DescriptionLukas Slebodnik
2018-06-16 10:17:12 UTC
SELinux is preventing systemd-journal from map access on the file /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal default label should be var_log_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that systemd-journal should be allowed map access on the system.journal file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -i my-systemdjournal.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:container_log_t:s0
Target Objects /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/
system.journal [ file ]
Source systemd-journal
Source Path systemd-journal
Port <Unknown>
Host host.example.com
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-204.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name host.example.com
Platform Linux host.example.com
3.10.0-905.el7.x86_64 #1 SMP Wed Jun 13 13:48:50
EDT 2018 x86_64 x86_64
Alert Count 22347
First Seen 2018-06-16 04:55:47 EDT
Last Seen 2018-06-16 05:04:48 EDT
Local ID cd72b6f5-889e-42a0-b7a1-f0b47be0810c
Raw Audit Messages
type=AVC msg=audit(1529139888.617:22956): avc: denied { map } for pid=908 comm="systemd-journal" path="/var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal" dev="dm-0" ino=68133542 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0
Hash: systemd-journal,syslogd_t,container_log_t,file,map
Probably need one of those similar patches,
https://github.com/fedora-selinux/selinux-policy/pull/208
# rpm -qa | grep selinux
selinux-policy-targeted-3.13.1-207.el7.noarch
selinux-policy-3.13.1-207.el7.noarch
libselinux-utils-2.5-13.el7.aarch64
libselinux-2.5-13.el7.aarch64
libselinux-python-2.5-13.el7.aarch64
container-selinux-2.68-1.el7.noarch
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111
SELinux is preventing systemd-journal from map access on the file /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal default label should be var_log_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd-journal should be allowed map access on the system.journal file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal # semodule -i my-systemdjournal.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context system_u:object_r:container_log_t:s0 Target Objects /var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/ system.journal [ file ] Source systemd-journal Source Path systemd-journal Port <Unknown> Host host.example.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-204.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name host.example.com Platform Linux host.example.com 3.10.0-905.el7.x86_64 #1 SMP Wed Jun 13 13:48:50 EDT 2018 x86_64 x86_64 Alert Count 22347 First Seen 2018-06-16 04:55:47 EDT Last Seen 2018-06-16 05:04:48 EDT Local ID cd72b6f5-889e-42a0-b7a1-f0b47be0810c Raw Audit Messages type=AVC msg=audit(1529139888.617:22956): avc: denied { map } for pid=908 comm="systemd-journal" path="/var/log/journal/72f5bc79a4d24f1d9ce24f2748849a79/system.journal" dev="dm-0" ino=68133542 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:container_log_t:s0 tclass=file permissive=0 Hash: systemd-journal,syslogd_t,container_log_t,file,map