Bug 1673847

Summary: SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'signull' accesses on a process.
Product: [Fedora] Fedora Reporter: Matt Fagnani <matt.fagnani>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: awilliam, dwalsh, lvrabec, mgrepl, mikhail.v.gavrilov, msekleta, nicolas.mailhot, plautrba, ppywlkiqletw, pwhalen, zbyszek, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: abrt_hash:ce08e5073f70ac9b65a5171d53193c9abbe8f2a25021ee7b0914972aae8e6552; openqa
Fixed In Version: selinux-policy-3.14.4-8.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1676923 (view as bug list) Environment:
Last Closed: 2019-04-05 17:58:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts boot output none

Description Matt Fagnani 2019-02-08 09:53:44 UTC 
Description of problem:
I upgraded to systemd-239-10.git4dc7dce.fc29 from koji. The next time I started my system after the systemd update, I saw a large number of denials of systemd-journald sending signull to processes with about 14 different labels as shown in the setroubleshooter. 20 denials of signull on auditd_t appear to have been the most frequent by label. The denials continued after I logged into Plasma and was using it. I'll attach the audit log with the denials.

SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-journald should be allowed signull access on processes labeled auditd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:system_r:auditd_t:s0
Target Objects                Unknown [ process ]
Source                        systemd-journal
Source Path                   /usr/lib/systemd/systemd-journald
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-239-10.git4dc7dce.fc29.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-48.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.7-200.fc29.i686 #1 SMP Wed
                              Feb 6 19:19:30 UTC 2019 i686 i686
Alert Count                   20
First Seen                    2019-02-08 04:19:05 EST
Last Seen                     2019-02-08 04:47:56 EST
Local ID                      b5ca00c0-668d-4639-9346-9ad0b858de66

Raw Audit Messages
type=AVC msg=audit(1549619276.640:574): avc:  denied  { signull } for  pid=590 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0


type=SYSCALL msg=audit(1549619276.640:574): arch=i386 syscall=kill success=no exit=EACCES a0=2ca a1=0 a2=b7f23f28 a3=2ca items=0 ppid=1 pid=590 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)

Hash: systemd-journal,syslogd_t,auditd_t,process,signull

Version-Release number of selected component:
selinux-policy-3.14.2-48.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.7-200.fc29.i686
type:           libreport
Comment 1 Matt Fagnani 2019-02-08 10:14:15 UTC 
Created attachment 1528021 [details]
ausearch -m AVC,USER_AVC,SELINUX_ERR -ts boot output

This attachment is the output of 
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts boot > ausearch-systemd-journald-1.txt after booting with systemd-239-10.git4dc7dce.fc29.
The denials involve systemd-journald with label syslogd_t using signull on processes with the following labels: unconfined_service_t, rpm_t, mount_t, alsa_t, fsdaemon_t, modemmanager_t, auditd_t, devicekit_disk_t, cupsd_t, systemd_logind_t, NetworkManager_t, xdm_t, accountsd_t, dhcpc_t.
Comment 2 Adam Williamson 2019-02-08 14:50:08 UTC 
openQA tests saw the same results as Matt - see all the tests that show up orange here: https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=29&build=Update-FEDORA-2019-1fb1547321&groupid=2 . They're all orange (which is the kinda 'passed but with warnings' state) because a check for AVCs ran during those tests (it doesn't run in all the tests) and found AVCs. The same AVCs aren't showing up in other update tests, so they are definitely related to this update.
Comment 3 Zbigniew Jędrzejewski-Szmek 2019-02-08 15:58:40 UTC 
C&P from bodhi:

> I reverted the one patch that I think was causing the selinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.

> What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)

So, this bug should still present in rawhide, but not F29.

selinux maintainers: please allow kill(0, ...) to be done from systemd-journald. This is what systemd-journald started doing in this update, and I assume that this is what 'signull' means.

If possible, I'd also like to have this policy change in F29, if it's not too much work. Otherwise just F30+ is enough.
Comment 4 Adam Williamson 2019-02-08 16:29:50 UTC 
"What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)"

I do, but your recent systemd build (systemd-241~rc2-1.fc30) is not actually in any Rawhide compose yet. The last Rawhide compose was 2019-02-05. So no-one running Rawhide has it unless they got it from Koji manually.
Comment 5 Zbigniew Jędrzejewski-Szmek 2019-02-08 16:56:17 UTC 
Sorry, I'm on PTO and slightly out of the loop. I *should* have tested the update with selinux.
Comment 6 Matt Fagnani 2019-02-09 18:53:30 UTC 
I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.
Comment 7 Lukas Vrabec 2019-02-11 12:20:54 UTC 
*** Bug 1674109 has been marked as a duplicate of this bug. ***
Comment 8 Lukas Vrabec 2019-02-11 15:46:20 UTC 
commit 8258bc10ab4591c277398a872364355be7b15cd4 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 11 16:45:12 2019 +0100

    Allow syslogd_t domain to send null signal to all domains on system
    Resolves: rhbz#1673847
Comment 9 Villy Kruse 2019-02-12 10:31:27 UTC 
Description of problem:
This started after upgrading to systemd-241~rc2-2.fc30.x86_64

Version-Release number of selected component:
selinux-policy-3.14.3-20.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.0-0.rc5.git0.1.fc30.x86_64
type:           libreport