DescriptionMichal Sekletar
2019-02-13 15:48:40 UTC
We have the code which caused the denial also in RHEL so the fix should be backported to RHEL-8 version of the policy.
+++ This bug was initially created as a clone of Bug #1673847 +++
Description of problem:
I upgraded to systemd-239-10.git4dc7dce.fc29 from koji. The next time I started my system after the systemd update, I saw a large number of denials of systemd-journald sending signull to processes with about 14 different labels as shown in the setroubleshooter. 20 denials of signull on auditd_t appear to have been the most frequent by label. The denials continued after I logged into Plasma and was using it. I'll attach the audit log with the denials.
SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'signull' accesses on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-journald should be allowed signull access on processes labeled auditd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:system_r:auditd_t:s0
Target Objects Unknown [ process ]
Source systemd-journal
Source Path /usr/lib/systemd/systemd-journald
Port <Unknown>
Host (removed)
Source RPM Packages systemd-239-10.git4dc7dce.fc29.i686
Target RPM Packages
Policy RPM selinux-policy-3.14.2-48.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.20.7-200.fc29.i686 #1 SMP Wed
Feb 6 19:19:30 UTC 2019 i686 i686
Alert Count 20
First Seen 2019-02-08 04:19:05 EST
Last Seen 2019-02-08 04:47:56 EST
Local ID b5ca00c0-668d-4639-9346-9ad0b858de66
Raw Audit Messages
type=AVC msg=audit(1549619276.640:574): avc: denied { signull } for pid=590 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1549619276.640:574): arch=i386 syscall=kill success=no exit=EACCES a0=2ca a1=0 a2=b7f23f28 a3=2ca items=0 ppid=1 pid=590 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
Hash: systemd-journal,syslogd_t,auditd_t,process,signull
Version-Release number of selected component:
selinux-policy-3.14.2-48.fc29.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 4.20.7-200.fc29.i686
type: libreport
--- Additional comment from Matt Fagnani on 2019-02-08 11:14 CET ---
This attachment is the output of
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts boot > ausearch-systemd-journald-1.txt after booting with systemd-239-10.git4dc7dce.fc29.
The denials involve systemd-journald with label syslogd_t using signull on processes with the following labels: unconfined_service_t, rpm_t, mount_t, alsa_t, fsdaemon_t, modemmanager_t, auditd_t, devicekit_disk_t, cupsd_t, systemd_logind_t, NetworkManager_t, xdm_t, accountsd_t, dhcpc_t.
--- Additional comment from Adam Williamson on 2019-02-08 15:50:08 CET ---
openQA tests saw the same results as Matt - see all the tests that show up orange here: https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=29&build=Update-FEDORA-2019-1fb1547321&groupid=2 . They're all orange (which is the kinda 'passed but with warnings' state) because a check for AVCs ran during those tests (it doesn't run in all the tests) and found AVCs. The same AVCs aren't showing up in other update tests, so they are definitely related to this update.
--- Additional comment from Zbigniew Jędrzejewski-Szmek on 2019-02-08 16:58:40 CET ---
C&P from bodhi:
> I reverted the one patch that I think was causing the selinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.> What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)
So, this bug should still present in rawhide, but not F29.
selinux maintainers: please allow kill(0, ...) to be done from systemd-journald. This is what systemd-journald started doing in this update, and I assume that this is what 'signull' means.
If possible, I'd also like to have this policy change in F29, if it's not too much work. Otherwise just F30+ is enough.
--- Additional comment from Adam Williamson on 2019-02-08 17:29:50 CET ---
"What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)"
I do, but your recent systemd build (systemd-241~rc2-1.fc30) is not actually in any Rawhide compose yet. The last Rawhide compose was 2019-02-05. So no-one running Rawhide has it unless they got it from Koji manually.
--- Additional comment from Zbigniew Jędrzejewski-Szmek on 2019-02-08 17:56:17 CET ---
Sorry, I'm on PTO and slightly out of the loop. I *should* have tested the update with selinux.
--- Additional comment from Matt Fagnani on 2019-02-09 19:53:30 CET ---
I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.
--- Additional comment from Lukas Vrabec on 2019-02-11 13:20:54 CET ---
--- Additional comment from Lukas Vrabec on 2019-02-11 16:46:20 CET ---
commit 8258bc10ab4591c277398a872364355be7b15cd4 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Mon Feb 11 16:45:12 2019 +0100
Allow syslogd_t domain to send null signal to all domains on system
Resolves: rhbz#1673847
--- Additional comment from Villy Kruse on 2019-02-12 11:31:27 CET ---
Description of problem:
This started after upgrading to systemd-241~rc2-2.fc30.x86_64
Version-Release number of selected component:
selinux-policy-3.14.3-20.fc30.noarch
Additional info:
reporter: libreport-2.10.0
hashmarkername: setroubleshoot
kernel: 5.0.0-0.rc5.git0.1.fc30.x86_64
type: libreport
(In reply to Michal Sekletar from comment #1)
> This bug is related to fix for CVE-2018-16864 and w/o SELinux policy fix the
> CVE is not fixed fully.
To be accurate, CVE is fixed but due to the fix for the flaw in combination with SELinux issue journald can eat more memory than necessary.
I updated RHEL8 system (GNOME desktop) and after logging in I see a bombing of AVC reports in the GS tray (like 20 in a while). This is really annoying. I can set to ignore them but having cleanly installed workstation with a ton of AVCs from the very beginning is just odd. Not sure how this affects journald and service logging.