Bug 2124797

Summary: selinux context is not set for journald LogNamespace directories /run/systemd/journal.<lognamespace>/ by default
Product: Red Hat Enterprise Linux 9
Reporter: Ameya Patil <amepatil>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, nknazeko
Target Milestone: rc
Keywords: Triaged
Target Release: 9.2
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.6-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: systemd-journald introduced the `LogNamespace` feature to isolate certain logs.
Consequence: LogNamespaces were created with the wrong SELinux context init_var_run_t, instead of syslogd_var_run_t and devlog_t.
Fix: Label the systemd-journald LogNamespace feature.
Result: LogNamespaces are created with the correct SELinux context.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 08:16:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ameya Patil 2022-09-07 06:51:25 UTC
Description of problem:


`systemd-journald` has a feature, `LogNamespace`, to isolate certain logs.

   Documentation - https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html#Journal%20Namespaces

These namespaces are created from a template service, `systemd-journald@.service`. For example, to activate a LogNamespace `testcase` we use:
   `# systemctl start systemd-journald@testcase`

The logs of a service are visible in this namespace if the `LogNamespace` parameter is defined in its unit file.
Later we can view the logs with `journalctl -b --namespace testcase`.

One of our customers reported that, when we create a new namespace for the `systemd-journald` process, we see errors from setroubleshootd.
    ~~~
    Sep 01 06:04:38 localhost.localdomain setroubleshoot[1198]: SELinux is preventing /usr/lib/systemd/systemd-journald from create access on the file labeled init_var_run_t.
    Sep 01 06:04:38 localhost.localdomain setroubleshoot[1198]: SELinux is preventing /usr/lib/systemd/systemd-journald from remove_name access on the directory labeled init_var_run_t. For complete SELinux messages run: sealert -l 8ddfa1d5-7659-4274-86a4-f73e3d9001ae
    Sep 01 06:04:38 localhost.localdomain setroubleshoot[1198]: SELinux is preventing /usr/lib/systemd/systemd-journald from remove_name access on the directory labeled init_var_run_t.
    Sep 01 06:31:57 localhost.localdomain setroubleshoot[1199]: SELinux is preventing /usr/lib/systemd/systemd-journald from write access on the directory labeled init_var_run_t. For complete SELinux messages run: sealert -l b503011d-d224-4412-a8cc-a138920ee578
    ~~~



 To start a systemd-journald LogNamespace named `testcase`, we just use the command below.

  `# systemctl start systemd-journald@testcase`

 And we see that the issue is with the SELinux context of the files in `/run/systemd/journal.<namespace>/`:
    ~~~
    # ls -laZ /run/systemd/journal.testcase/
    total 0
    drwxr-xr-x.  2 root systemd-journal system_u:object_r:init_var_run_t:s0 120 Aug 16 16:27 .
    drwxr-xr-x. 22 root root            system_u:object_r:init_var_run_t:s0 540 Aug 16 16:37 ..
    srw-rw-rw-.  1 root root            system_u:object_r:init_var_run_t:s0   0 Aug 16 16:27 dev-log
    srw-------.  1 root root            system_u:object_r:init_var_run_t:s0   0 Aug 16 16:27 io.systemd.journal
    srw-rw-rw-.  1 root root            system_u:object_r:init_var_run_t:s0   0 Aug 16 16:27 socket
    srw-rw-rw-.  1 root root            system_u:object_r:init_var_run_t:s0   0 Aug 16 16:27 stdout
    ~~~

  While the default SELinux contexts on the default journal are:
    ~~~
    # ls -laZ /run/systemd/journal/
    total 4
    drwxr-xr-x.  3 root root system_u:object_r:syslogd_var_run_t:s0 160 Aug  3 09:44 .
    drwxr-xr-x. 22 root root system_u:object_r:init_var_run_t:s0    540 Aug 16 16:37 ..
    srw-rw-rw-.  1 root root system_u:object_r:devlog_t:s0            0 Aug  3 09:44 dev-log
    srw-------.  1 root root system_u:object_r:syslogd_var_run_t:s0   0 Aug  3 09:44 io.systemd.journal
    -rw-r--r--.  1 root root system_u:object_r:syslogd_var_run_t:s0   8 Aug  3 09:44 kernel-seqnum
    srw-rw-rw-.  1 root root system_u:object_r:syslogd_var_run_t:s0   0 Aug  3 09:44 socket
    srw-rw-rw-.  1 root root system_u:object_r:syslogd_var_run_t:s0   0 Aug  3 09:44 stdout
    drwxr-xr-x.  2 root root system_u:object_r:syslogd_var_run_t:s0 340 Aug 16 16:37 streams
    ~~~

Just creating the namespace and logging to it from any service, for example `sshd`, causes these SELinux-related errors.
  Audit messages from my system:
    ~~~
    ----
    type=PROCTITLE msg=audit(08/22/2022 08:06:57.231:34) : proctitle=/usr/lib/systemd/systemd-journald testcase 
    type=PATH msg=audit(08/22/2022 08:06:57.231:34) : item=1 name=(null) inode=927 dev=00:19 mode=dir,755 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=PATH msg=audit(08/22/2022 08:06:57.231:34) : item=0 name=(null) inode=682 dev=00:19 mode=dir,755 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=CWD msg=audit(08/22/2022 08:06:57.231:34) : cwd=/ 
    type=SYSCALL msg=audit(08/22/2022 08:06:57.231:34) : arch=x86_64 syscall=mkdirat success=yes exit=0 a0=AT_FDCWD a1=0x7fff6925f060 a2=0755 a3=0x100 items=2 ppid=1 pid=703 auid=unset uid=root gid=systemd-journal euid=root suid=root fsuid=root egid=systemd-journal sgid=systemd-journal fsgid=systemd-journal tty=(none) ses=unset comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null) 
    type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { create } for  pid=703 comm=systemd-journal name=streams scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 
    type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { add_name } for  pid=703 comm=systemd-journal name=streams scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 
    type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { write } for  pid=703 comm=systemd-journal name=journal.testcase dev="tmpfs" ino=682 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 
    ----
    type=PROCTITLE msg=audit(08/22/2022 08:06:57.231:35) : proctitle=/usr/lib/systemd/systemd-journald testcase 
    type=PATH msg=audit(08/22/2022 08:06:57.231:35) : item=3 name=(null) inode=928 dev=00:19 mode=file,600 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=PATH msg=audit(08/22/2022 08:06:57.231:35) : item=2 name=(null) inode=927 dev=00:19 mode=dir,755 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=PATH msg=audit(08/22/2022 08:06:57.231:35) : item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=PATH msg=audit(08/22/2022 08:06:57.231:35) : item=0 name=(null) inode=927 dev=00:19 mode=dir,755 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=CWD msg=audit(08/22/2022 08:06:57.231:35) : cwd=/ 
    type=SYSCALL msg=audit(08/22/2022 08:06:57.231:35) : arch=x86_64 syscall=openat success=yes exit=17 a0=AT_FDCWD a1=0x555f7bc52840 a2=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a3=0x180 items=4 ppid=1 pid=703 auid=unset uid=root gid=systemd-journal euid=root suid=root fsuid=root egid=systemd-journal sgid=systemd-journal fsgid=systemd-journal tty=(none) ses=unset comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null) 
    type=AVC msg=audit(08/22/2022 08:06:57.231:35) : avc:  denied  { write } for  pid=703 comm=systemd-journal path=/run/systemd/journal.testcase/streams/.#8:18527sS0Own dev="tmpfs" ino=928 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 
    type=AVC msg=audit(08/22/2022 08:06:57.231:35) : avc:  denied  { create } for  pid=703 comm=systemd-journal name=.#8:18527sS0Own scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 
    ----
    type=PROCTITLE msg=audit(08/22/2022 08:06:57.232:36) : proctitle=/usr/lib/systemd/systemd-journald testcase 
    type=PATH msg=audit(08/22/2022 08:06:57.232:36) : item=1 name=(null) inode=928 dev=00:19 mode=file,600 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=PATH msg=audit(08/22/2022 08:06:57.232:36) : item=0 name=(null) inode=927 dev=00:19 mode=dir,755 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
    type=CWD msg=audit(08/22/2022 08:06:57.232:36) : cwd=/ 
    type=SYSCALL msg=audit(08/22/2022 08:06:57.232:36) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x555f7bc52840 a1=0x555f7bc4c080 a2=0x7dd6d64 a3=0x7f9626e473e0 items=2 ppid=1 pid=703 auid=unset uid=root gid=systemd-journal euid=root suid=root fsuid=root egid=systemd-journal sgid=systemd-journal fsgid=systemd-journal tty=(none) ses=unset comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null) 
    type=AVC msg=audit(08/22/2022 08:06:57.232:36) : avc:  denied  { rename } for  pid=703 comm=systemd-journal name=.#8:18527sS0Own dev="tmpfs" ino=928 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1 
    type=AVC msg=audit(08/22/2022 08:06:57.232:36) : avc:  denied  { remove_name } for  pid=703 comm=systemd-journal name=.#8:18527sS0Own dev="tmpfs" ino=928 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1 
    ~~~


By default, only the following SELinux file context rules are available, so the other files don't get the correct context: they take the context of the parent directory `/var/run/systemd/`, which is `init_var_run_t`.
    ~~~
    # semanage fcontext -l | grep /var/run/systemd/journal
    /var/run/systemd/journal(/.*)?                     all files          system_u:object_r:syslogd_var_run_t:s0 
    /var/run/systemd/journal/dev-log                   socket             system_u:object_r:devlog_t:s0 
    /var/run/systemd/journal/syslog                    socket             system_u:object_r:devlog_t:s0 
    ~~~

In my testing, adding an equivalency context such as the one below did not work; after running restorecon or rebooting the system, I still see the wrong context on the files in `/var/run/systemd/journal.testcase/`.

   `semanage fcontext -a -e /var/run/systemd/journal /var/run/systemd/journal.testcase`

   After discussing with @rmetrich, it looks like this Fedora BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1968163

  In fact, after the system is booted and we use `systemctl start systemd-journald@testcase` to initiate the new namespace `testcase`, it gets the wrong context as we saw earlier; however, after rebooting the system in such a state, when the system boots up this time both `/var/run/systemd/journal/` and `/var/run/systemd/journal.testcase/` get the wrong context of `init_var_run_t`.

  Since the namespace can have any name, as it is started from the template service, the only way I found that works to set the context is by adding dedicated SELinux rules as below and rebooting.
  
    ~~~
    /var/run/systemd/journal\.[^/]+(/.*)?              all files          system_u:object_r:syslogd_var_run_t:s0 
    /var/run/systemd/journal\.[^/]+/dev-log            socket             system_u:object_r:devlog_t:s0 
    /var/run/systemd/journal\.[^/]+/syslog             socket             system_u:object_r:devlog_t:s0 
    ~~~


How reproducible:
Every time


Version-Release number of selected component (if applicable):

selinux-policy-34.1.29-1.el9_0.noarch
selinux-policy-targeted-34.1.29-1.el9_0.noarch
systemd-250-6.el9_0.x86_64


Steps to reproduce:

1. Start new namespace called testcase.

   systemctl start systemd-journald@testcase

2. Verify that the context of the files created in `/run/systemd/journal.testcase` is `init_var_run_t`, i.e. it does not match `/run/systemd/journal`.

   # ls -lZ /run/systemd/journal*


3. Set up sshd to add `LogNamespace=testcase` in the `[Service]` section.

   # systemctl edit --full sshd

      Add `LogNamespace=testcase` in the `[Service]` section.

   # systemctl daemon-reload
   # systemctl restart sshd
   # systemctl status sshd

4. Now search for AVCs and you will see these for systemd-journald when it tries to access files in `/run/systemd/journal.testcase`.

    # ausearch -m AVC,USER_AVC -i -ts boot 



Actual results:

Creating a new journald LogNamespace does not set the correct context on the files in `/run/systemd/journal.<name_of_LogNamespace>`.


Expected results:

Creating a new journald LogNamespace should set up the appropriate context any time a new LogNamespace is created.


Additional info:

I tested and did not find LogNamespace to be available in RHEL 8.6 systemd.
I am unsure in what version this feature was introduced, but it is present in RHEL 9.
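The audit records quoted in the description are the raw evidence of the mislabeling. As an added example (not part of the bug report, audit, or setroubleshoot), the following Python triage helper parses interpreted `ausearch -i` records like those above, groups the denials by source type, target type and object class, and joins them to the SYSCALL record of the same audit event to recover the executable and to show that each operation went through only because the AVCs carry `permissive=1`. The sample records embedded in the script are copied from the report, with the SYSCALL lines abridged to the fields the parser uses.

```python
"""
Triage helper for interpreted audit records (ausearch -i style).
Added as an illustration only; it is not part of the bug report, audit,
or setroubleshoot.  It groups AVC denials by (source type, target type,
object class), merges the denied permissions, and joins each denial to the
SYSCALL record of the same audit event to recover the executable and
whether the call succeeded (permissive=1 means audited but not blocked).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input: records taken from the report, with the SYSCALL
# lines abridged to the fields this parser uses.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(08/22/2022 08:06:57.231:34) : arch=x86_64 syscall=mkdirat success=yes exit=0 pid=703 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { create } for  pid=703 comm=systemd-journal name=streams scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { add_name } for  pid=703 comm=systemd-journal name=streams scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(08/22/2022 08:06:57.231:34) : avc:  denied  { write } for  pid=703 comm=systemd-journal name=journal.testcase dev="tmpfs" ino=682 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(08/22/2022 08:06:57.231:35) : arch=x86_64 syscall=openat success=yes exit=17 pid=703 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(08/22/2022 08:06:57.231:35) : avc:  denied  { write } for  pid=703 comm=systemd-journal path=/run/systemd/journal.testcase/streams/.#8:18527sS0Own dev="tmpfs" ino=928 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(08/22/2022 08:06:57.231:35) : avc:  denied  { create } for  pid=703 comm=systemd-journal name=.#8:18527sS0Own scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
"""

# msg=audit(<timestamp>:<serial>) -- the serial ties AVC and SYSCALL records together.
EVENT_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\)")
# The permission set of an AVC record: "{ create }" or "{ read write }".
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be quoted (dev="tmpfs") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{")


def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_record(line: str) -> Optional[dict]:
    """Parse one audit record into a dict; None for lines without an event id."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = int(m.group(2))
    rec["time"] = m.group(1)
    if rec.get("type") == "AVC":
        pm = PERMS_RE.search(line)
        rec["perms"] = pm.group(1).split() if pm else []
        rec["denied"] = DENIED_RE.search(line) is not None
    return rec


def summarize(text: str) -> Dict[Tuple[str, str, str], dict]:
    """Group denials by (source type, target type, class) and join SYSCALL data."""
    syscalls: Dict[int, dict] = {}
    denials: List[dict] = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.get("type") == "SYSCALL":
            syscalls[rec["event"]] = rec
        elif rec.get("type") == "AVC" and rec["denied"]:
            denials.append(rec)
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "events": set(),
                                  "exe": set(), "syscalls": set(), "permissive": set()})
    for d in denials:
        g = groups[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])]
        g["perms"].update(d["perms"])
        g["events"].add(d["event"])
        g["permissive"].add(d.get("permissive", "0"))
        obj = d.get("path") or d.get("name")
        if obj:
            g["objects"].add(obj)
        sc = syscalls.get(d["event"])
        if sc:
            g["exe"].add(sc.get("exe", "?"))
            g["syscalls"].add(f"{sc.get('syscall')}:{sc.get('success')}")
    return dict(groups)


def audited_not_blocked(summary: Dict[Tuple[str, str, str], dict]) -> list:
    """Keys whose denials were all recorded with permissive=1: the same operations
    would be refused on an enforcing system, breaking the namespaced journald."""
    return [k for k, g in summary.items() if g["permissive"] == {"1"}]


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for (src, tgt, cls), g in sorted(summary.items()):
        print(f"{src} -> {tgt} ({cls}): denied {sorted(g['perms'])}; "
              f"objects={sorted(g['objects'])}; exe={sorted(g['exe'])}; "
              f"syscalls={sorted(g['syscalls'])}")
    print("would fail when enforcing:", audited_not_blocked(summary))
```

Grouping on the (source type, target type, class) triple collapses the eleven records in the report into two lines, both pointing at `syslogd_t` acting on `init_var_run_t` objects, which is the labeling mismatch the report describes rather than a policy gap for the journald domain itself.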

Comment 1 Milos Malik 2022-10-11 14:12:31 UTC
# ls -lZ /run/systemd/journal*
/run/systemd/journal:
total 4
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0            0 Oct 11 09:53 dev-log
srw-------. 1 root root system_u:object_r:syslogd_var_run_t:s0   0 Oct 11 09:53 io.systemd.journal
-rw-r--r--. 1 root root system_u:object_r:syslogd_var_run_t:s0   8 Oct 11 09:53 kernel-seqnum
srw-rw-rw-. 1 root root system_u:object_r:syslogd_var_run_t:s0   0 Oct 11 09:53 socket
srw-rw-rw-. 1 root root system_u:object_r:syslogd_var_run_t:s0   0 Oct 11 09:53 stdout
drwxr-xr-x. 2 root root system_u:object_r:syslogd_var_run_t:s0 280 Oct 11 10:09 streams

/run/systemd/journal.testcase:
total 0
srw-rw-rw-. 1 root systemd-journal system_u:object_r:init_var_run_t:s0 0 Oct 11 10:07 dev-log
srw-------. 1 root systemd-journal system_u:object_r:init_var_run_t:s0 0 Oct 11 10:07 io.systemd.journal
srw-rw-rw-. 1 root systemd-journal system_u:object_r:init_var_run_t:s0 0 Oct 11 10:07 socket
srw-rw-rw-. 1 root systemd-journal system_u:object_r:init_var_run_t:s0 0 Oct 11 10:07 stdout
#
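The listing above confirms the mismatch the description reports: the stock journal directory is labeled `syslogd_var_run_t`/`devlog_t`, the namespaced one `init_var_run_t`. As an added illustration (not part of the report, selinux-policy or libselinux), the following Python script emulates, in simplified form, how file_contexts rules are matched against a path. It compares the stock rules quoted in the description, plus the generic `/var/run/systemd(/.*)?` rule that gives the parent directory its `init_var_run_t` label (assumed from stock policy for this example), against the same set with the reporter's three `journal\.[^/]+` rules appended. The `/run` to `/var/run` aliasing and the tie-breaking order (longest literal prefix, then the rule defined last) are simplifying assumptions, not libselinux's exact algorithm; `matchpathcon` and `restorecon -nv` on a real system remain the authoritative check.

```python
"""
Simplified emulation of SELinux file_contexts matching.
Added here as an illustration only; it is not part of the bug report,
selinux-policy, or libselinux.  It shows why the stock journal rules never
match /run/systemd/journal.<namespace>/ and why the three added rules do.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# /run is an alias of /var/run in RHEL's file_contexts.subs_dist; the resolver
# normalizes paths the same way (assumption taken from stock policy).
PATH_SUBS = [("/run", "/var/run")]


@dataclass(frozen=True)
class FcontextRule:
    regex: str     # path regex, matched against the whole normalized path
    ftype: str     # "all files" or a single class such as "socket"
    context: str   # full label, e.g. system_u:object_r:devlog_t:s0


# Stock rules quoted in the report (semanage fcontext -l output), plus the
# generic /var/run/systemd rule that gives the parent directory
# init_var_run_t.  The latter is assumed from stock policy for this example.
DEFAULT_RULES = [
    FcontextRule(r"/var/run/systemd(/.*)?", "all files", "system_u:object_r:init_var_run_t:s0"),
    FcontextRule(r"/var/run/systemd/journal(/.*)?", "all files", "system_u:object_r:syslogd_var_run_t:s0"),
    FcontextRule(r"/var/run/systemd/journal/dev-log", "socket", "system_u:object_r:devlog_t:s0"),
    FcontextRule(r"/var/run/systemd/journal/syslog", "socket", "system_u:object_r:devlog_t:s0"),
]

# The three rules the reporter added for journal.<namespace> directories,
# in the order they appear in the report.
NAMESPACE_RULES = [
    FcontextRule(r"/var/run/systemd/journal\.[^/]+(/.*)?", "all files", "system_u:object_r:syslogd_var_run_t:s0"),
    FcontextRule(r"/var/run/systemd/journal\.[^/]+/dev-log", "socket", "system_u:object_r:devlog_t:s0"),
    FcontextRule(r"/var/run/systemd/journal\.[^/]+/syslog", "socket", "system_u:object_r:devlog_t:s0"),
]

# Regex metacharacters that end a rule's literal prefix ("stem").
_META = set(".^$?*+|[](){}\\")


def normalize(path: str) -> str:
    """Apply the /run -> /var/run substitution and strip a trailing slash."""
    for alias, real in PATH_SUBS:
        if path == alias or path.startswith(alias + "/"):
            path = real + path[len(alias):]
    return path.rstrip("/") or "/"


def literal_prefix_len(regex: str) -> int:
    """Length of the regex up to its first metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def resolve(path: str, ftype: str, rules: Sequence[FcontextRule]) -> Optional[str]:
    """Return the SELinux type the rules assign to path, or None if nothing matches.

    A rule is a candidate when it matches the whole normalized path and the
    file class.  Among candidates the longest literal prefix wins; ties go to
    the rule defined last (simplified ordering, assumed for this example).
    """
    norm = normalize(path)
    candidates = [
        (idx, rule) for idx, rule in enumerate(rules)
        if rule.ftype in ("all files", ftype) and re.fullmatch(rule.regex, norm)
    ]
    if not candidates:
        return None
    _, best = max(candidates, key=lambda c: (literal_prefix_len(c[1].regex), c[0]))
    return best.context.split(":")[2]


def compare_labels(path: str, ftype: str) -> Tuple[Optional[str], Optional[str]]:
    """Type with stock rules only vs. with the namespace rules appended."""
    return (resolve(path, ftype, DEFAULT_RULES),
            resolve(path, ftype, DEFAULT_RULES + NAMESPACE_RULES))


if __name__ == "__main__":
    # Constructed sample paths, taken from the ls -laZ listings in the report.
    samples = [
        ("/run/systemd/journal/dev-log", "socket"),
        ("/run/systemd/journal/socket", "socket"),
        ("/run/systemd/journal.testcase", "directory"),
        ("/run/systemd/journal.testcase/dev-log", "socket"),
        ("/run/systemd/journal.testcase/streams/8:18527", "regular file"),
    ]
    for p, t in samples:
        before, after = compare_labels(p, t)
        print(f"{p:45} {t:13} stock={before!s:20} with_ns_rules={after}")
```

The key observation the emulation makes visible is that `/var/run/systemd/journal(/.*)?` requires a `/` immediately after `journal`, so `journal.testcase` never matches it and falls through to the broader `/var/run/systemd(/.*)?` rule; the `\.[^/]+` pattern is what closes that gap for any namespace name.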

Comment 12 errata-xmlrpc 2023-05-09 08:16:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483