Bug 2305270
| Summary: | SELinux is preventing systemd-journal from using the 'signull' accesses on a process. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> | ||||||
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||||
| Status: | POST --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | acaringi, adscvr, airlied, alciregi, awilliam, bgoncalv, bskeggs, daan.j.demeyer, dan, dwalsh, fedoraproject, hdegoede, hpa, josef, kernel-maint, linville, lnykryn, lvrabec, masami256, mchehab, mikhail.v.gavrilov, mmalik, msekleta, omosnacek, pkoncity, ptalbert, ryncsn, santiago, steved, suraj.ghimire7, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:3cb8e432fee6fd2cb6a36cc4d193766b83866acd938a33f03493b6aff5bd974b;VARIANT_ID=workstation; | ||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | Type: | --- | |||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 2305940 | ||||||||
| Attachments: |
|
||||||||
Created attachment 2044277 [details]
File: description
Created attachment 2044278 [details]
File: os_info
*** Bug 2305271 has been marked as a duplicate of this bug. *** *** Bug 2305273 has been marked as a duplicate of this bug. *** (copying my explanation from https://issues.redhat.com/browse/RHEL-54549:) So the git bisect identified the following commit as the culprit: commit 3b5bbe798b2451820e74243b738268f51901e7d0 Author: Christian Brauner <brauner> Date: Wed Jul 31 12:01:12 2024 +0200 pidfd: prevent creation of pidfds for kthreads It's currently possible to create pidfds for kthreads but it is unclear what that is supposed to mean. Until we have use-cases for it and we figured out what behavior we want block the creation of pidfds for kthreads. Link: https://lore.kernel.org/r/20240731-gleis-mehreinnahmen-6bbadd128383@brauner Fixes: 32fcb426ec00 ("pid: add pidfd_open()") Cc: stable.org Signed-off-by: Christian Brauner <brauner> It seems that this change prevents systemd from doing a "killall" operation (src/shared/killall.c), because it tries to get a pidfd for all running tasks including kernel threads, which the kernel now rejects with -EINVAL. Systemd even has a fallback in pidref_set_pid() for when pidfd_open(2) fails, but it only ignores certain types of error codes that don't include EINVAL. I think that this failure then results in systemd-journald not being restarted during switch-root, so it remains running with the kernel_t label, leading to denials later on. I'm not sure if it's systemd or the kernel at fault here, but switching to systemd in the hope that they can argue it out with the kernel upstream or find a way around it... So it turns out the bad commit is going to be reverted in the kernel: https://lore.kernel.org/all/20240819-staudamm-rederei-cb7092f54e76@brauner/ https://github.com/systemd/systemd/pull/34058 *** Bug 2306818 has been marked as a duplicate of this bug. *** Thanks for figuring this out! I should've remembered the QA Golden Rule: always try it with SELinux turned off... |
Description of problem: SELinux is preventing systemd-journal from using the 'signull' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-journal should be allowed signull access on processes labeled systemd_logind_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal # semodule -X 300 -i my-systemdjournal.pp Additional Information: Source Context system_u:system_r:kernel_t:s0 Target Context system_u:system_r:systemd_logind_t:s0 Target Objects Unknown [ process ] Source systemd-journal Source Path systemd-journal Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-41.14-1.fc41.noarch Local Policy RPM selinux-policy-targeted-41.14-1.fc41.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 6.11.0- 0.rc3.20240815git1fb918967b56.33.fc42.x86_64+debug #1 SMP PREEMPT_DYNAMIC Thu Aug 15 18:43:26 UTC 2024 x86_64 Alert Count 12 First Seen 2024-08-16 10:21:44 +05 Last Seen 2024-08-16 10:46:08 +05 Local ID 3d6d710c-cc05-4673-ab35-71dc9dcdb01e Raw Audit Messages type=AVC msg=audit(1723787168.269:420): avc: denied { signull } for pid=523 comm="systemd-journal" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process permissive=1 Hash: systemd-journal,kernel_t,systemd_logind_t,process,signull Version-Release number of selected component: selinux-policy-targeted-41.14-1.fc41.noarch Additional info: reporter: libreport-2.17.15 reason: SELinux is preventing systemd-journal from using the 'signull' accesses on a process. package: selinux-policy-targeted-41.14-1.fc41.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.11.0-0.rc3.20240815git1fb918967b56.33.fc42.x86_64+debug component: selinux-policy