Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1336742 - Service systemd-journald fails to start due to AVC denial on /etc/machine-id read
Summary: Service systemd-journald fails to start due to AVC denial on /etc/machine-id ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.6.0
Assignee: Šimon Lukašík
QA Contact: luke couzens
URL:
Whiteboard: appliance
Depends On:
Blocks: 1341242
TreeView+ depends on / blocked
 
Reported: 2016-05-17 11:40 UTC by Jan Krocil
Modified: 2016-06-29 16:02 UTC (History)
9 users (show)

Fixed In Version: 5.6.0.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1341242 (view as bug list)
Environment:
Last Closed: 2016-06-29 16:02:54 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
jkrocil: automate_bug+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1348 0 normal SHIPPED_LIVE CFME 5.6.0 bug fixes and enhancement update 2016-06-29 18:50:04 UTC

Description Jan Krocil 2016-05-17 11:40:13 UTC
Description of problem:
SSIA

Version-Release number of selected component (if applicable):
5.5.4.0
5.6.0.6-beta2.5

How reproducible:
Always

Steps to Reproduce:
1. Start a fresh appliance
2. # systemctl status systemd-journald

Actual results:
systemd-journald is not running

Expected results:
systemd-journald is running out of the box

Additional info:

dmesg:
======
[   13.331781] type=1400 audit(1463408382.377:4): avc:  denied  { read } for  pid=503 comm="systemd-journal" name="machine-id" dev="dm-0" ino=9948640 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Workaround:
===========
# restorecon /etc/machine-id
# systemctl start systemd-journald

Comment 2 Nick Carboni 2016-05-19 13:54:20 UTC
I can't reproduce this on a 5.6.0.6-beta2.5 deploy.

What appliance build was this? VMWare? RHEV?

I deployed the VMWare appliance on Workstation and systemd-journald is up and running fine.

Comment 4 Šimon Lukašík 2016-05-19 16:34:18 UTC
The problem is that we have /etc/machine-id with unlabeled_t selinux label on the image (looking into rhos version, haven't unpacked vmware).

Comment 5 Šimon Lukašík 2016-05-20 09:03:05 UTC
The unlabeled_t means that we have re-created the /etc/machine-id during the build and we did not have the guest policy loaded during that operation. Do we keep appliance build logs somewhere?

Also, the bug 1308997 is worth reading.

Comment 6 Šimon Lukašík 2016-05-20 11:51:11 UTC
There are more unlabeled_t files:

  # find / -context *:unlabeled_t:*
  /etc/machine-id
  /var/account/pacct
  /mnt
  /mnt/lost+found

Because of this, logrorate fails to service psacct on the appliance.

   avc:  denied  { getattr } for  pid=1967 comm="logrotate"
   path="/var/account/pacct" dev="dm-8" ino=113078
   scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Comment 9 Satoe Imaishi 2016-05-25 15:30:15 UTC
libguestfs package has been updated on the build machine, it now has the version mentioned above.

Comment 16 errata-xmlrpc 2016-06-29 16:02:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348


Note You need to log in before you can comment on or make changes to this bug.