Bug 1336742 - Service systemd-journald fails to start due to AVC denial on /etc/machine-id read
Summary: Service systemd-journald fails to start due to AVC denial on /etc/machine-id ...
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.6.0
Assignee: Šimon Lukašík
QA Contact: luke couzens
Whiteboard: appliance
Depends On:
Blocks: 1341242
TreeView+ depends on / blocked
Reported: 2016-05-17 11:40 UTC by Jan Krocil
Modified: 2016-06-29 16:02 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1341242 (view as bug list)
Last Closed: 2016-06-29 16:02:54 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
jkrocil: automate_bug+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1348 0 normal SHIPPED_LIVE CFME 5.6.0 bug fixes and enhancement update 2016-06-29 18:50:04 UTC

Description Jan Krocil 2016-05-17 11:40:13 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start a fresh appliance
2. # systemctl status systemd-journald

Actual results:
systemd-journald is not running

Expected results:
systemd-journald is running out of the box

Additional info:

[   13.331781] type=1400 audit(1463408382.377:4): avc:  denied  { read } for  pid=503 comm="systemd-journal" name="machine-id" dev="dm-0" ino=9948640 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

# restorecon /etc/machine-id
# systemctl start systemd-journald

Comment 2 Nick Carboni 2016-05-19 13:54:20 UTC
I can't reproduce this on a deploy.

What appliance build was this? VMWare? RHEV?

I deployed the VMWare appliance on Workstation and systemd-journald is up and running fine.

Comment 4 Šimon Lukašík 2016-05-19 16:34:18 UTC
The problem is that we have /etc/machine-id with unlabeled_t selinux label on the image (looking into rhos version, haven't unpacked vmware).

Comment 5 Šimon Lukašík 2016-05-20 09:03:05 UTC
The unlabeled_t means that we have re-created the /etc/machine-id during the build and we did not have the guest policy loaded during that operation. Do we keep appliance build logs somewhere?

Also, the bug 1308997 is worth reading.

Comment 6 Šimon Lukašík 2016-05-20 11:51:11 UTC
There are more unlabeled_t files:

  # find / -context *:unlabeled_t:*

Because of this, logrorate fails to service psacct on the appliance.

   avc:  denied  { getattr } for  pid=1967 comm="logrotate"
   path="/var/account/pacct" dev="dm-8" ino=113078
   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Comment 9 Satoe Imaishi 2016-05-25 15:30:15 UTC
libguestfs package has been updated on the build machine, it now has the version mentioned above.

Comment 16 errata-xmlrpc 2016-06-29 16:02:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.