Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-191.19.fc24.noarch

How reproducible:
always

Steps to Reproduce:
1. Remove the /run/systemd/journal/dev-log
2. Restart systemd-journald
3. Or play with the systemd-journald-dev-log.socket (turn off and on)

Actual results:
Socket is not created and logging does not work.

Expected results:
The socket should be created and logging working.

Additional info:
# ausearch -m AVC
# audit2allow
----
time->Wed Nov 9 08:46:21 2016
type=AVC msg=audit(1478699181.421:76704): avc: denied { create } for pid=1 comm="systemd" name="dev-log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
----
time->Wed Nov 9 08:46:22 2016
type=AVC msg=audit(1478699182.100:76708): avc: denied { create } for pid=1 comm="systemd" name="dev-log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0

#============= init_t ==============
allow init_t devlog_t:sock_file create;
---------

The logging socket dev-log can be created by systemd in socket activation (in the ListenDatagram option in the socket above), so systemd should be able to create it.
This is a problem in all other Fedoras and most probably in RHEL7 too (needs investigation)
Probably related to the other issue I can see in the logs about the unlink when calling
# systemctl restart systemd-journald systemd-journald-dev-log.socket
results in
# audit2allow
----
time->Wed Nov 9 06:46:09 2016
type=AVC msg=audit(1478691969.589:23727): avc: denied { unlink } for pid=1 comm="systemd" name="dev-log" dev="tmpfs" ino=10903 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0

#============= init_t ==============
allow init_t devlog_t:sock_file unlink;

Please, add also this one.
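As an added example (not part of this report or of the selinux-policy code), the following Python groups the AVC records quoted above into audit2allow-style allow rules and checks whether the denied permissions all fall inside manage_sock_file_perms, the permission set the policy fix grants. The expansion of manage_sock_file_perms is taken from the reference policy's obj_perm_sets.spt and is an assumption of this example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this report.
AVC_SAMPLE = """\
type=AVC msg=audit(1478699181.421:76704): avc: denied { create } for pid=1 comm="systemd" name="dev-log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1478691969.589:23727): avc: denied { unlink } for pid=1 comm="systemd" name="dev-log" dev="tmpfs" ino=10903 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
"""

# Permission set named by manage_sock_file_perms in the reference policy
# (obj_perm_sets.spt); assumed here, since the report does not expand it.
MANAGE_SOCK_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                          "rename", "link", "unlink", "ioctl", "lock", "append"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:level -> type, the field allow rules are written against."""
    return context.split(":")[2]

def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # ausearch's '----' and 'time->' separator lines are skipped
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """Render one audit2allow-style allow statement per grouped key."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms_s = " ".join(sorted(perms))
        if len(perms) > 1:
            perms_s = "{ " + perms_s + " }"
        out.append(f"allow {src} {tgt}:{cls} {perms_s};")
    return out

def unexplained_by_fix(rules):
    """Denied perms on devlog_t:sock_file not covered by manage_sock_file_perms;
    an empty set means the one-line interface change is enough for these denials."""
    denied = rules.get(("init_t", "devlog_t", "sock_file"), set())
    return denied - MANAGE_SOCK_FILE_PERMS
```

Running parse_avc over a full `ausearch -m AVC` dump works the same way, since only lines matching the avc: denied pattern are consumed.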
commit 30029d61dd8fec49ecdea8374b719ec4de709612 Author: Lukas Vrabec <lvrabec> Date: Wed Nov 30 13:04:26 2016 +0100 Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 31be8ac..0690edf 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -614,6 +614,7 @@ interface(`logging_create_devlog_dev',` ') allow $1 devlog_t:lnk_file manage_lnk_file_perms; + allow $1 devlog_t:sock_file manage_sock_file_perms; dev_filetrans($1, devlog_t, lnk_file, "log") init_pid_filetrans($1, devlog_t, sock_file, "syslog") logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
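Review bot: the new allow line grants the full manage_sock_file_perms set (create, unlink, rename, link, setattr, write and more) to every caller of logging_create_devlog_dev(), while the denials attached to this bug only show create and unlink on devlog_t:sock_file; if the broader set is intended, the interface's summary comment (not in the visible hunk) should be updated to say the caller now manages, not just creates, the dev-log socket, otherwise the narrower create_sock_file_perms plus delete_sock_file_perms would match the observed need. The rule is placed consistently with the existing lnk_file allow and the sock_file filetrans lines for "syslog" and "dev-log" that follow it.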
selinux-policy-3.13.1-191.23.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33
selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33
selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.