Red Hat Bugzilla – Bug 1397744
SELinux is preventing /usr/bin/systemctl from 'write' accesses on the chr_file kmsg.
Last modified: 2018-04-10 08:26:24 EDT
+++ This bug was initially created as a clone of Bug #1295508 +++

SELinux is preventing /usr/bin/systemctl from write access on the chr_file kmsg.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemctl should be allowed write access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                kmsg [ chr_file ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          satellite2.point.local
Source RPM Packages           systemd-219-30.el7_3.6.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     satellite2.point.local
Platform                      Linux satellite2.point.local 3.10.0-514.el7.x86_64 #1 SMP Wed Oct 19 11:24:13 EDT 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-11-09 03:45:06 EET
Last Seen                     2016-11-21 03:21:04 EET
Local ID                      a020456c-e7f8-4db6-9c99-bb3aacf7811e

Raw Audit Messages
type=AVC msg=audit(1479691264.861:26091): avc: denied { write } for pid=22935 comm="systemctl" name="kmsg" dev="devtmpfs" ino=1034 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1479691264.861:26091): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5bfde8117f a1=80101 a2=ffffffff a3=7f5bfceda7b8 items=0 ppid=22934 pid=22935 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3671 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: systemctl,logrotate_t,kmsg_device_t,chr_file,write

Additional info:

[root@supreet sosreport-MarkoMki.01744697-20161122110509]# grep selinux installed-rpms
candlepin-selinux-0.9.49.16-1.el7.noarch                 Mon Nov 7 11:56:04 2016
foreman-selinux-1.7.2.16-1.el7sat.noarch                 Mon Nov 23 15:27:14 2015
libselinux-2.5-6.el7.x86_64                              Mon Nov 7 11:54:53 2016
libselinux-python-2.5-6.el7.x86_64                       Mon Nov 7 11:55:14 2016
libselinux-ruby-2.5-6.el7.x86_64                         Mon Nov 7 11:58:45 2016
libselinux-utils-2.5-6.el7.x86_64                        Mon Nov 7 11:55:51 2016
pulp-selinux-2.6.0.21-1.el7sat.noarch                    Tue Aug 2 13:32:30 2016
selinux-policy-3.13.1-102.el7_3.4.noarch                 Mon Nov 7 11:55:52 2016
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch        Mon Nov 7 11:56:35 2016
[root@supreet sosreport-MarkoMki.01744697-20161122110509]#

Looks like a logrotate script is executing a kmesg command. Not sure why it is doing this rather than writing to syslog. Allowing this is probably ok, but I am not sure if there are any potential problems allowing processes to write to /dev/kmsg.

Please provide the output of the following command:

# grep kmsg /proc/cmdline

I already saw similar AVCs on machines where the following parameters were given to the kernel at boot time:

systemd.debug systemd.log_level=debug systemd.log_target=kmsg

Hello Milos,

Please find the below requested information from sosreport:

[root@supreet sosreport-MarkoMki.01744697-20161122110509]# grep kmsg proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet LANG=en_GB.UTF-8 systemd.debug systemd.log_level=debug systemd.log_target=kmsg
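
The triage step carried out in the comments above (match the AVC record against the kernel command line) can be scripted; this is an added example, not part of the original bug report or of any Red Hat tooling. The function names are hypothetical, and the sample input is the AVC record and command line quoted in this report.

```python
import re

# Sample input copied from this report (AVC record and kernel command line).
AVC = ('type=AVC msg=audit(1479691264.861:26091): avc: denied { write } for pid=22935 '
       'comm="systemctl" name="kmsg" dev="devtmpfs" ino=1034 '
       'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file')
CMDLINE = ('BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/rhel-root ro '
           'rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet '
           'LANG=en_GB.UTF-8 systemd.debug systemd.log_level=debug systemd.log_target=kmsg')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the level may itself contain ':'.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def parse_cmdline(text):
    """Split a kernel command line into {parameter: value}; bare flags map to True."""
    params = {}
    for tok in text.split():
        key, sep, val = tok.partition('=')
        params[key] = val if sep else True
    return params

def kmsg_log_target_denial(avc_line, cmdline):
    """True when a write denial on a kmsg_device_t chr_file coincides with
    systemd.log_target=kmsg on the kernel command line."""
    rec = parse_avc(avc_line)
    if rec is None:
        return False
    hits_kmsg = (rec.get('tclass') == 'chr_file'
                 and rec['tcontext_type'] == 'kmsg_device_t'
                 and 'write' in rec['perms'])
    return hits_kmsg and parse_cmdline(cmdline).get('systemd.log_target') == 'kmsg'

if __name__ == '__main__':
    print(parse_avc(AVC)['scontext_type'], kmsg_log_target_denial(AVC, CMDLINE))
```

A match only shows that the denial and the boot parameter occur together, which is the pattern described in the comment above; it does not decide whether the access should be allowed.
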
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763