After upgrading to logwatch-7.4.3-3.fc25.noarch with support for parsing journald logs, the following AVCs are generated, effectively disabling the recent addition of journald support to logwatch. See bug #864872. AVC avc: denied { execute } for pid=19919 comm="perl" name="journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute } for pid=19919 comm="perl" name="journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { read open } for pid=31910 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { read open } for pid=31910 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute_no_trans } for pid=10444 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute_no_trans } for pid=10444 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute_no_trans } for pid=27384 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute_no_trans } for pid=27384 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0 AVC avc: denied { execute_no_trans } for pid=19018 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1 AVC avc: denied { sys_resource } for pid=19018 comm="journalctl" capability=24 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1 AVC avc: denied { setrlimit } for pid=19018 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1 AVC avc: denied { execute_no_trans } for pid=22896 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1 AVC avc: denied { sys_resource } for pid=22896 comm="journalctl" capability=24 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1 AVC avc: denied { setrlimit } for pid=22896 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1 AVC avc: denied { execute_no_trans } for pid=23638 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1 AVC avc: denied { sys_resource } for pid=23638 comm="journalctl" capability=24 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1 AVC avc: denied { setrlimit } for pid=23638 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1
The same errors with Fedora 26 except "setrlimit" denial. Seems "sys_resource" denial does not prevent to run joutnalctl and get results. The local policy to resolve the denials is attached.
Created attachment 1275144 [details] Logwath selinux policy for journalctl
Created attachment 1275268 [details] Logwath selinux policy for journalctl Well, I also have setrlimit denial. Here it is the updated policy.
In F27, journalctl in the logwatch_t context needs map access to journalctl_exec_t and var_log_t AVC avc: denied { map } for pid=14565 comm="journalctl" path="/usr/bin/journalctl" dev="md1" ino=57788544 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1 AVC avc: denied { map } for pid=14565 comm="journalctl" path="/var/log/journal/d23491c98ce8481cb7262477c211ea9f/user-1136600007" dev="md1" ino=109004652 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.