Bug 1481356 - selinux prevents systemd-journald services from running
Summary: selinux prevents systemd-journald services from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1481454
 
Reported: 2017-08-14 17:32 UTC by Paul Whalen
Modified: 2017-09-06 16:18 UTC (History)
CC List: 10 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-09-06 16:18:20 UTC
Type: Bug
Embargoed:



Description Paul Whalen 2017-08-14 17:32:52 UTC
Description of problem:
selinux prevents systemd-journald services from running


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-270.fc27.noarch

How reproducible:
every time

Steps to Reproduce:
1. Install using compose Fedora-Rawhide-20170811.n.2
2. Reboot system, run systemctl --all --failed

FAILED SERVICES:
  UNIT                            LOAD   ACTIVE SUB    DESCRIPTION              
● systemd-journald.service        loaded failed failed Journal Service          
● systemd-journald-audit.socket   loaded failed failed Journal Audit Socket     
● systemd-journald-dev-log.socket loaded failed failed Journal Socket (/dev/log)
● systemd-journald.socket         loaded failed failed Journal Socket           

[root@bpi ~]# systemctl start systemd-journald
[  197.384113] systemd-journald[970]: Failed to map sequential number file, ignoring: Permission denied
[  197.400993] systemd-journald[970]: Failed to open runtime journal: Permission denied
Job for systemd-journald.service failed because the control process exited with error code.
See "systemctl  status systemd-journald.service" and "journalctl  -xe" for details.
[root@bpi ~]# [  197.635997] systemd-journald[971]: Failed to map sequential number file, ignoring: Permission denied
[  197.650804] systemd-journald[971]: Failed to open runtime journal: Permission denied
[  197.846337] systemd-journald[972]: Failed to map sequential number file, ignoring: Permission denied
[  197.864907] systemd-journald[972]: Failed to open runtime journal: Permission denied
[  198.077638] systemd-journald[973]: Failed to map sequential number file, ignoring: Permission denied
[  198.092724] systemd-journald[973]: Failed to open runtime journal: Permission denied
[  198.297908] systemd-journald[974]: Failed to map sequential number file, ignoring: Permission denied
[  198.313391] systemd-journald[974]: Failed to open runtime journal: Permission denied

ausearch -m avc -ts recent
----
time->Mon Aug 14 13:25:45 2017
type=AVC msg=audit(1502731545.199:626): avc:  denied  { map } for  pid=1009 comm="plymouthd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permis0
----
time->Mon Aug 14 13:29:12 2017
type=AVC msg=audit(1502731752.182:587): avc:  denied  { map } for  pid=941 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:13 2017
type=AVC msg=audit(1502731753.973:588): avc:  denied  { map } for  pid=942 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:14 2017
type=AVC msg=audit(1502731754.364:590): avc:  denied  { map } for  pid=943 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:15 2017
type=AVC msg=audit(1502731755.608:595): avc:  denied  { map } for  pid=945 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissi0
----
time->Mon Aug 14 13:29:32 2017
type=AVC msg=audit(1502731772.856:604): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.023:605): avc:  denied  { map } for  pid=970 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.040:606): avc:  denied  { map } for  pid=970 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.122:610): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.275:611): avc:  denied  { map } for  pid=971 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.290:612): avc:  denied  { map } for  pid=971 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.351:616): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.486:617): avc:  denied  { map } for  pid=972 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.503:618): avc:  denied  { map } for  pid=972 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.568:622): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.717:623): avc:  denied  { map } for  pid=973 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.732:624): avc:  denied  { map } for  pid=973 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.793:628): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.937:629): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.953:630): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0


When selinux is in permissive, systemd-journald starts as expected.

[root@bpi ~]# setenforce 0
[root@bpi ~]# systemctl start systemd-journald
[root@bpi ~]# systemctl status systemd-journald
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; ven
   Active: active (running) since Mon 2017-08-14 13:31:28 EDT; 13s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 979 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/systemd-journald.service
           └─979 /usr/lib/systemd/systemd-journald

Aug 14 13:31:28 bpi.friendly-neighbours.com systemd-journald[979]: Journal start
Aug 14 13:31:28 bpi.friendly-neighbours.com systemd-journald[979]: Runtime journ

Comment 1 Jan Kurik 2017-08-15 08:56:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 Adam Williamson 2017-08-15 15:15:30 UTC
This is probably a dupe of one of the specific denials, likely the systemd-journal denial for its own log file.

Comment 3 Paul Whalen 2017-08-15 16:03:55 UTC
The log file is one of them, also 

----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.937:629): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
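The triage Adam and Paul are doing in the description and in comment 3 (which of the many denials actually belong to the failing service, and what would a local workaround look like) can be done mechanically. The following is an added example, not code from the bug report or from the selinux-policy project: it parses `ausearch -m avc`-style records, groups them by source type, target type and object class, filters down to the domain systemd-journald runs in (syslogd_t), and renders a Type Enforcement fragment in the shape `audit2allow -M` would emit. The sample records are constructed from the denials quoted above; because the page's records are cut off mid-line, the target type on the journald lines (`syslogd_var_run_t`) is an assumption made for the example. One record is deliberately left truncated the way the page's are, to show that such records are skipped rather than turned into a half-parsed rule.

```python
"""Triage SELinux AVC denials for a failing service.

Added example (not part of the bug report): parse `ausearch -m avc` records,
group them by (source type, target type, class), narrow to one domain and
render an audit2allow-style .te fragment for review.
"""
import re
from collections import defaultdict

# Constructed sample records modelled on the denials quoted in the report.
# The page's records are truncated; the tcontext type on the journald lines
# (syslogd_var_run_t) is ASSUMED here purely for illustration.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1502731545.199:626): avc:  denied  { map } for  pid=1009 '
    'comm="plymouthd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 '
    'scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1502731752.182:587): avc:  denied  { map } for  pid=941 '
    'comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 '
    'scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1502731772.856:604): avc:  denied  { create } for  pid=1 '
    'comm="systemd" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0',
    'type=AVC msg=audit(1502731773.023:605): avc:  denied  { map } for  pid=970 '
    'comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" '
    'ino=12065 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1502731773.040:606): avc:  denied  { map } for  pid=970 '
    'comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" '
    'dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0',
    # Truncated the way the records on the page are: no tclass survives.
    'type=AVC msg=audit(1502731773.275:611): avc:  denied  { map } for  pid=971 '
    'comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" '
    'ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def type_of(context):
    """user:role:type[:range] -> type; handles MLS ranges like s0-s0:c0.c1023."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for a complete denial record, or None when the line is not
    a denial or is too truncated to name source type, target type and class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    stype = type_of(fields.get("scontext", ""))
    ttype = type_of(fields.get("tcontext", ""))
    tclass = fields.get("tclass")
    if not (stype and ttype and tclass):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype, "ttype": ttype, "tclass": tclass,
        "comm": fields.get("comm"), "path": fields.get("path"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Group denials into (source type, target type, class) -> permissions.
    Also returns how many records were skipped as unparseable/truncated."""
    rules, skipped = defaultdict(set), 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            skipped += 1
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules), skipped


def denials_for_domain(rules, domain):
    """Keep only rules that involve the given domain as source or target. For this
    report that is syslogd_t, the domain systemd-journald runs in; the plymouthd_t
    and chkpwd_t denials are unrelated noise for the journald failure."""
    return {k: v for k, v in rules.items() if domain in (k[0], k[1])}


def render_te(rules, module="journald_local"):
    """Render a .te fragment in the shape audit2allow emits. This is a local
    workaround for review, not the fix: the report was resolved by an updated
    selinux-policy build, and a blanket allow should not outlive that update."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    all_rules, skipped = summarize(SAMPLE_AVC_LINES)
    print(f"{len(all_rules)} distinct rules, {skipped} truncated record(s) skipped")
    print(render_te(denials_for_domain(all_rules, "syslogd_t")))
```

Run on a live system by piping `ausearch -m avc -ts recent` into `summarize`; the narrowed output shows that only two rules stand between journald and a working journal (init_t creating the netlink audit socket on its behalf, and syslogd_t mapping its own runtime files), which is the distinction comment 2 is making. Treat the rendered fragment as a diagnostic: installing it with `semodule` is a stopgap, and the right resolution, as this report shows, is the policy update.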

Comment 4 Adam Williamson 2017-08-15 16:19:57 UTC
yeah, what I meant was I'm not so clear if that would prevent it running entirely. Still, definitely file that one on its own if it isn't filed yet.

Comment 5 Lukas Vrabec 2017-09-05 07:44:20 UTC
This looks fixed with the latest selinux-policy build. Could somebody try it? 

Thanks,
Lukas.

Comment 6 Adam Williamson 2017-09-05 15:56:33 UTC
journal is working for me in f27 lately, but let's let Paul confirm for his case.

Comment 7 Paul Whalen 2017-09-06 15:38:18 UTC
journal is working fine now, many thanks.

Comment 8 Adam Williamson 2017-09-06 16:18:20 UTC
I think this can be closed, as the relevant fixes are in stable.

