Description of problem: SELinux is preventing systemd-journal from search access on the directory /var/log/journal/bbe68372db9f4c589a1f67f008e70864. Version-Release number of selected component (if applicable): systemd-238-8.git0e0aa59.fc28.x86_64 selinux-policy-3.14.1-32.fc28.noarch How reproducible: Not sure yet, 1 for 1. Steps to Reproduce: I don't know, this hasn't happened before now. The only change to the system is I just put /var/log on F2FS. I copied old /var/log on Btrfs to new /var/log on F2FS using cp -a. I then mount new /var/log in place, and used restorecon -rv and updated fstab. I've rebooted several times to confirm systemd is mounting /var/log correctly, and only then does it flush the journal from /run to /var. It had been working right up until dnf make cache timer kicked off. Actual results: Many many AVC messages suddenly started appearing in GNOME. And then the whole system hung up completely, it was not recoverable, I had to force power off. Expected results: Something more graceful, not sure. Maybe it's an unsupported configuration. Additional info: SELinux is preventing systemd-journal from search access on the directory /var/log/journal/bbe68372db9f4c589a1f67f008e70864. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /var/log/journal/bbe68372db9f4c589a1f67f008e70864 default label should be var_log_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /var/log/journal/bbe68372db9f4c589a1f67f008e70864 ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that systemd-journal should be allowed search access on the bbe68372db9f4c589a1f67f008e70864 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal # semodule -X 300 -i my-systemdjournal.pp Additional Information: Source Context system_u:system_r:syslogd_t:s0 Target Context system_u:object_r:rpm_var_cache_t:s0 Target Objects /var/log/journal/bbe68372db9f4c589a1f67f008e70864 [ dir ] Source systemd-journal Source Path systemd-journal Port <Unknown> Host f28h.local Source RPM Packages systemd-238-8.git0e0aa59.fc28.x86_64 Target RPM Packages Policy RPM selinux-policy-3.14.1-32.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name f28h.local Platform Linux f28h.local 4.17.4-200.fc28.x86_64 #1 SMP Tue Jul 3 14:06:39 UTC 2018 x86_64 x86_64 Alert Count 471 First Seen 2018-07-04 21:35:51 MDT Last Seen 2018-07-04 21:35:59 MDT Local ID 95e6df49-de12-4f6e-ac9f-5df04a477a04 Raw Audit Messages type=AVC msg=audit(1530761759.305:2329): avc: denied { search } for pid=485 comm="systemd-journal" name="log" dev="nvme0n1p6" ino=4889201 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1530761759.305:2329): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=56191fc70850 a2=90800 a3=0 items=1 ppid=1 pid=485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null) type=CWD msg=audit(1530761759.305:2329): cwd=/ type=PATH msg=audit(1530761759.305:2329): item=0 name=/var/log/journal/bbe68372db9f4c589a1f67f008e70864 nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Hash: systemd-journal,syslogd_t,rpm_var_cache_t,dir,search
This line: >Source Context system_u:system_r:syslogd_t:s0 seems bogus. [chris@f28h ~]$ ls -lZ /var/log/journal/ total 4 drwxr-sr-x+ 2 root systemd-journal system_u:object_r:var_log_t:s0 3488 Jul 4 21:48 bbe68372db9f4c589a1f67f008e70864 [chris@f28h ~]$
Created attachment 1456645 [details] journal [chris@f28h ~]$ sudo journalctl -b-1 -o short-monotonic | grep -v drm > journal-avcjournald.txt There are 21,000+ AVC messages.
I wonder if this is related. It appears a few minutes before the tens of thousands of avc messages. /var/log/sa (which is present contrary the message) has label system_u:object_r:sysstat_log_t:s0 Jul 04 21:30:03 f28h.local systemd[1]: Starting system activity accounting tool... Jul 04 21:30:03 f28h.local sa1[4745]: Cannot open /var/log/sa: No such file or directory Jul 04 21:30:03 f28h.local systemd[1]: sysstat-collect.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Jul 04 21:30:03 f28h.local systemd[1]: sysstat-collect.service: Failed with result 'exit-code'. Jul 04 21:30:03 f28h.local systemd[1]: Failed to start system activity accounting tool. Jul 04 21:30:03 f28h.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' But there is no AVC for this failure itself. The directory exists has correct permissions and label, and contents (bunch of files from June).
Bizarre, I haven't changed anything since filing this and now I'm not getting the 'sa1 cannot open /var/log/sa' message, or the systat-collect failure, or any avc's on /var/log/journal/<uuid> I'll keep this open for now but at the moment it's looking like a sunspots bug.
Are you able to reproduce it? Thanks, Lukas.
Nope. It hasn't happened again, systemd-journald on f2fs /var/log has been stable since. I'll assume some kind of user or transient error following the initial switch.