Bug 1676923 - SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'signull' accesses on a process.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:ce08e5073f70ac9b65a5171d531...
Duplicates: 1679468
Depends On:
Blocks:
Reported: 2019-02-13 15:48 UTC by Michal Sekletar
Modified: 2019-06-14 02:05 UTC
CC: 18 users

Fixed In Version: selinux-policy-3.14.1-61.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1673847
Environment:
Last Closed: 2019-06-14 02:05:05 UTC
Type: ---
Target Upstream Version:
Embargoed:



Description Michal Sekletar 2019-02-13 15:48:40 UTC
We have the code which caused the denial also in RHEL so the fix should be backported to RHEL-8 version of the policy.

+++ This bug was initially created as a clone of Bug #1673847 +++

Description of problem:
I upgraded to systemd-239-10.git4dc7dce.fc29 from koji. The next time I started my system after the systemd update, I saw a large number of denials of systemd-journald sending signull to processes with about 14 different labels as shown in the setroubleshooter. 20 denials of signull on auditd_t appear to have been the most frequent by label. The denials continued after I logged into Plasma and was using it. I'll attach the audit log with the denials.

SELinux is preventing /usr/lib/systemd/systemd-journald from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-journald should be allowed signull access on processes labeled auditd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:system_r:auditd_t:s0
Target Objects                Unknown [ process ]
Source                        systemd-journal
Source Path                   /usr/lib/systemd/systemd-journald
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-239-10.git4dc7dce.fc29.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-48.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.7-200.fc29.i686 #1 SMP Wed
                              Feb 6 19:19:30 UTC 2019 i686 i686
Alert Count                   20
First Seen                    2019-02-08 04:19:05 EST
Last Seen                     2019-02-08 04:47:56 EST
Local ID                      b5ca00c0-668d-4639-9346-9ad0b858de66

Raw Audit Messages
type=AVC msg=audit(1549619276.640:574): avc:  denied  { signull } for  pid=590 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0


type=SYSCALL msg=audit(1549619276.640:574): arch=i386 syscall=kill success=no exit=EACCES a0=2ca a1=0 a2=b7f23f28 a3=2ca items=0 ppid=1 pid=590 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)

Hash: systemd-journal,syslogd_t,auditd_t,process,signull

Version-Release number of selected component:
selinux-policy-3.14.2-48.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.7-200.fc29.i686
type:           libreport

--- Additional comment from Matt Fagnani on 2019-02-08 11:14 CET ---

This attachment is the output of 
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts boot > ausearch-systemd-journald-1.txt after booting with systemd-239-10.git4dc7dce.fc29.
The denials involve systemd-journald with label syslogd_t using signull on processes with the following labels: unconfined_service_t, rpm_t, mount_t, alsa_t, fsdaemon_t, modemmanager_t, auditd_t, devicekit_disk_t, cupsd_t, systemd_logind_t, NetworkManager_t, xdm_t, accountsd_t, dhcpc_t.

--- Additional comment from Adam Williamson on 2019-02-08 15:50:08 CET ---

openQA tests saw the same results as Matt - see all the tests that show up orange here: https://openqa.fedoraproject.org/tests/overview?distri=fedora&version=29&build=Update-FEDORA-2019-1fb1547321&groupid=2 . They're all orange (which is the kinda 'passed but with warnings' state) because a check for AVCs ran during those tests (it doesn't run in all the tests) and found AVCs. The same AVCs aren't showing up in other update tests, so they are definitely related to this update.

--- Additional comment from Zbigniew Jędrzejewski-Szmek on 2019-02-08 16:58:40 CET ---

C&P from bodhi:

> I reverted the one patch that I think was causing the selinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.

> What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)

So, this bug should still be present in rawhide, but not F29.

selinux maintainers: please allow kill(0, ...) to be done from systemd-journald. This is what systemd-journald started doing in this update, and I assume that this is what 'signull' means.

If possible, I'd also like to have this policy change in F29, if it's not too much work. Otherwise just F30+ is enough.

--- Additional comment from Adam Williamson on 2019-02-08 17:29:50 CET ---

"What is slightly surprising, is that patch is present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)"

I do, but your recent systemd build (systemd-241~rc2-1.fc30) is not actually in any Rawhide compose yet. The last Rawhide compose was 2019-02-05. So no-one running Rawhide has it unless they got it from Koji manually.

--- Additional comment from Zbigniew Jędrzejewski-Szmek on 2019-02-08 17:56:17 CET ---

Sorry, I'm on PTO and slightly out of the loop. I *should* have tested the update with selinux.

--- Additional comment from Matt Fagnani on 2019-02-09 19:53:30 CET ---

I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.

--- Additional comment from Lukas Vrabec on 2019-02-11 13:20:54 CET ---



--- Additional comment from Lukas Vrabec on 2019-02-11 16:46:20 CET ---

commit 8258bc10ab4591c277398a872364355be7b15cd4 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 11 16:45:12 2019 +0100

    Allow syslogd_t domain to send null signal to all domains on system
    Resolves: rhbz#1673847

--- Additional comment from Villy Kruse on 2019-02-12 11:31:27 CET ---

Description of problem:
This started after upgrading to systemd-241~rc2-2.fc30.x86_64

Version-Release number of selected component:
selinux-policy-3.14.3-20.fc30.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.0-0.rc5.git0.1.fc30.x86_64
type:           libreport
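
Triage of raw AVC records like the one in this report, as an added example that is not part of the bug report and is not setroubleshoot's or audit2allow's code: it parses `type=AVC` lines, rebuilds the setroubleshoot `Hash` field, tallies denials by source type, target type, object class and permission, and prints the narrow `allow` rule audit2allow would generate per target type. The first sample line is the record from the report above; the remaining lines, the repeated auditd_t denial and the `NetworkManager_t` record are constructed for the demo. The fix that shipped (the commit quoted above) allowed syslogd_t the null signal on all domains rather than adding one rule per target type.

```python
import re
from collections import Counter

# Constructed sample input. Line 0 is the raw AVC record from this report;
# the rest are made up in the same shape (same pid/comm, other targets).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1549619276.640:574): avc:  denied  { signull } for  pid=590 '
    'comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1549619276.641:575): avc:  denied  { signull } for  pid=590 '
    'comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1549619276.650:580): avc:  denied  { signull } for  pid=590 '
    'comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=0',
    # Constructed, shortened SYSCALL record: not an AVC, must be ignored.
    'type=SYSCALL msg=audit(1549619276.640:574): arch=i386 syscall=kill success=no exit=EACCES',
]

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="systemd-journal")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of an SELinux context user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def setroubleshoot_hash(rec):
    """Same shape as the 'Hash:' line setroubleshoot prints for a denial."""
    return ",".join(
        [rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])]
    )


def summarize(lines):
    """Count enforced denials keyed by (source type, target type, class, perm)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def te_rule(stype, ttype, tclass, perm):
    """The one-target allow rule audit2allow would emit for this key."""
    return f"allow {stype} {ttype}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LINES).most_common():
        print(f"{n:3d}  {te_rule(*key)}")
```

Sorting by count reproduces the reporter's observation that auditd_t was the most frequent target; the rule list is what a local module would contain, one line per target label seen, which is why a policy-level fix covering all domains was the right outcome here.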

Comment 1 Michal Sekletar 2019-02-13 16:25:12 UTC
This bug is related to fix for CVE-2018-16864 and w/o SELinux policy fix the CVE is not fixed fully.

https://bugzilla.redhat.com/show_bug.cgi?id=1664976

Bug #1664976 has a blocker+ and hence this bug should be considered blocker too.

Comment 4 Michal Sekletar 2019-02-14 06:51:17 UTC
(In reply to Michal Sekletar from comment #1)
> This bug is related to fix for CVE-2018-16864 and w/o SELinux policy fix the
> CVE is not fixed fully.

To be accurate, CVE is fixed but due to the fix for the flaw in combination with SELinux issue journald can eat more memory than necessary.
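
The probe behind the `signull` permission, as an added example that is not systemd's code: `kill(pid, 0)` delivers nothing, so the kernel only reports whether the target exists and whether the caller may signal it. A cache-pruning loop of the kind the reverted journald patch performed may treat only ESRCH as "dead"; EACCES (the `exit=EACCES` on the `syscall=kill` record in the description) means the process exists but SELinux refused the check, so the entry has to be kept, and the cache cannot shrink until the policy allows the probe. The cache dict, `prune_dead` and `reaped_child_pid` are constructed for the demo.

```python
import os


def pid_is_alive(pid):
    """Existence probe with the null signal.

    Outcomes of kill(pid, 0):
      0                -> process exists and we may signal it
      ESRCH            -> no such process: the only "dead" answer
      EPERM / EACCES   -> process exists, but DAC or an LSM (SELinux
                          'signull' here) refused; must count as alive
    Python raises ProcessLookupError for ESRCH and PermissionError for
    EPERM/EACCES, so the errno mapping is done by the exception type.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def prune_dead(cache):
    """Drop entries of a pid-keyed cache whose process is gone.

    Returns the set of removed pids. Entries whose probe was refused
    stay in place: a denied probe says nothing about liveness, which
    is why the cache stays at its maximum while the AVCs above fire.
    """
    dead = {pid for pid in cache if not pid_is_alive(pid)}
    for pid in dead:
        del cache[pid]
    return dead


def reaped_child_pid():
    """Fork a child that exits at once, reap it, return its now-free pid."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    os.waitpid(pid, 0)
    return pid


if __name__ == "__main__":
    me, gone = os.getpid(), reaped_child_pid()
    cache = {me: "self", gone: "reaped child", 1: "init"}
    print("removed:", prune_dead(cache))
    print("kept:", cache)
```

Run as a normal user, pid 1 usually answers EPERM and is kept; run as root it answers 0 and is likewise kept. Only the reaped child is removed, which is the behaviour a confined daemon gets back once the policy grants `signull` and the probe can reach ESRCH instead of EACCES.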

Comment 7 Vladimir Benes 2019-02-19 09:58:44 UTC
I updated RHEL8 system (GNOME desktop) and after logging in I see a bombing of AVC reports in the GS tray (like 20 in a while). This is really annoying. I can set to ignore them but having cleanly installed workstation with a ton of AVCs from the very beginning is just odd. Not sure how this affects journald and service logging.

Comment 11 Lukas Vrabec 2019-02-21 09:08:35 UTC
*** Bug 1679468 has been marked as a duplicate of this bug. ***

