1824087 – SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.

Bug 1824087 - SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.

Summary: SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_so...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	32
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:f3ee87e607d15ca8caade0a2724...
Depends On:	1812955
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-15 09:23 UTC by Matteo Croce
Modified:	2020-05-06 04:30 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.14.5-38.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-06 04:30:01 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Matteo Croce 2020-04-15 09:23:01 UTC

Description of problem:
SELinux is preventing (sd-worker) from 'sendto' accesses on the unix_dgram_socket /run/systemd/journal/socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (sd-worker) should be allowed sendto access on the socket unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(sd-worker)' --raw | audit2allow -M my-sdworker
# semodule -X 300 -i my-sdworker.pp

Additional Information:
Source Context                system_u:system_r:systemd_userdbd_t:s0
Target Context                system_u:system_r:syslogd_t:s0
Target Objects                /run/systemd/journal/socket [ unix_dgram_socket ]
Source                        (sd-worker)
Source Path                   (sd-worker)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            <Unknown>
Local Policy RPM              selinux-policy-targeted-3.14.5-32.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.6.2 #165 SMP Sun Apr 5 14:22:07
                              CEST 2020 x86_64 x86_64
Alert Count                   12
First Seen                    2020-04-15 11:14:25 CEST
Last Seen                     2020-04-15 11:19:59 CEST
Local ID                      affb36f4-7a0a-4e84-8696-39093aaa24ab

Raw Audit Messages
type=AVC msg=audit(1586942399.403:709): avc:  denied  { sendto } for  pid=5543 comm="systemd-userwor" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0


Hash: (sd-worker),systemd_userdbd_t,syslogd_t,unix_dgram_socket,sendto


Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.6.2
type:           libreport

Comment 1 Lukas Vrabec 2020-04-20 14:05:14 UTC

commit e8a4f6cbb6eedf008801b6eb14333169882b35a5 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 20 16:04:48 2020 +0200

    Allow systemd_userdbd_t domain logging to journal
    
    Resolves: rhbz#1824087

Comment 2 Fedora Update System 2020-04-29 09:04:50 UTC

FEDORA-2020-3ffe9fdf42 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42

Comment 3 Fedora Update System 2020-04-30 04:13:10 UTC

FEDORA-2020-3ffe9fdf42 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-3ffe9fdf42`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-3ffe9fdf42

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-05-05 11:34:25 UTC

FEDORA-2020-a6cd8de2ed has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a6cd8de2ed

Comment 5 Fedora Update System 2020-05-06 04:30:01 UTC

FEDORA-2020-a6cd8de2ed has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.