Description of problem:
The following avc denial is shown when booting an aarch64 machine.
----
time->Thu Apr 14 07:49:13 2022
type=AVC msg=audit(1649936953.070:219): avc: denied { relabelfrom } for pid=450 comm="journal-offline" name=".#system" dev="vda3" ino=51958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Thu Apr 14 07:49:13 2022
type=AVC msg=audit(1649936953.070:220): avc: denied { relabelto } for pid=450 comm="journal-offline" name=".#system" dev="vda3" ino=51958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Version-Release number of selected component (if applicable):
selinux-policy-36.6-1.fc37.noarch
systemd-251~rc1-3.fc37.aarch64
How reproducible:
It seems easily reproducible
Steps to Reproduce:
1. Provision an aarch64 VM with Rawhide
2. Reboot
Additional info:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-36.6-1.fc37.noarch
----
time->Thu Apr 14 07:49:13 2022
type=AVC msg=audit(1649936953.070:219): avc: denied { relabelfrom } for pid=450 comm="journal-offline" name=".#system" dev="vda3" ino=51958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
time->Thu Apr 14 07:49:13 2022
type=AVC msg=audit(1649936953.070:220): avc: denied { relabelto } for pid=450 comm="journal-offline" name=".#system" dev="vda3" ino=51958 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
This is the full audit entry:
----
type=PROCTITLE msg=audit(04/14/2022 12:22:06.334:223) : proctitle=/usr/lib/systemd/systemd-journald
type=PATH msg=audit(04/14/2022 12:22:06.334:223) : item=0 name=(null) inode=78269 dev=00:21 mode=file,640 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/14/2022 12:22:06.334:223) : cwd=/
type=SYSCALL msg=audit(04/14/2022 12:22:06.334:223) : arch=aarch64 syscall=fsetxattr success=yes exit=0 a0=0x1f a1=0xffff84000c39 a2=0xffff84000e70 a3=0x1f items=1 ppid=1 pid=450 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=journal-offline exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(04/14/2022 12:22:06.334:223) : avc: denied { relabelto } for pid=450 comm=journal-offline name=.#system dev="vda3" ino=78269 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/14/2022 12:22:06.334:223) : avc: denied { relabelfrom } for pid=450 comm=journal-offline name=.#system dev="vda3" ino=78269 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
systemd-journald has code [1,2] to finalize a journal file in an asynchronous thread. There haven't been many changes to this code since 2016, except that we started making a copy with a tempfile [3,4].
[1] https://github.com/systemd/systemd/commit/ac2e41f510
[2] https://github.com/systemd/systemd/commit/fa7ff4cf03
[3] https://github.com/systemd/systemd/commit/d71ece3f0b
[4] https://github.com/systemd/systemd/commit/5d04cec867
The AVC seems roughly consistent with the code: the "journal-offline" thread creates a temporary file and tries to atomically link it to the normal journal file name. The policy should allow this.
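An audit2allow-style summary of the denials quoted in this bug, as an added example (not code from systemd, selinux-policy or any commenter). The function names are illustrative, and the rule it prints only restates what was denied; it is not the change shipped in the policy update.

```python
import re
from collections import defaultdict

# AVC records copied from comments in this bug: two permissive-mode denials
# from the aarch64 report and one enforcing-mode denial from an x86_64 report.
SAMPLE = '''\
type=AVC msg=audit(04/14/2022 12:22:06.334:223) : avc: denied { relabelto } for pid=450 comm=journal-offline name=.#system dev="vda3" ino=78269 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/14/2022 12:22:06.334:223) : avc: denied { relabelfrom } for pid=450 comm=journal-offline name=.#system dev="vda3" ino=78269 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1663674094.272:31766): avc: denied { relabelto } for pid=806 comm="journal-offline" name=".#user-1000" dev="dm-0" ino=3313234 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=CWD msg=audit(04/14/2022 12:22:06.334:223) : cwd=/
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    rules, names, enforced = defaultdict(set), set(), False
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
        names.add(rec["name"])
        # permissive=0 means the kernel actually blocked the access;
        # permissive=1 means it was only logged and the syscall went ahead.
        enforced = enforced or rec.get("permissive") == "0"
    return dict(rules), names, enforced

def to_allow_rules(rules):
    """Render the grouped denials as the allow rules that would cover them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, names, enforced = summarize(SAMPLE)
    print("\n".join(to_allow_rules(rules)))
    print("files:", sorted(names), "blocked in enforcing mode:", enforced)
```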
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle. Changing version to 37.
This happens in Cockpit's tests as well: https://cockpit-logs.us-east-1.linodeobjects.com/pull-17690-20220831-051933-cb3b0276-fedora-37/log.html#256
*** Bug 2124427 has been marked as a duplicate of this bug. ***
Similar problem has been detected:
I started a virtual machine from virt-manager.
hashmarkername: setroubleshoot
kernel: 5.19.8-300.fc37.x86_64
package: selinux-policy-targeted-37.8-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
Similar issue occurred. Old machine upgraded to Fedora 37 beta.
Raw Audit Messages
type=AVC msg=audit(1663674094.272:31766): avc: denied { relabelto } for pid=806 comm="journal-offline" name=".#user-1000" dev="dm-0" ino=3313234 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
kernel: 5.19.9-300.fc37.x86_64
package: selinux-policy-targeted-37.8-1.fc37.noarch
Policy Type: targeted
Enforcing Mode: Enforcing
Source Context: system_u:system_r:syslogd_t:s0
Target Context: system_u:object_r:var_log_t:s0
Similar problem has been detected:
reboot or restart
hashmarkername: setroubleshoot
kernel: 5.19.10-300.fc37.x86_64
package: selinux-policy-targeted-37.12-2.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelto' accesses on the file .#user-1000.
type: libreport
This isn't just aarch64; it's happening on x86_64 also.
*** Bug 2137323 has been marked as a duplicate of this bug. ***
*** Bug 2139623 has been marked as a duplicate of this bug. ***
Similar problem has been detected:
After update:
# LANG=C dnf history info last
hashmarkername: setroubleshoot
kernel: 6.0.5-300.fc37.x86_64
package: selinux-policy-targeted-37.14-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the fichier .#user-1000.
type: libreport
*** Bug 2143157 has been marked as a duplicate of this bug. ***
I don't really know if this is relevant, but the error always happens when using the Citrix Workspace App to connect to my company's Citrix environment.
Similar problem has been detected:
Shown in SELinux report.
hashmarkername: setroubleshoot
kernel: 6.0.8-300.fc37.x86_64
package: selinux-policy-targeted-37.14-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
Similar problem has been detected:
systemctl
Any form of use of systemctl after a "dnf groupinstall" done yesterday.
Always associated with another SELinux Alert; Bug 2083900 - SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities
hashmarkername: setroubleshoot
kernel: 6.0.9-300.fc37.x86_64
package: selinux-policy-targeted-37.14-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
Similar problem has been detected:
Not really sure why this happened.
hashmarkername: setroubleshoot
kernel: 6.0.9-300.fc37.x86_64
package: selinux-policy-targeted-37.14-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1001.
type: libreport
Similar problem has been detected:
Don't really know what caused this.
hashmarkername: setroubleshoot
kernel: 6.0.9-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1001.
type: libreport
Similar problem has been detected:
This denial happens multiple times a day, on Fedora 37 (mate - in my case) even after "fixfiles onboot".
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelto' accesses on the file .#system.
type: libreport
Similar problem has been detected:
This denial happens multiple times a day, on Fedora 37 (mate - in my case) even after "fixfiles onboot".
Probably related to: 2075527
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#system.
type: libreport
Similar problem has been detected:
This AVC denial happens at boot and occasionally during normal use, with packages from updates-testing:
selinux-policy-37.16-1.fc37.noarch
selinux-policy-minimum-37.16-1.fc37.noarch
selinux-policy-targeted-37.16-1.fc37.noarch
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.16-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelto' accesses on the file .#system.
type: libreport
Similar problem has been detected:
This AVC denial (still) happens at boot and occasionally during normal use, with packages from updates-testing:
selinux-policy-37.16-1.fc37.noarch
selinux-policy-minimum-37.16-1.fc37.noarch
selinux-policy-targeted-37.16-1.fc37.noarch
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.16-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#system.
type: libreport
Similar problem has been detected:
login
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
*** Bug 2152588 has been marked as a duplicate of this bug. ***
Similar problem has been detected:
It happens as I log in in plasma.
hashmarkername: setroubleshoot
kernel: 6.0.11-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the fitxer .#user-1000.
type: libreport
Similar problem has been detected:
When I switch on the laptop.
hashmarkername: setroubleshoot
kernel: 6.0.12-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
Similar problem has been detected:
login
hashmarkername: setroubleshoot
kernel: 6.0.12-300.fc37.x86_64
package: selinux-policy-targeted-37.15-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5
Similar problem has been detected:
This alert appeared when I logged in after boot.
hashmarkername: setroubleshoot
kernel: 6.0.13-300.fc37.x86_64
package: selinux-policy-targeted-37.16-1.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected:
Alert appears regularly, at least once a day
hashmarkername: setroubleshoot
kernel: 6.0.7-301.fc37.x86_64
package: selinux-policy-targeted-37.12-2.fc37.noarch
reason: SELinux is preventing journal-offline from 'relabelfrom' accesses on the file .#user-1000.
type: libreport