Bug 2353898 - SELinux is preventing /usr/bin/systemctl from read access on the directory journal.
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: cobbler
Version: epel9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-03-20 15:13 UTC by a.savchuk
Modified: 2025-05-26 15:27 UTC
CC List: 6 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description a.savchuk 2025-03-20 15:13:27 UTC
Description of problem:

SELinux is preventing /usr/bin/systemctl from read access on the directory journal.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed read access on the journal directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp


Additional Information:
Source Context                system_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:syslogd_var_run_t:s0
Target Objects                journal [ dir ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           systemd-252-46.0.3.el9_5.3.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.45-3.0.1.el9_5.noarch
Local Policy RPM              cobbler-selinux-3.3.7-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     netboot.bp.local
Platform                      Linux netboot.bp.local
                              5.14.0-503.31.1.el9_5.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Mar 11 08:08:01 PDT 2025
                              x86_64 x86_64
Alert Count                   3
First Seen                    2025-03-19 19:38:10 +04
Last Seen                     2025-03-19 20:08:52 +04
Local ID                      3658eec8-8164-4565-bdf2-9a7240941dfd

Raw Audit Messages
type=AVC msg=audit(1742400532.976:9660): avc:  denied  { read } for  pid=53985 comm="systemctl" name="journal" dev="tmpfs" ino=60 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1742400532.976:9660): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7fc7ecd0cd60 a2=90800 a3=0 items=0 ppid=53984 pid=53985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:cobblerd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: systemctl,cobblerd_t,syslogd_var_run_t,dir,read


Version-Release number of selected component (if applicable):

# rpm -qa cobbler*
cobbler-selinux-3.3.7-1.el9.noarch
cobbler-3.3.7-1.el9.noarch

# rpm -qa systemd
systemd-252-46.0.3.el9_5.3.x86_64

How reproducible: always

Steps to Reproduce:

1. dnf install cobbler 
2. systemctl start cobblerd
3. cobbler check

Actual results: SELinux prevents /usr/bin/systemctl run by cobblerd from read access on the directory journal.

Expected results: 'cobbler check' does not result in SELinux errors.

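The sealert suggestion above (ausearch piped into audit2allow, then semodule -i) turns every denial it finds into an allow rule without showing what it will grant. Before installing such a module on a netboot server, it is worth seeing the rule that the raw AVC record actually produces and deciding whether cobblerd_t should have it. The following is an added example, not code from cobbler, sealert or audit2allow: it parses raw AVC records, groups permissions per (source type, target type, class) the way a generated .te file does, and renders the module text. The audit text embedded below is constructed for the example: it contains the real AVC line from this report, a hypothetical second "search" denial for the same pair (to show permission merging), and a hypothetical record logged with permissive=1, which this script deliberately leaves out of the allow rules because the kernel already granted that access.

```python
"""Parse raw SELinux AVC records and render the Type Enforcement module
that a blanket allow would install.  Added example for triaging the
denial in this report; not cobbler, sealert or audit2allow code."""

import re
from collections import defaultdict

# "avc:  denied  { read search } for ..." -> result, permission list
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be double-quoted (comm="systemctl")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (see lead-in): line 1 is the AVC from this bug,
# line 2 is the matching SYSCALL record (ignored), lines 3 and 4 are
# hypothetical records added to exercise merging and permissive handling.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1742400532.976:9660): avc:  denied  { read } for  pid=53985 comm="systemctl" name="journal" dev="tmpfs" ino=60 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1742400532.976:9660): arch=x86_64 syscall=openat success=no exit=EACCES comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=AVC msg=audit(1742400533.001:9661): avc:  denied  { search } for  pid=53985 comm="systemctl" name="journal" dev="tmpfs" ino=60 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1742400534.500:9662): avc:  denied  { write } for  pid=777 comm="cobblerd" name="hypothetical" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["result"] = m.group(1)
    rec["perms"] = set(m.group(2).split())
    return rec


def selinux_type(context):
    """Third field of user:role:type:level, e.g. cobblerd_t."""
    return context.split(":")[2]


def collect_denials(audit_text):
    """Group enforcing-mode denials by (source type, target type, class).

    Records with permissive=1 were allowed by the kernel and only logged;
    they are skipped so they do not silently widen the generated policy.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec.get("permissive") == "1":
            continue
        key = (selinux_type(rec["scontext"]),
               selinux_type(rec["tcontext"]),
               rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def render_te(module_name, rules):
    """Render a .te file: module header, require block, allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};"
            for c in sorted(classes)]
    out += ["}", ""]
    for (s, t, cls) in sorted(rules):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(rules[(s, t, cls)]))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Prints the rule the bug's audit2allow recipe would grant to cobblerd_t.
    print(render_te("my-systemctl", collect_denials(SAMPLE_AUDIT)))
```

Read the allow line before running semodule: here it is cobblerd_t gaining read on syslogd_var_run_t directories, which is the access the reporter is asking the cobbler-selinux maintainers to either grant in the shipped policy or avoid. Reading the generated rule also makes it obvious when a catchall run has swept in unrelated denials from the same source domain.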
Comment 1 a.savchuk 2025-05-26 15:27:07 UTC
I found that the audit message is related to executing the 'cobblerd check' command. I have corrected my original message accordingly.

