Description of problem: One of the nice features of systemd is that all services log to syslog by default. Unless logging is explicitly turned off for a specific service, all output written to stderr/stdout of a service goes to syslog. The feature is implemented using a daemon called 'systemd-stdout-syslog-bridge' that listens on the UNIX socket '/run/systemd/stdout-syslog-bridge'. When systemd is spawning a service, it creates a client socket, connects it to the bridge, sends a piece of initializing information to it, and passes the socket to the exec'd service as its stdout and stderr. In simplified pseudo-code: if (fork() == 0) { /* child */ ... fd = socket(AF_UNIX, SOCK_STREAM, 0); connect(fd, ... "/run/systemd/stdout-syslog-bridge" ...); write(fd, "... dear bridge, please log the following to syslog ..."); dup2(fd, STDOUT_FILENO); dup2(STDOUT_FILENO, STDERR_FILENO); ... execve(command, ...); } It does not work for some commands because the SELinux policy prevents them from talking to the socket. The failure is not obvious, because this kind of access is set to dontaudit in the policy. My testcase was to add a non-existent NFS mount in /etc/fstab to make sure /bin/mount would try to complain to stderr. After "semanage dontaudit off" I reproduced the following denial: ---- time->Fri Nov 18 10:33:36 2011 type=PATH msg=audit(1321608816.670:214): item=1 name=(null) inode=393294 dev=fd:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 type=PATH msg=audit(1321608816.670:214): item=0 name="/bin/mount" inode=526800 dev=fd:05 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 type=CWD msg=audit(1321608816.670:214): cwd="/" type=EXECVE msg=audit(1321608816.670:214): argc=2 a0="/bin/mount" a1="/mnt" type=SYSCALL msg=audit(1321608816.670:214): arch=c000003e syscall=59 success=yes exit=0 a0=330bbd0 a1=32cdaf0 a2=3622b20 a3=7fff23ce8150 items=2 ppid=1 pid=7324 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1321608816.670:214): avc: denied { read write } for pid=7324 comm="mount" path="socket:[2131752]" dev=sockfs ino=2131752 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=AVC msg=audit(1321608816.670:214): avc: denied { read write } for pid=7324 comm="mount" path="socket:[2131752]" dev=sockfs ino=2131752 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket ---- Version-Release number of selected component (if applicable): systemd-37-4.fc16.x86_64 selinux-policy-targeted-3.10.0-55.fc16.noarch How reproducible: always Steps to Reproduce: 1. Have SELinux in enforcing mode. 2. Put this in fstab: nonexistent.invalid:/pub /mnt nfs ro,intr 0 0 3. systemctl daemon-reload 4. systemctl start mnt.mount Actual results: systemctl fails as expected, but the error message "mount.nfs: Failed to resolve server nonexistent.invalid: Name or service not known" is found neither in /var/log/messages nor in dmesg. Expected results: The error message to be logged in syslog or dmesg (depending on systemd configuration). Additional info: I am not sure if this is purely a bug in the policy, or if systemd should be more helpful and create the socket with a special label different from init_t.
Great discription, thanks for diagnosing this. Miroslav I have fixed this for F17, 83e254b20373b2efd54519f07449d50e4ee25060 Not sure if it will apply for F16 directly.
Fixed in selinux-policy-3.10.0-58.fc16
I confirm that my testcase works as expected in enforcing mode with selinux-policy-3.10.0-58.fc16.
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16
Package selinux-policy-3.10.0-60.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16 then log in and leave karma (feedback).
Package selinux-policy-3.10.0-61.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.