Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1481356 - selinux prevents systemd-journald services from running
Summary: selinux prevents systemd-journald services from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1481454
TreeView+ depends on / blocked
 
Reported: 2017-08-14 17:32 UTC by Paul Whalen
Modified: 2017-09-06 16:18 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-06 16:18:20 UTC


Attachments (Terms of Use)

Description Paul Whalen 2017-08-14 17:32:52 UTC
Description of problem:
selinux prevents systemd-journald services from running


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-270.fc27.noarch

How reproducible:
everytime

Steps to Reproduce:
1. Install using compose Fedora-Rawhide-20170811.n.2
2. Reboot system, run systemctl --all --failed

FAILED SERVICES:
  UNIT                            LOAD   ACTIVE SUB    DESCRIPTION              
● systemd-journald.service        loaded failed failed Journal Service          
● systemd-journald-audit.socket   loaded failed failed Journal Audit Socket     
● systemd-journald-dev-log.socket loaded failed failed Journal Socket (/dev/log)
● systemd-journald.socket         loaded failed failed Journal Socket           

[root@bpi ~]# systemctl start systemd-journald
[  197.384113] systemd-journald[970]: Failed to map sequential number file, ignoring: Permission denied
[  197.400993] systemd-journald[970]: Failed to open runtime journal: Permission denied
Job for systemd-journald.service failed because the control process exited with error code.
See "systemctl  status systemd-journald.service" and "journalctl  -xe" for details.
[root@bpi ~]# [  197.635997] systemd-journald[971]: Failed to map sequential number file, ignoring: Permission denied
[  197.650804] systemd-journald[971]: Failed to open runtime journal: Permission denied
[  197.846337] systemd-journald[972]: Failed to map sequential number file, ignoring: Permission denied
[  197.864907] systemd-journald[972]: Failed to open runtime journal: Permission denied
[  198.077638] systemd-journald[973]: Failed to map sequential number file, ignoring: Permission denied
[  198.092724] systemd-journald[973]: Failed to open runtime journal: Permission denied
[  198.297908] systemd-journald[974]: Failed to map sequential number file, ignoring: Permission denied
[  198.313391] systemd-journald[974]: Failed to open runtime journal: Permission denied

ausearch -m avc -ts recent
----
time->Mon Aug 14 13:25:45 2017
type=AVC msg=audit(1502731545.199:626): avc:  denied  { map } for  pid=1009 comm="plymouthd" path="/etc/ld.so.cache" dev="dm-0" ino=8949486 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permis0
----
time->Mon Aug 14 13:29:12 2017
type=AVC msg=audit(1502731752.182:587): avc:  denied  { map } for  pid=941 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:13 2017
type=AVC msg=audit(1502731753.973:588): avc:  denied  { map } for  pid=942 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:14 2017
type=AVC msg=audit(1502731754.364:590): avc:  denied  { map } for  pid=943 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=f0
----
time->Mon Aug 14 13:29:15 2017
type=AVC msg=audit(1502731755.608:595): avc:  denied  { map } for  pid=945 comm="unix_chkpwd" path="/etc/ld.so.cache" dev="dm-0" ino=8949489 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissi0
----
time->Mon Aug 14 13:29:32 2017
type=AVC msg=audit(1502731772.856:604): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.023:605): avc:  denied  { map } for  pid=970 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.040:606): avc:  denied  { map } for  pid=970 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.122:610): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.275:611): avc:  denied  { map } for  pid=971 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.290:612): avc:  denied  { map } for  pid=971 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.351:616): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.486:617): avc:  denied  { map } for  pid=972 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.503:618): avc:  denied  { map } for  pid=972 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.568:622): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.717:623): avc:  denied  { map } for  pid=973 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.732:624): avc:  denied  { map } for  pid=973 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.793:628): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.937:629): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.953:630): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/log/journal/fd21139a15904e3cbbc5706d680ad948/system.journal" dev="tmpfs" ino=12072 scontext=system_u:system_r:syslogd_t:s0 tcon0


When selinux is in permissive, systemd-journald starts as expected.

[root@bpi ~]# setenforce 0
[root@bpi ~]# systemctl start systemd-journald
[root@bpi ~]# systemctl status systemd-journald
��● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; ven
   Active: active (running) since Mon 2017-08-14 13:31:28 EDT; 13s ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 979 (systemd-journal)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/systemd-journald.service
           ��└��─979 /usr/lib/systemd/systemd-journald

Aug 14 13:31:28 bpi.friendly-neighbours.com systemd-journald[979]: Journal start
Aug 14 13:31:28 bpi.friendly-neighbours.com systemd-journald[979]: Runtime journ

Comment 1 Jan Kurik 2017-08-15 08:56:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 Adam Williamson 2017-08-15 15:15:30 UTC
This is probably a dupe of one of the specific denials, likely the systemd-journal denial for its own log file.

Comment 3 Paul Whalen 2017-08-15 16:03:55 UTC
The log file is one of them, also 

----
time->Mon Aug 14 13:29:33 2017
type=AVC msg=audit(1502731773.937:629): avc:  denied  { map } for  pid=974 comm="systemd-journal" path="/run/systemd/journal/kernel-seqnum" dev="tmpfs" ino=12065 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd0
----

Comment 4 Adam Williamson 2017-08-15 16:19:57 UTC
yeah, what I meant was I'm not so clear if that would prevent it running entirely. Still, definitely file that one on its own if it isn't filed yet.

Comment 5 Lukas Vrabec 2017-09-05 07:44:20 UTC
This looks fixed with the latest selinux-policy build. Could somebody try it? 

Thanks,
Lukas.

Comment 6 Adam Williamson 2017-09-05 15:56:33 UTC
journal is working for me in f27 lately, but let's let Paul confirm for his case.

Comment 7 Paul Whalen 2017-09-06 15:38:18 UTC
journal is working fine now, many thanks.

Comment 8 Adam Williamson 2017-09-06 16:18:20 UTC
I think this can be closed, as the relevant fixes are in stable.


Note You need to log in before you can comment on or make changes to this bug.