[systemd] SELinux denies access, but neither journalctl nor the audit log shows any AVC denials.
After installing SELinux on my system I ran into a problem. At first I booted the system in «permissive» mode and set the type of «/usr/lib/systemd/systemd» to «init_exec_t». The resulting domain of the systemd process became «init_t». Then I configured chains of transitions from the «init_t» domain to the domains of other services. Finally, I troubleshot all AVC denials arising at boot and switched to «enforcing» mode.
While the system was booting, this line appeared on the screen: «systemd[1]: Failed to start Flush Journal to Persistent Storage». I found that section of the log:
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost kernel: audit: type=1130 audit(1438079683.186:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost journalctl[189]: Failed to kill journal service: Access denied
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost kernel: audit: type=1130 audit(1438079683.290:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июл 28 13:34:43 localhost systemd[1]: systemd-journal-flush.service: main process exited, code=exited, status=1/FAILURE
июл 28 13:34:43 localhost systemd[1]: Failed to start Flush Journal to Persistent Storage.
июл 28 13:34:43 localhost systemd[1]: Unit systemd-journal-flush.service entered failed state.
июл 28 13:34:43 localhost systemd[1]: systemd-journal-flush.service failed.
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
июл 28 13:34:43 localhost unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
I suspect that «systemd-journal-flush.service» is the culprit. What does it execute?
[Service]
ExecStart=/usr/bin/journalctl --flush
I changed my shell to the «init_t» domain and tried to do the «flush» manually.
/bin/journalctl --flush
Failed to kill journal service: Access denied
I decided to look at the journalctl source code to figure out what it cannot do. It is this chunk:
    if (access("/run/systemd/journal/flushed", F_OK) >= 0)
        return 0;

    /* OK, let's actually do the full logic, send SIGUSR1 to the
     * daemon and set up inotify to wait for the flushed file to appear */
    r = bus_open_system_systemd(&bus);
    if (r < 0)
        return log_error_errno(r, "Failed to get D-Bus connection: %m");

    r = sd_bus_call_method(
            bus,
            "org.freedesktop.systemd1",
            "/org/freedesktop/systemd1",
            "org.freedesktop.systemd1.Manager",
            "KillUnit",
            &error,
            NULL,
            "ssi", "systemd-journald.service", "main", SIGUSR1);
    if (r < 0) {
        log_error("Failed to kill journal service: %s", bus_error_message(&error, r));
        return r;
    }
I conclude that something is preventing the D-Bus message from being sent. I tried to do it manually yet again:
$ qdbus-qt4 --system org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.KillUnit systemd-journald.service main SIGUSR1
Cannot find 'org.freedesktop.systemd1.Manager.KillUnit' in object /org/freedesktop/systemd1 at org.freedesktop.systemd1
$ dbus-send --system --dest=org.freedesktop.systemd1 --type=method_call --print-reply /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager.KillUnit string:systemd-journald.service string:main int32:SIGUSR1
Error org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
But there are still no AVC denials in the log.
$ cat /var/log/audit/audit.log | grep -i avc
$ journalctl -b | grep -i avc
I disabled dontaudit rules («semodule -DB»), but there was no effect.
Information about my system:
Platform: x86_64
Kernel: 3.18.4-1-selinux
Systemd-selinux-222-1
Dbus-selinux-1.8.18-1
Selinux-refpolicy from https://github.com/TresysTechnology/refpolicy (modified by me)
Selinux modules: base.pp init.pp libraries.pp logging.pp selinuxutil.pp modutils.pp userdomain.pp miscfiles.pp sysadm.pp authlogin.pp sysnetwork.pp storage.pp application.pp locallogin.pp getty.pp xserver.pp mount.pp unconfined.pp udev.pp avahi.pp cups.pp dbus.pp alsa.pp dhcp.pp networkmanager.pp ssh.pp policykit.pp ntp.pp
Please help me to resolve the issue.
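The «SELinux policy denies access» error returned by dbus-send comes from dbus-daemon's own SELinux check on the dbus object class (the send_msg permission), not from a kernel hook; when dbus-daemon is able to write to the audit subsystem, such a denial shows up as a USER_AVC record rather than a kernel AVC record, with scontext/tcontext/tclass inside the record's msg='...' field. The script below is an added example, not code from this post or from systemd or dbus; it parses both record kinds out of a few constructed sample lines (the pids, inode, dbus-daemon context and the file-access denial are made up to resemble the scenario above) and, for each denial, prints a one-line summary and the allow rule it would need, in the form audit2allow derives.

```python
"""Parse kernel AVC and userspace USER_AVC audit records (added example)."""
import re

# Constructed sample log, not from the original post: one ordinary service
# record, one USER_AVC as dbus-daemon reports a denied D-Bus method call, and
# one kernel AVC for a file write.  Contexts, pids and the inode are made up.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1438079683.186:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1438079683.200:11): pid=270 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=KillUnit dest=org.freedesktop.systemd1 spid=189 tpid=1 scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1438079683.290:12): avc:  denied  { write } for  pid=189 comm="journalctl" name="flushed" dev="tmpfs" ino=4242 scontext=system_u:system_r:init_t tcontext=system_u:object_r:syslogd_var_run_t tclass=file permissive=0
"""

# Header shared by every audit record: type=... msg=audit(timestamp:serial): body
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# The AVC text itself: "avc:  denied  { perm1 perm2 } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; values are either double-quoted (comm="journalctl") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_record(line):
    """Return a dict for an AVC or USER_AVC line, or None for any other record."""
    m = RECORD_RE.match(line.strip())
    if not m or m["type"] not in ("AVC", "USER_AVC"):
        return None
    body = m["body"]
    if m["type"] == "USER_AVC":
        # Userspace object managers (dbus-daemon here) nest the AVC text
        # inside the record's msg='...' field.
        inner = re.search(r"msg='(.*)'\s*$", body)
        if inner:
            body = inner.group(1)
    avc = AVC_RE.search(body)
    if not avc:
        return None
    rec = {
        "type": m["type"],
        "origin": "userspace" if m["type"] == "USER_AVC" else "kernel",
        "serial": int(m["serial"]),
        "decision": avc["decision"],
        "permissions": avc["perms"].split(),
    }
    for key, value in KV_RE.findall(avc["fields"]):
        rec[key] = value.strip('"')
    return rec


def find_denials(text):
    """All denied AVC/USER_AVC records in an audit.log or journalctl dump."""
    records = (parse_avc_record(line) for line in text.splitlines())
    return [r for r in records if r and r["decision"] == "denied"]


def domain_type(context):
    """system_u:system_r:init_t[:s0] -> init_t"""
    return context.split(":")[2]


def to_allow_rule(rec):
    """Render a denial as the allow rule that would permit it."""
    return "allow %s %s:%s { %s };" % (
        domain_type(rec["scontext"]),
        domain_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["permissions"]),
    )


def describe(rec):
    """One-line summary; for dbus-class denials also name the method called."""
    where = ""
    if rec["tclass"] == "dbus":
        where = " via %s.%s" % (rec.get("interface", "?"), rec.get("member", "?"))
    return "%s %s: %s -> %s %s { %s }%s" % (
        rec["origin"], rec["decision"], domain_type(rec["scontext"]),
        domain_type(rec["tcontext"]), rec["tclass"],
        " ".join(rec["permissions"]), where,
    )


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG):
        print(describe(rec))
        print("    " + to_allow_rule(rec))
```

Run against a real system, the input would be the output of «ausearch -m AVC,USER_AVC» or «journalctl -b -o cat _TRANSPORT=audit»; the point of separating the two origins is that a dbus-class denial appears only if dbus-daemon could emit it, so its absence from the log does not prove the kernel policy allowed the message.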