Score:3

SELinux is preventing in:imjournal from unlink accesses on the file imjournal.state


I have a problem on Fedora 36 with the rsyslog, SELinux and /var/log/messages components.

As you can see:

AVC avc:  denied  { unlink } for  pid=XXX comm="in:imjournal" name="imjournal.state" dev="XXX" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023".

SELinux is refusing access, and this is generating log messages in /var/log/messages:

Nov 12 10:29:57 fedora setroubleshoot[262936]: 
Nov 12 10:30:13 fedora setroubleshoot[262957]: 
Nov 12 10:30:26 fedora setroubleshoot[262957]: 
Nov 12 10:30:38 fedora setroubleshoot[262957]: 
Nov 12 10:30:54 fedora setroubleshoot[263003]: 
Nov 12 10:30:59 fedora setroubleshoot[263003]: 
Nov 12 10:31:15 fedora setroubleshoot[263029]: 
Nov 12 10:31:28 fedora setroubleshoot[263029]: 

and so on, so the file /var/log/messages is getting bigger and bigger, which will fill up the HDD very quickly and also generate lots of alerts.

Other info:

 10:40:48 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:01 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:16 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:22 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]

ls -Zl /var/lib/rsyslog/imjournal.state

-rw-------. 1 root root system_u:object_r:unlabeled_t:s0 121 10-08 12:42 /var/lib/rsyslog/imjournal.state

sealert:

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                imjournal.state [ file ]
Source                        in:imjournal
Source Path                   in:imjournal
Port                          <Unknown>
Host                          fedora
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-targeted-36.16-1.fc36.noarch
Local policy RPM              selinux-policy-targeted-36.16-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 5.15.70-xm1.0.fc36.x86_64 #1 SMP Sun
                              Sep 25 00:28:06 UTC 2022 x86_64 x86_64
Alert Count                   44744
First Seen                    2022-10-27 18:07:47 CEST
Last Seen                     2022-11-12 10:44:37 CET
Local ID                      67b7c558-292c-44d6-866b-a236712de092

Raw Audit Messages
type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"


Hash: in:imjournal,syslogd_t,unlabeled_t,file,unlink

Any help?

Score:0

The Target Context of system_u:object_r:unlabeled_t:s0 is a likely cause. There may be a rule to allow scontext=system_u:system_r:syslogd_t:s0 to perform actions on files of type syslogd_var_lib_t, which is what I think the SELinux context should be for the /var/lib/rsyslog/imjournal.state file. On my system, there's an fcontext rule that sets it:

/var/lib/r?syslog(/.*)?  all files  system_u:object_r:syslogd_var_lib_t:s0

The fix may be as simple as restorecon -v /var/lib/rsyslog/imjournal.state, followed up with a confirmation check of ls -lZ /var/lib/rsyslog/imjournal.state.

I don't have a Fedora system at hand to confirm this, so you can confirm the theory by checking the allowed actions between a source context of syslogd_t (shown in the audit) and a target context of syslogd_var_lib_t:

sesearch --allow -s syslogd_t -t syslogd_var_lib_t

as well as looking for fcontext rules:

semanage fcontext -l | grep 'syslog.*syslogd_var_lib_t'

If I'm correct, you'll see:

Found 8 semantic av rules:
...
   allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append map unlink link rename open } ;
...

... in the sesearch output, and:

...
/var/lib/r?syslog(/.*)?                            all files          system_u:object_r:syslogd_var_lib_t:s0
...

... in the semanage output.

If you don't have the sesearch command by default, it should be available in a "setools" or "setools-console" package.
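Added example (not part of the original answer, and not rsyslog or setools code): a small POSIX sh triage script that does the comparison the answer describes, offline. It parses an AVC record into its fields, looks the file's path up in a constructed subset of the semanage fcontext -l table (the same format the answer quotes), and decides whether the denial is a mislabeled file, where restorecon is the fix, or a real policy gap, where the next step is the sesearch query the answer suggests. One detail in the question's record that supports the mislabel theory: the trawcon= field is the raw xattr on disk, syslogd_var_lib_t with an MLS range (s15:c0.c1023) that the targeted policy does not define, so the kernel cannot map it and reports the file as unlabeled_t; restorecon rewrites that xattr to the policy's s0 context. The function names, the fcontext table and the sample record are this example's own assumptions.

```shell
#!/bin/sh
# Added triage helper (example code, not from the original post or rsyslog).
# It reproduces, offline, the comparison the answer makes by hand: is the type
# the kernel saw on the file (tcontext) the type the policy's fcontext rules
# want for that path?  If not, the fix is restorecon; if it is, the denial is a
# policy gap and the next step is sesearch.
# Assumptions: the function names are this example's own, and FCONTEXT_TABLE is
# a constructed subset in the layout of `semanage fcontext -l`, not a real export.

FCONTEXT_TABLE='/var/lib/r?syslog(/.*)?    all files       system_u:object_r:syslogd_var_lib_t:s0
/var/log(/.*)?                 all files       system_u:object_r:var_log_t:s0
/var/log/messages.*            regular file    system_u:object_r:var_log_t:s0'

# Constructed from the AVC record quoted in the question (pid/dev were elided there).
SAMPLE_AVC='type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"'
SAMPLE_PATH=/var/lib/rsyslog/imjournal.state

# avc_field RECORD KEY: print the value of KEY=VALUE in an audit record, quotes
# stripped.  Runs in a subshell so `set -f` (no globbing while splitting the
# record into tokens) does not leak out.  Exit status 1 if KEY is absent.
avc_field() (
    set -f
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}" | tr -d '"'; exit 0 ;;
        esac
    done
    exit 1
)

# avc_perms RECORD: print the permissions listed inside "{ ... }", e.g. "unlink".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the SELinux type is the third colon-separated field.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: simplified matchpathcon over FCONTEXT_TABLE.  Each regex
# is anchored to the whole path and the last matching rule wins (a
# simplification of libselinux's specificity ordering).  Prints nothing if no
# rule matches.
expected_type() {
    printf '%s\n' "$FCONTEXT_TABLE" | awk '{ print $1, $NF }' |
    while read -r regex ctx; do
        if printf '%s\n' "$1" | grep -Eq "^$regex\$"; then
            printf '%s\n' "$ctx"
        fi
    done | tail -n 1 | cut -d: -f3
}

# classify_avc RECORD PATH: "mislabeled" when the type the kernel saw differs
# from the type the fcontext rules assign to PATH, otherwise "policy".
classify_avc() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    wanted=$(expected_type "$2")
    if [ -n "$wanted" ] && [ "$actual" != "$wanted" ]; then
        echo mislabeled
    else
        echo policy
    fi
}

# suggest_fix RECORD PATH: print the next command to run, as in the answer:
# relabel-and-verify for a mislabel, a sesearch query for a policy gap.
suggest_fix() {
    case $(classify_avc "$1" "$2") in
        mislabeled)
            printf 'restorecon -v %s && ls -lZ %s\n' "$2" "$2" ;;
        policy)
            printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' \
                "$(ctx_type "$(avc_field "$1" scontext)")" \
                "$(ctx_type "$(avc_field "$1" tcontext)")" \
                "$(avc_field "$1" tclass)" \
                "$(avc_perms "$1" | tr ' ' ',')" ;;
    esac
}

suggest_fix "$SAMPLE_AVC" "$SAMPLE_PATH"
```

On a real host the two lookups this script emulates are one command each: matchpathcon /var/lib/rsyslog/imjournal.state prints the label the loaded policy expects, and restorecon -nv /var/lib/rsyslog/imjournal.state prints what a relabel would change without doing it, which is a cheap way to confirm the mislabel before touching the file.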

Marius
Thanks! When running `semanage fcontext -a -t system_u:object_r:syslogd_var_lib_t:s0 "/home/app/logs(/.*)?"` I get ValueError: Type system_u:object_r:syslogd_var_lib_t:s0 is invalid, must be a file or device type.
Marius
This worked: `semanage fcontext -a -t httpd_log_t "/home/app/logs(/.*)?"; restorecon /home/app`