Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-85298

RHEL-9: [Anaconda] /var/log labeled var_t instead of var_log_t / systemd-journald first boot log lost

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Generate New Ti...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.7
    • rhel-9.5.z, rhel-10.0
    • anaconda
    • None
    • anaconda-34.25.7.4-1.el9
    • No
    • Moderate
    • rhel-anaconda
    • 20
    • 2
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Installing an rpm-ostree based OS / EL 9.5 using Anaconda (ostreesetup)

      On first boot I have an AVC denial (I have audit=1 kargs)

      # audit2allow -be

#============= syslogd_t ==============
# audit(1743048551.579:114):
#  scontext="system_u:system_r:syslogd_t:s0" tcontext="system_u:object_r:var_t:s0"
#  class="dir" perms="create"
#  comm="systemd-journal" exe="" path=""
#  message="type=AVC msg=audit(1743048551.579:114): avc:  denied  { create } for
#   pid=782 comm="systemd-journal" name="journal"
#   scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_t:s0
#   tclass=dir permissive=0"
allow syslogd_t var_t:dir create;

      systemd-journald can't create /var/log/journal

      Inspecting the filesystem at the end of the install, /var/log is labelled `system_u:object_r:var_t:s0` instead of `system_u:object_r:var_log_t:s0`

      What is the impact of this issue to you?

      Logs from the first boot are lost

      I think the context/label is corrected by systemd-tmpfiles

       

      Please provide the package NVR for which the bug is seen:

      anaconda 34.25.5.9 (the version in the EL 9.5 ISO)

      How reproducible is this bug?:

      100 %

      Steps to reproduce

      1. Install an rpm-ostree OS using anaconda / kickstart , make sure not to have `reboot` so you can inspect at the end of the install
      2. At the end of the install, switch to a shell, run 'ls -liaZ /var/log'

      Expected results

      `/var/log` is labelled `system_u:object_r:var_log_t:s0`

      Actual results

      • /var is empty / /var/log doesn't exists during the installation

      On the first boot systemd-journal-flush.service runs before systemd-tmpfiles-setup.service, this is when we get the AVC denial and logs are not written to disk.

       

      Minimal fix would be to run `restorecon -i /var/log/` in 99-copylogs.ks, but the files copied by 90-copy-screenshots.ks are likely also mislabelled https://github.com/rhinstaller/anaconda/blob/1abe06de284ca55f764b60424f696b93626036bb/data/post-scripts/90-copy-screenshots.ks#L11 , so restorecon should really be done last (I see this code doesn't exists in in rhel-10+, so maybe it's already the case)

      Another way to fix this issue would be to call `self._create_tmpfiles('/var/log')` in https://github.com/rhinstaller/anaconda/blob/42e9d47bdea4f2bc2e3c0b60a31b911d0cbd63b8/pyanaconda/modules/payloads/payload/rpm_ostree/installation.py#L228

              champtar Etienne Champetier
              champtar Etienne Champetier
              anaconda-maint-list anaconda-maint-list
              Release Test Team Release Test Team
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: