Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-86528

[rhel-10] 'journalctl -M tux' fails due to AVC denied

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • selinux-policy-40.13.30-1.el10
    • No
    • Moderate
    • EasyFix
    • 1
    • rhel-security-selinux
    • ssg_security
    • 10
    • 2
    • QE ack
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • SELINUX 250514: 6
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • x86_64
    • None

      Follow-up of the missing part of RHEL-76352 using selinux-policy-38.1.53-4.el9.noarch from CentOS Stream 9:

      # journalctl -M tux
Failed to open root directory: Remote peer disconnected
# 

      File /var/log/audit/audit.log contains:

      type=AVC msg=audit(1743164897.415:166): avc:  denied  { read } for  pid=582 comm="dbus-broker" path="/" dev="vda2" ino=262302 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1743164897.415:166): arch=c000003e syscall=47 success=yes exit=60 a0=10 a1=7fff92a18da0 a2=40000040 a3=ffffffff items=0 ppid=580 pid=582 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-broker" exe="/usr/bin/dbus-broker" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)^]ARCH=x86_64 SYSCALL=recvmsg AUID="unset" UID="dbus" GID="dbus" EUID="dbus" SUID="dbus" FSUID="dbus" EGID="dbus" SGID="dbus" FSGID="dbus"
type=PROCTITLE msg=audit(1743164897.415:166): proctitle=646275732D62726F6B6572002D2D6C6F670034002D2D636F6E74726F6C6C65720039002D2D6D616368696E652D6964006166616561346439393734393462313439363538653031616663623432663031002D2D6D61782D627974657300353336383730393132002D2D6D61782D6664730034303936002D2D6D61782D6D617463

      And same in permissive mode:

      type=AVC msg=audit(1743165170.718:176): avc:  denied  { read } for  pid=582 comm="dbus-broker" path="/" dev="vda2" ino=262302 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1743165170.718:176): arch=c000003e syscall=47 success=yes exit=60 a0=10 a1=7fff92a18da0 a2=40000040 a3=ffffffff items=0 ppid=580 pid=582 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-broker" exe="/usr/bin/dbus-broker" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)^]ARCH=x86_64 SYSCALL=recvmsg AUID="unset" UID="dbus" GID="dbus" EUID="dbus" SUID="dbus" FSUID="dbus" EGID="dbus" SGID="dbus" FSGID="dbus"
type=PROCTITLE msg=audit(1743165170.718:176): proctitle=646275732D62726F6B6572002D2D6C6F670034002D2D636F6E74726F6C6C65720039002D2D6D616368696E652D6964006166616561346439393734393462313439363538653031616663623432663031002D2D6D61782D627974657300353336383730393132002D2D6D61782D6664730034303936002D2D6D61782D6D617463

      For me adding the following rule helped locally:

      allow system_dbusd_t systemd_machined_var_lib_t:dir read;

      In general this is even part of case 04036690 as filed in the Red Hat Customer Portal (step 7 in the very first description when the case was raised), but was unfortunately missed when the Jira issue RHEL-76352 got created.

        1. test-output.txt
          18 kB

              rhn-support-zpytela Zdenek Pytela
              robertscheck Robert Scheck (Inactive)
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: