Bug ID 1210066
Summary Logspam: SELinux is preventing systemd-journal from read access on the directory dbus.service.
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware aarch64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter khanich.opensource@gmx.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

OS: openSUSE microOS Raspberry Pi 4

systemd-journald tries to access /sys/fs/cgroup/system.slice/dbus.service.

This gets blocked by SELinux by default. Here is one of the log entries which I
got via sealert:

--------------------------------------------------------------------------------
SELinux is preventing systemd-journal from read access on the directory
dbus.service.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow logging to syslogd list non security dirs
Then you must tell SELinux about this by enabling the
'logging_syslogd_list_non_security_dirs' boolean.

Do
setsebool -P logging_syslogd_list_non_security_dirs 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that systemd-journal should be allowed read access on the
dbus.service directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-journal' --raw | audit2allow -M my-systemdjournal
# semodule -X 300 -i my-systemdjournal.pp


Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                dbus.service [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          backupserver
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-20221019-9.1.noarch
Local Policy RPM              selinux-policy-targeted-20221019-9.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     backupserver
Platform                      Linux backupserver 6.2.6-1-default #1 SMP
                              PREEMPT_DYNAMIC Mon Mar 13 10:57:27 UTC 2023
                              (fa1a4c6) aarch64 aarch64
Alert Count                   293
First Seen                    2023-04-03 16:34:04 UTC
Last Seen                     2023-04-03 16:44:06 UTC
Local ID                      faab6787-1eb1-499b-a834-61d1174f2239

Raw Audit Messages
type=AVC msg=audit(1680540246.709:2998): avc:  denied  { read } for  pid=952
comm="systemd-journal" name="dbus.service" dev="cgroup2" ino=1985
scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0
tclass=dir permissive=0


Hash: systemd-journal,syslogd_t,cgroup_t,dir,read
--------------------------------------------------------------------------------

While if it were only one entry this wouldn't be too bad (although I would
very much go and research why it wants to access that), journald tries to
access this every 2 seconds, and as such I get a log entry every 2 seconds.

At that point it's just spam because it drowns out every other log message.

Besides me installing some SELinux tools to debug this better, I didn't change
anything about the configuration.
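The following is an added example, not part of the bug report or of the sealert tool: it parses raw AVC records of the shape quoted above, groups them by the same comm/source type/target type/class/permission tuple that sealert prints on its "Hash:" line, and reports per-group count, first/last seen and the mean interval between events, which is how the "one denial every 2 seconds" pattern shows up in an audit log. The sample audit lines are constructed from the record in the report; the sshd record and its contexts are made-up filler to show that unrelated denials are kept apart.

```python
import re
from collections import defaultdict

# Field pattern for a raw AVC record, modelled on the message quoted in the
# report. Contexts are user:role:type:level, so the type is the third field.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+'
    r'tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["perms"] = " ".join(rec["perms"].split())
    return rec

def denial_key(rec):
    """Same tuple sealert prints on its 'Hash:' line: comm,stype,ttype,tclass,perms."""
    return ",".join((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], rec["perms"]))

def summarize(lines):
    """Group AVC records by denial key; report count, first/last seen, mean gap in seconds."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            stamps[denial_key(rec)].append(rec["ts"])
    summary = {}
    for key, ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        summary[key] = {"count": len(ts), "first_seen": ts[0], "last_seen": ts[-1],
                        "mean_interval": sum(gaps) / len(gaps) if gaps else None}
    return summary

# Constructed sample: the report's denial repeated every 2 s, plus one unrelated denial.
_JOURNAL = ('type=AVC msg=audit({ts:.3f}:{serial}): avc:  denied  {{ read }} for  pid=952 '
            'comm="systemd-journal" name="dbus.service" dev="cgroup2" ino=1985 '
            'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 '
            'tclass=dir permissive=0')
SAMPLE_AUDIT = [_JOURNAL.format(ts=1680540246.709 + 2 * i, serial=2998 + i) for i in range(5)]
SAMPLE_AUDIT.append('type=AVC msg=audit(1680540250.100:3100): avc:  denied  { getattr } for  '
                    'pid=1201 comm="sshd" path="/etc/hostname" dev="mmcblk0p3" ino=77 '
                    'scontext=system_u:system_r:sshd_t:s0 '
                    'tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=0')

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_AUDIT).items():
        print(f'{info["count"]:4d}x  mean gap {info["mean_interval"]}s  {key}')
```

On a real host the same function can be fed the output of `ausearch -m AVC --raw`; a group whose mean interval stays near a fixed small value is a repeating denial worth either fixing in policy or reporting, rather than one to silence blindly.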

