
I have a problem on Fedora 36 with rsyslog, selinux and /var/log/messages components.

As you can see:

AVC avc:  denied  { unlink } for  pid=XXX comm="in:imjournal" name="imjournal.state" dev="XXX" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023".

SELinux is refusing access, and this is generating log messages in /var/log/messages:

Nov 12 10:29:57 fedora setroubleshoot[262936]: 
Nov 12 10:30:13 fedora setroubleshoot[262957]: 
Nov 12 10:30:26 fedora setroubleshoot[262957]: 
Nov 12 10:30:38 fedora setroubleshoot[262957]: 
Nov 12 10:30:54 fedora setroubleshoot[263003]: 
Nov 12 10:30:59 fedora setroubleshoot[263003]: 
Nov 12 10:31:15 fedora setroubleshoot[263029]: 
Nov 12 10:31:28 fedora setroubleshoot[263029]: 

and so on... so the file /var/log/messages is getting bigger and bigger, which will cause the HDD to fill up very quickly, and it is also generating lots of alerts.

Other info:

 10:40:48 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:01 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:16 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:22 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]

ls -Zl /var/lib/rsyslog/imjournal.state

-rw-------. 1 root root system_u:object_r:unlabeled_t:s0 121 10-08 12:42 /var/lib/rsyslog/imjournal.state

sealert:

Additional Information:
Source Context             system_u:system_r:syslogd_t:s0
Target Context             system_u:object_r:unlabeled_t:s0
Target Objects              imjournal.state [ file ]
Source                        in:imjournal
Source Path              in:imjournal
Port                          <Unknown>
Host                      fedora
Source RPM Packages          
Target RPM Packages          
Policy RPM selinux-policy-targeted-36.16-1.fc36.noarch
Local policy RPM   selinux-policy-targeted-36.16-1.fc36.noarch
Selinux Enabled         True
Policy Type                  targeted
Enforcing Mode               Enforcing
Host Name               fedora
Platform                     Linux fedora 5.15.70-xm1.0.fc36.x86_64 #1 SMP Sun
                              Sep 25 00:28:06 UTC 2022 x86_64 x86_64
Alert Count                44744
First Seen               2022-10-27 18:07:47 CEST
Last Seen                2022-11-12 10:44:37 CET
Local ID         67b7c558-292c-44d6-866b-a236712de092

Raw Audit Messages
type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"


Hash: in:imjournal,syslogd_t,unlabeled_t,file,unlink

Any help?


1 Answer


The Target Context of system_u:object_r:unlabeled_t:s0 is a likely cause. There may be a rule to allow scontext=system_u:system_r:syslogd_t:s0 to perform actions on files of type syslogd_var_lib_t, which is what I think the SELinux context should be for the /var/lib/rsyslog/imjournal.state file. On my system, there's an fcontext rule that sets it:

/var/lib/r?syslog(/.*)?  all files  system_u:object_r:syslogd_var_lib_t:s0

The fix may be as simple as restorecon -v /var/lib/rsyslog/imjournal.state, followed up with a confirmation check of ls -lZ /var/lib/rsyslog/imjournal.state.

I don't have a Fedora system at hand to confirm this, so you can confirm the theory by checking the allowed actions between a source context of syslogd_t (shown in the audit) and a target context of syslogd_var_lib_t:

sesearch --allow -s syslogd_t -t syslogd_var_lib_t

as well as looking for fcontext rules:

semanage fcontext -l | grep 'syslog.*syslogd_var_lib_t'

If I'm correct, you'll see:

Found 8 semantic av rules:
...
   allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append map unlink link rename open } ;
...

... in the sesearch output, and:

...
/var/lib/r?syslog(/.*)?                            all files          system_u:object_r:syslogd_var_lib_t:s0
...

... in the semanage output.

If you don't have the sesearch command by default, it should be available in a "setools" or "setools-console" package.

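A small triage helper, added here as an example and not part of the answer or of any Fedora/rsyslog tooling: it parses AVC denial lines like the one in the question and separates "target is unlabeled_t, so the on-disk label needs restorecon" cases from "both labels are valid, so look at policy with sesearch" cases. The trawcon field is the raw label the kernel found on the file but could not map under the loaded policy; the second sample line is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: line 1 is the denial quoted in the question (pid/dev redacted
# as in the post); line 2 is made up and has a validly labelled target, so a
# relabel would not help there and the question becomes one of policy.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"
type=AVC msg=audit(1668246300.000:46400): avc:  denied  { write } for  pid=xxx comm="in:imjournal" name="access_log" dev="xxx" ino=77 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"


@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str] = field(default_factory=dict)

    def ctx_type(self, key: str) -> str:
        """Type component of a context such as system_u:object_r:unlabeled_t:s0."""
        return self.fields[key].split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(m.group("kv"))}
    return Denial(perms=m.group("perms").split(), fields=fields)


def triage(d: Denial) -> Tuple[str, str, str]:
    """('relabel', file name, raw on-disk label) when the target is unlabeled_t,
    i.e. the stored label is missing or invalid under the loaded policy (the kernel
    reports the raw label as trawcon); otherwise ('policy', source type, target type)
    so the reader can run sesearch --allow -s <src> -t <tgt> as the answer suggests."""
    if d.ctx_type("tcontext") == "unlabeled_t":
        return ("relabel", d.fields.get("name", "?"), d.fields.get("trawcon", ""))
    return ("policy", d.ctx_type("scontext"), d.ctx_type("tcontext"))


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Run triage over every AVC line in a block of audit/journal text."""
    return [triage(d) for d in map(parse_avc, text.splitlines()) if d]


if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_AUDIT):
        print(verdict)
```

Feed it `ausearch -m avc` output or the lines from /var/log/messages; a "relabel" verdict is the case the answer's restorecon fixes, while "policy" verdicts need the sesearch check instead.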
  • Thanks! When running `semanage fcontext -a -t system_u:object_r:syslogd_var_lib_t:s0 "/home/app/logs(/.*)?"` I get ValueError: Type system_u:object_r:syslogd_var_lib_t:s0 is invalid, must be a file or device type. – Marius Mar 31 '23 at 06:17
  • This worked: `semanage fcontext -a -t httpd_log_t "/home/app/logs(/.*)?"; restorecon /home/app` – Marius Mar 31 '23 at 06:30