[systemd-devel] [systemd-commits] 4 commits - man/systemd.mount.xml man/systemd.swap.xml src/core src/fstab-generator src/journal src/shared
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sun Nov 30 16:10:08 PST 2014

On Sun, Nov 30, 2014 at 10:55:03PM +0100, Lennart Poettering wrote:
> On Sun, 30.11.14 01:09, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
>
> > > I think we really should close the fd here. audit is actually really a
> > > good example why: the audit kernel side has a logic to pass audit msgs
> > > to kmsg if no client is listening¹. If we keep the audit fd open, but
> > > don't read from it this would mean the kmsg logic is turned off
> > > without anyone ever seeing the audit msgs, which is something we
> > > really should avoid I guess...
> > >
> > > Anyway, made the change now to close it. I hope that makes sense.
> > Yeah, I was on the fence with closing the socket or not. Closing
> > it is probably better for upstream.
> >
> > Anyway with F21 and selinux for some reason systemd is not able to
> > pass the audit socket to journald. This sounds strange, but it is fairly
> > consistent.
>
> What precisely happens? What does "not able" mean?

journald complains that it received a socket of an unknown type,
and tries to open audit:

[ 2.731174] systemd-journald[500]: Unknown socket passed as file descriptor 4, ignoring.
[ 2.731825] audit: type=1400 audit(1417286938.247:4): avc: denied { create } for pid=500 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
[ 2.731840] systemd-journald[500]: Failed to create audit socket, ignoring: Permission denied
[ 2.733068] systemd-journald[500]: Fixed max_use=100.0M max_size=12.5M min_size=4.0M keep_free=150.0M

lsof (before your patch to close unknown sockets):

systemd-j 500 root 0r CHR 1,3 0t0 1028 /dev/null
systemd-j 500 root 1w CHR 1,3 0t0 1028 /dev/null
systemd-j 500 root 2w CHR 1,3 0t0 1028 /dev/null
systemd-j 500 root 3u unix 0xffff880036aef800 0t0 10367 /run/systemd/journal/dev-log
systemd-j 500 root 4u CHR 1,3 0t0 22 /null <----
systemd-j 500 root 5u unix 0xffff880079278a80 0t0 11298 /run/systemd/journal/stdout
systemd-j 500 root 6u unix 0xffff880079278e00 0t0 11301 /run/systemd/journal/socket
systemd-j 500 root 7w CHR 1,11 0t0 1034 /dev/kmsg <----
systemd-j 500 root 8u a_inode 0,9 0 7526 [eventpoll]
systemd-j 500 root 9u CHR 1,11 0t0 1034 /dev/kmsg <----
systemd-j 500 root 10r REG 0,3 0 9273 /proc/sys/kernel/hostname
systemd-j 500 root 11u a_inode 0,9 0 7526 [signalfd]
systemd-j 500 root 12u unix 0xffff880036aef480 0t0 18228 /run/systemd/journal/stdout
systemd-j 500 root 13u a_inode 0,9 0 7526 [timerfd]
systemd-j 500 root 14u unix 0xffff880078e6ca80 0t0 16663 /run/systemd/journal/stdout

4u is the socket that journald gets instead of the audit socket.
7w and 9u it opens itself.

This is with a mostly up-to-date F21 running with selinux in enforcing
mode, systemd from yesterday's git.

Zbyszek
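
Added example, not part of the original message and not systemd's code: one way a service can check what an inherited descriptor really is before using it, telling a netlink audit socket from a non-socket such as the /dev/null character device shown at 4u in the lsof output above. The names classify_fd() and enum fd_kind are hypothetical, and the /dev/null and AF_UNIX descriptors opened in main() are constructed stand-ins.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for this example; not systemd identifiers. */
enum fd_kind { FD_INVALID, FD_NOT_SOCKET, FD_OTHER_SOCKET, FD_AUDIT_NETLINK };

/* Decide what an inherited descriptor really is before trusting it. */
enum fd_kind classify_fd(int fd) {
    struct stat st;
    int domain = 0, protocol = 0;
    socklen_t len = sizeof(domain);

    if (fstat(fd, &st) < 0)
        return FD_INVALID;              /* closed or bad descriptor */
    if (!S_ISSOCK(st.st_mode))
        return FD_NOT_SOCKET;           /* e.g. a CHR device like /dev/null */

    /* SO_DOMAIN and SO_PROTOCOL are Linux socket options. */
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
        return FD_INVALID;
    len = sizeof(protocol);
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &protocol, &len) < 0)
        return FD_INVALID;

    if (domain == AF_NETLINK && protocol == NETLINK_AUDIT)
        return FD_AUDIT_NETLINK;
    return FD_OTHER_SOCKET;             /* e.g. the AF_UNIX journal sockets */
}

int main(void) {
    static const char *names[] = { "invalid", "not a socket",
                                   "other socket", "netlink audit socket" };
    int sv[2] = { -1, -1 };
    int devnull = open("/dev/null", O_RDWR);   /* stands in for fd 4 above */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        perror("socketpair");
    printf("/dev/null   -> %s\n", names[classify_fd(devnull)]);
    printf("unix socket -> %s\n", names[classify_fd(sv[0])]);
    if (devnull >= 0) close(devnull);
    if (sv[0] >= 0) { close(sv[0]); close(sv[1]); }
    return 0;
}
```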