On Tue, 14 Apr 2020 11:26:57 +1000 Russell Coker <russ...@coker.com.au>
wrote:
> On Saturday, 11 April 2020 5:19:00 PM AEST Michael Biebl wrote:
> > > type=AVC msg=audit(1586512443.135:71139): avc: granted { unlink
} for
> > > pid=293 comm="systemd-journal"
> > > name="
user-1001@165b61313e51499ab58ffd33d611e714-0000000000000000-00000000
> > > 00000000.journal" dev="sdb2" ino=2093618
> > > scontext=system_u:system_r:syslogd_t:s0
> > > tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
> > > type=AVC msg=audit(1586565837.001:94320): avc: granted { unlink
} for
> > > pid=293 comm="systemd-journal"
> > > name="
user-1001@165b61313e51499ab58ffd33d611e714-0000000000000000-00000000
> > > 00000000.journal" dev="sdb2" ino=2095421
> > > scontext=system_u:system_r:syslogd_t:s0
> > > tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
> >
> > Is another user/process accessing the journal file at the time the
> > delete happens?
>
> Not through any deliberate user action. I'm the only user of the
system and I
> wasn't running any journalctl command. Does systemd do such stuff
internally?Can you please report this upstream at https://github.com/systemd/systemd/issues and report back with the issue number. I'm not really familiar with SELinux to be able to make sense of those log messages. Upstream might. Thanks, Michael
signature.asc
Description: This is a digitally signed message part
