On Mon, 01.12.14 01:10, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:

> On Sun, Nov 30, 2014 at 10:55:03PM +0100, Lennart Poettering wrote:
> > On Sun, 30.11.14 01:09, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:
> > 
> > > > I think we really should close the fd here. audit is actually really a
> > > > good example why: the audit kernel side has a logic to pass audit msgs
> > > > to kmsg if no client is listening¹. If we keep the audit fd open, but
> > > > don't read from it this would mean the kmsg logic is turned off
> > > > without anyone ever seeing the audit msgs, which is something we
> > > > really should avoid I guess... 
> > > > 
> > > > Anyway, made the change now to close it. I hope that makes sense.
> > > Yeah, I was on the fence with closing the socket or not. Closing
> > > it is probably better for upstream.
> > > 
> > > Anyway with F21 and selinux for some reason systemd is not able to
> > > pass the audit socket to journald. This sounds strange, but it is fairly
> > > consistent.
> > 
> > What precisely happens? What does "not able" mean?
> journald complains that it received a socket of an unknown type,
> and tries to open audit:
> 
> [    2.731174] systemd-journald[500]: Unknown socket passed as file descriptor 4, ignoring.
> [    2.731825] audit: type=1400 audit(1417286938.247:4): avc:  denied  { create } for  pid=500 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
> [    2.731840] systemd-journald[500]: Failed to create audit socket, ignoring: Permission denied
> [    2.733068] systemd-journald[500]: Fixed max_use=100.0M max_size=12.5M min_size=4.0M keep_free=150.0M
> 
> lsof (before your patch to close unknown sockets):
> 
> systemd-j 500 root    0r      CHR                1,3      0t0   1028 /dev/null
> systemd-j 500 root    1w      CHR                1,3      0t0   1028 /dev/null
> systemd-j 500 root    2w      CHR                1,3      0t0   1028 /dev/null
> systemd-j 500 root    3u     unix 0xffff880036aef800      0t0  10367 /run/systemd/journal/dev-log
> systemd-j 500 root    4u      CHR                1,3      0t0     22 /null                            <----
> systemd-j 500 root    5u     unix 0xffff880079278a80      0t0  11298 /run/systemd/journal/stdout
> systemd-j 500 root    6u     unix 0xffff880079278e00      0t0  11301 /run/systemd/journal/socket
> systemd-j 500 root    7w      CHR               1,11      0t0   1034 /dev/kmsg                        <----
> systemd-j 500 root    8u  a_inode                0,9        0   7526 [eventpoll]
> systemd-j 500 root    9u      CHR               1,11      0t0   1034 /dev/kmsg                        <----
> systemd-j 500 root   10r      REG                0,3        0   9273 /proc/sys/kernel/hostname
> systemd-j 500 root   11u  a_inode                0,9        0   7526 [signalfd]
> systemd-j 500 root   12u     unix 0xffff880036aef480      0t0  18228 /run/systemd/journal/stdout
> systemd-j 500 root   13u  a_inode                0,9        0   7526 [timerfd]
> systemd-j 500 root   14u     unix 0xffff880078e6ca80      0t0  16663 /run/systemd/journal/stdout
> 
> 4u is the socket that journald gets instead of the audit socket.
> 7w and 9u it opens itself.
> 
> This is with a mostly up-to-date F21 running with selinux in enforcing
> mode, systemd from yesterday's git.

That is seriously weird.

Is systemd-journald-audit.socket missing in the initrd maybe? Or not started?

Lennart

-- 
Lennart Poettering, Red Hat
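
Added example, not part of the thread and not systemd's code: one way a daemon can check that an inherited descriptor really is a NETLINK_AUDIT socket and close it otherwise, the situation behind the "Unknown socket passed as file descriptor 4" line and the character device that lsof shows on fd 4. The names `classify_passed_fd` and `accept_audit_fd_or_close` are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/netlink.h>

enum fd_kind { FD_INVALID, FD_NOT_SOCKET, FD_OTHER_SOCKET, FD_AUDIT_NETLINK };

/* Classify an inherited descriptor without reading from it. */
enum fd_kind classify_passed_fd(int fd) {
    struct stat st;
    int domain, protocol;
    socklen_t len;

    if (fstat(fd, &st) < 0)
        return FD_INVALID;            /* closed or never opened */
    if (!S_ISSOCK(st.st_mode))
        return FD_NOT_SOCKET;         /* e.g. a character device such as /dev/null */

    len = sizeof(domain);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
        return FD_INVALID;
    len = sizeof(protocol);
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &protocol, &len) < 0)
        return FD_INVALID;

    if (domain == AF_NETLINK && protocol == NETLINK_AUDIT)
        return FD_AUDIT_NETLINK;
    return FD_OTHER_SOCKET;           /* AF_UNIX, other netlink families, ... */
}

/* Keep the fd only if it is the audit socket. An unexpected fd is closed
 * rather than left open and unread, so the process does not silently hold
 * a descriptor it never services. Returns the fd, or -1 if it was closed. */
int accept_audit_fd_or_close(int fd) {
    if (classify_passed_fd(fd) == FD_AUDIT_NETLINK)
        return fd;
    close(fd);
    return -1;
}

int main(void) {
    /* Constructed input: a character device standing in for the stray fd 4. */
    int fd = open("/dev/null", O_RDWR);
    printf("kind=%d kept=%d\n", classify_passed_fd(fd), accept_audit_fd_or_close(fd));
    return 0;
}
```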