On Mon, Dec 01, 2014 at 01:15:59AM +0100, Lennart Poettering wrote:
> On Mon, 01.12.14 01:10, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:
>
> > On Sun, Nov 30, 2014 at 10:55:03PM +0100, Lennart Poettering wrote:
> > > On Sun, 30.11.14 01:09, Zbigniew Jędrzejewski-Szmek ([email protected]) wrote:
> > >
> > > > > I think we really should close the fd here. audit is actually really a
> > > > > good example why: the audit kernel side has a logic to pass audit msgs
> > > > > to kmsg if no client is listening¹. If we keep the audit fd open, but
> > > > > don't read from it this would mean the kmsg logic is turned off
> > > > > without anyone ever seeing the audit msgs, which is something we
> > > > > really should avoid I guess...
> > > > >
> > > > > Anyway, made the change now to close it. I hope that makes sense.
> > > > Yeah, I was on the fence with closing the socket or not. Closing
> > > > it is probably better for upstream.
> > > >
> > > > Anyway with F21 and selinux for some reason systemd is not able to
> > > > pass the audit socket to journald. This sounds strange, but it is fairly
> > > > consistent.
> > >
> > > What precisely happens? What does "not able" mean?
> > journald complains that it received a socket of an unknown type,
> > and tries to open audit:
> >
> > [ 2.731174] systemd-journald[500]: Unknown socket passed as file descriptor 4, ignoring.
> > [ 2.731825] audit: type=1400 audit(1417286938.247:4): avc: denied { create } for pid=500 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=netlink_audit_socket permissive=0
> > [ 2.731840] systemd-journald[500]: Failed to create audit socket, ignoring: Permission denied
> > [ 2.733068] systemd-journald[500]: Fixed max_use=100.0M max_size=12.5M min_size=4.0M keep_free=150.0M
> >
> > lsof (before your patch to close unknown sockets):
> >
> > systemd-j 500 root  0r  CHR     1,3                0t0 1028  /dev/null
> > systemd-j 500 root  1w  CHR     1,3                0t0 1028  /dev/null
> > systemd-j 500 root  2w  CHR     1,3                0t0 1028  /dev/null
> > systemd-j 500 root  3u  unix    0xffff880036aef800 0t0 10367 /run/systemd/journal/dev-log
> > systemd-j 500 root  4u  CHR     1,3                0t0 22    /null   <----
> > systemd-j 500 root  5u  unix    0xffff880079278a80 0t0 11298 /run/systemd/journal/stdout
> > systemd-j 500 root  6u  unix    0xffff880079278e00 0t0 11301 /run/systemd/journal/socket
> > systemd-j 500 root  7w  CHR     1,11               0t0 1034  /dev/kmsg   <----
> > systemd-j 500 root  8u  a_inode 0,9                0   7526  [eventpoll]
> > systemd-j 500 root  9u  CHR     1,11               0t0 1034  /dev/kmsg   <----
> > systemd-j 500 root 10r  REG     0,3                0   9273  /proc/sys/kernel/hostname
> > systemd-j 500 root 11u  a_inode 0,9                0   7526  [signalfd]
> > systemd-j 500 root 12u  unix    0xffff880036aef480 0t0 18228 /run/systemd/journal/stdout
> > systemd-j 500 root 13u  a_inode 0,9                0   7526  [timerfd]
> > systemd-j 500 root 14u  unix    0xffff880078e6ca80 0t0 16663 /run/systemd/journal/stdout
> >
> > 4u is the socket that journald gets instead of the audit socket.
> > 7w and 9u it opens itself.
> >
> > This is with a mostly up-to-date F21 running with selinux in enforcing
> > mode, systemd from yesterday's git.
>
> That is seriously weird.
>
> Is systemd-journald-audit.socket missing in the initrd maybe? Or not started?

Yes, have older systemd there.
But it seems to be started correctly. I attached gdb to systemd and afaict the socket was opened properly. I'll look at it again :)
Zbyszek
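
The check this thread revolves around, as an added example that is not part of the original message and is not systemd's code: decide whether a descriptor received through socket activation really is the audit netlink socket, and close it otherwise so that nothing is held open without being read. The names `fd_kind`, `classify_fd` and `accept_audit_fd` are hypothetical, and the `/dev/null` descriptor in `main` is a constructed stand-in for the stray fd 4 in the lsof listing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <linux/netlink.h>   /* NETLINK_AUDIT */

/* Hypothetical names; this is an illustration, not journald's implementation. */
enum fd_kind { FD_ERROR = -1, FD_NOT_SOCKET, FD_OTHER_SOCKET, FD_AUDIT_SOCKET };

/* Inspect a passed-in descriptor without reading from it. */
enum fd_kind classify_fd(int fd) {
    struct stat st;
    int domain = 0, proto = 0;
    socklen_t len;

    if (fstat(fd, &st) < 0)
        return FD_ERROR;
    if (!S_ISSOCK(st.st_mode))
        return FD_NOT_SOCKET;      /* e.g. a CHR device such as /dev/null */

    len = sizeof(domain);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
        return FD_ERROR;
    len = sizeof(proto);
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &proto, &len) < 0)
        return FD_ERROR;

    return (domain == AF_NETLINK && proto == NETLINK_AUDIT)
               ? FD_AUDIT_SOCKET : FD_OTHER_SOCKET;
}

/* Keep the descriptor only if it is the audit socket; close anything else.
 * Returns the fd to use, or -1 if it was rejected. */
int accept_audit_fd(int fd) {
    enum fd_kind kind = classify_fd(fd);
    if (kind == FD_AUDIT_SOCKET)
        return fd;
    if (kind != FD_ERROR)
        close(fd);                 /* do not keep an unknown fd open unread */
    return -1;
}

int main(void) {
    int fd = open("/dev/null", O_RDWR);   /* constructed stand-in for fd 4 */
    printf("kind=%d\n", classify_fd(fd));
    printf("kept=%d\n", accept_audit_fd(fd));
    return 0;
}
```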
