I'm trying to write a custom service definition for SystemD on a RHEL system.
Currently, the output goes into the Journal, but I'd need it in a file to parse and forward it with logstash. (Note: For reasons out of my control, Journalbeat is not an option).
To make the service log to a file instead, I tried:
- Creating a /var/log/myservice directory
- Setting the
StandardOutput=append:/var/log/myservice
directive in the SystemD service definition
When I try to launch the service, it fails with status=209/STDOUT
.
After some debugging, I figured out it's SELinux that is preventing this:
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects mylogfile.log [ file ]
Source (myservice)
Source Path /usr/lib/systemd/systemd
Port <Unknown>
Host myhost.mydomain.net
Source RPM Packages systemd-239-45.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-67.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-67.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
<... truncated ...>
Raw Audit Messages
type=AVC msg=audit(1628237958.525:23268): avc: denied { create } for pid=323316 comm="(myservice)" name="mylogfile" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1628237958.525:23268): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=55e0d96f2230 a2=541 a3=1a4 items=0 ppid=1 pid=323316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(myservice) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
I'm understanding that it's telling me that SystemD (running with the context system_u:system_r:init_t:s0
) can't create a file in my directory (system_u:object_r:var_log_t:s0
).
The directory currently is empty:
# ls -alZ /var/log/myservice/
total 12
drwxr-xr-x. 2 root root system_u:object_r:var_log_t:s0 6 Aug 6 09:11 .
drwxr-xr-x. 19 root root system_u:object_r:var_log_t:s0 8192 Aug 6 03:13 ..
Question: What is the proper way (policy) to allow SystemD to write logs into /var/log?
I've tried several approaches with semanage fcontext
but none were successful so far.
setenforce permissive
temporarily, then trigger the situation again (it will be allowed but with a message in audit logs), then parse the logs with special tools, create a policy and load it (permanently). Instructions e.g. here: https://wiki.centos.org/HowTos/SELinux (section 5 when you have the logs by "permissive") and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow . I believe there is also a graphical tool for it but I never use it. – Ned64 Aug 06 '21 at 08:44