  • Fix large memory usage by systemd-journald (#1665931)
  • Some minor fixes to systemd-nspawn, udevadm, documentation and logging

No need to log out or reboot.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-1fb1547321

This update has been submitted for testing by zbyszek.

a year ago
bluepencil commented & provided feedback a year ago

SELinux is preventing /usr/lib/systemd/systemd-journald from using the signull access on a process labeled iptables_t

bluepencil commented & provided feedback a year ago

...as well as systemd_machined_t, abrt_dump_oops_t...

mattf commented & provided feedback a year ago

I upgraded to this update from koji. The next time I booted I saw many denials of systemd-journald sending signull on processes with 14 different labels, which I described at https://bugzilla.redhat.com/show_bug.cgi?id=1673847. The system seems to be running normally otherwise.
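
The denials reported in the comments above can be summarized per target label from the audit log. This is an added example, not part of the original thread or of any Fedora tool: the function name is hypothetical, the log lines are constructed samples, and the `syslogd_t` source domain shown in them is an assumption.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the page or the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549300000.101:201): avc:  denied  { signull } for  pid=612 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
type=AVC msg=audit(1549300000.102:202): avc:  denied  { signull } for  pid=612 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1549300030.400:230): avc:  denied  { signull } for  pid=612 comm="systemd-journal" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
type=AVC msg=audit(1549300031.000:231): avc:  denied  { map } for  pid=612 comm="systemd-journal" path="/example" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549300032.000:232): avc:  denied  { signull } for  pid=900 comm="other-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:abrt_dump_oops_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1549300032.000:232): arch=c000003e syscall=62 success=no exit=-13
"""

# Pulls the denied permissions, command name, contexts and class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def signull_targets(log_text, comm="systemd-journal"):
    """Count denied signull checks by target SELinux type for one command.

    The kernel truncates comm to 15 characters, hence "systemd-journal".
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm or m["tclass"] != "process":
            continue
        if "signull" not in m["perms"].split():
            continue
        # A context is user:role:type:level; the type is the third field.
        counts[m["tcontext"].split(":")[2]] += 1
    return counts


if __name__ == "__main__":
    # Replace the sample with the contents of /var/log/audit/audit.log on a real host.
    for target, n in signull_targets(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:4d}  {target}")
```

Running it before and after an update shows whether the set of affected target labels has shrunk to nothing.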

anonymous commented & provided feedback a year ago

Dear Maintainer, could you please explain to us why this Update is tagged 'security'? The major bug resolved reads as if it doesn't need to / could be triggered by an attacker. Thanks in advance. lauter

adamwill commented & provided feedback a year ago

openQA saw the same thing as @mattf - new SELinux denials introduced by this update. They can be seen in this test log for instance. @lvrabec

zbyszek edited this update.

New build(s):

  • systemd-239-11.git4dc7dce.fc29

Removed build(s):

  • systemd-239-10.git4dc7dce.fc29

Karma has been reset.

a year ago
zbyszek commented & provided feedback a year ago

Yikes. I reverted the one patch that I think was causing the SELinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.

What is slightly surprising is that the patch has been present in rawhide for a few days, and nobody reported the issue. So maybe nobody has SELinux enabled ;)

bluepencil commented & provided feedback a year ago

@zbyszek

It may be that everyone has already been driven nuts by this endlessly repeating process :)

bluepencil commented & provided feedback a year ago
karma

I have deleted the previously created semodule & everything seems to be O.K. with 239-11 now. At least, setroubleshoot shows no more warnings :)

mattf commented & provided feedback a year ago
karma

I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.

Test Case Services start

This update has been pushed to testing.

a year ago
bojan commented & provided feedback a year ago
karma

Works here.

This update has been submitted for batched by bodhi.

a year ago
besser82 commented & provided feedback a year ago
karma

Works great! LGTM! =)

This update has been submitted for stable by bodhi.

a year ago

This update has been pushed to stable.

a year ago
bluepencil commented & provided feedback a year ago

Against all expectations, one more problem with SELinux has floated up:

SELinux is preventing /usr/lib/systemd/systemd-journald from map access on the file D656D66643A73......................................................................

zbyszek commented & provided feedback a year ago

@bluepencil: please open a normal bug (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy-targeted) with all the details. It doesn't look like something related to this update.

zbyszek commented & provided feedback a year ago

... and please put me in cc.

bluepencil commented & provided feedback a year ago

@zbyszek

O.K, I will try to create an account after their server goes through maintenance. ... On occasion I've run ClipGrab and it turned out that SELinux alerts repeat every time you start the program.


Metadata
Type: security
Severity: medium
Karma: 4
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
modified: a year ago
BZ#1665931 systemd-journald.service: crazy memory usage (24.5 GB VIRT, 170 MB RES) RuntimeMaxUse=10M

Automated Test Results

Test Cases

0 1 Test Case Services start
0 0 Test Case base service manipulation
0 0 Test Case base services start
0 0 Test Case base shutdown/reboot
0 0 Test Case User:Tablepc/Draft testcase reboot