FEDORA-2019-1fb1547321

security update in Fedora 29 for systemd

Status: stable 6 months ago
  • Fix large memory usage by systemd-journald (#1665931)
  • Some minor fixes to systemd-nspawn, udevadm, documentation and logging

No need to log out or reboot.

Comments 21

This update has been submitted for testing by zbyszek.

SELinux is preventing /usr/lib/systemd/systemd-journald from using the signull access on a process labeled iptables_t

...as well as systemd_machined_t, abrt_dump_oops_t...

I upgraded to this update from koji. The next time I booted I saw many denials of systemd-journald sending signull on processes with 14 different labels, which I described at https://bugzilla.redhat.com/show_bug.cgi?id=1673847. The system seems to be running normally otherwise.

critpath: +1

Dear Maintainer, could you please explain to us why this update is tagged 'security'? The major bug resolved reads as if it doesn't need to be / could be triggered by an attacker. Thanks in advance. lauter

openQA saw the same thing as @mattf - new SELinux denials introduced by this update. They can be seen in this test log for instance. @lvrabec

zbyszek edited this update.

New build(s):

  • systemd-239-11.git4dc7dce.fc29

Removed build(s):

  • systemd-239-10.git4dc7dce.fc29

Karma has been reset.

Yikes. I reverted the one patch that I think was causing the selinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.

What is slightly surprising is that the patch has been present in rawhide for a few days, and nobody reported the issue. So maybe nobody has selinux enabled ;)

@zbyszek

It may be that everyone has already been driven nuts by this endlessly repeating process :)

I have deleted the previously created semodule & everything seems to be O.K. with 239-11 now. At least, setroubleshoot shows no more warnings :)

I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.

karma: +1 critpath: +1 Services start: +1

This update has been pushed to testing.

Works here.

karma: +1 critpath: +1

This update has been submitted for batched by bodhi.

Works great! LGTM! =)

karma: +1

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Against all expectations, here is one more problem with SELinux floated up:

SELinux is preventing /usr/lib/systemd/systemd-journald from map access on the file D656D66643A73......................................................................

@bluepencil: please open a normal bug (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy-targeted) with all the details. It doesn't look like something related to this update.

... and please put me in cc.

@zbyszek

O.K., I will try to create an account after their server goes through maintenance. ... On occasion I've run ClipGrab, and it turned out that the SELinux alerts repeat every time you start the program.


Content Type: RPM
Status: stable
Test Gating: (none)
Submitted by: zbyszek
Update Type: security
Update Severity: medium
Karma: +4 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 6 months ago; in testing 6 months ago; in stable 6 months ago; modified 6 months ago

Related Bugs

  • #1665931 systemd-journald.service: crazy memory usage (24.5 GB VIRT, 170 MB RES) RuntimeMaxUse=10M

Automated Test Results

Test Cases

  • Test Case Services start (karma: 0 / +1)
  • Test Case base service manipulation (karma: 0 / 0)
  • Test Case base services start (karma: 0 / 0)
  • Test Case base shutdown/reboot (karma: 0 / 0)