stable

systemd-239-11.git4dc7dce.fc29

FEDORA-2019-1fb1547321 created by zbyszek 5 years ago for Fedora 29
  • Fix large memory usage by systemd-journald (#1665931)
  • Some minor fixes to systemd-nspawn, udevadm, documentation and logging

No need to log out or reboot.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-1fb1547321

This update has been submitted for testing by zbyszek.

5 years ago
bluepencil commented & provided feedback 5 years ago

SELinux is preventing /usr/lib/systemd/systemd-journald from using the signull access on a process labeled iptables_t

bluepencil commented & provided feedback 5 years ago

...as well as systemd_machined_t, abrt_dump_oops_t...

mattf commented & provided feedback 5 years ago

I upgraded to this update from koji. The next time I booted I saw many denials of systemd-journald sending signull on processes with 14 different labels, which I described at https://bugzilla.redhat.com/show_bug.cgi?id=1673847. The system seems to be running normally otherwise.

anonymous commented & provided feedback 5 years ago

Dear Maintainer, could you please explain to us why this update is tagged 'security'? The major bug resolved reads as if it doesn't need to / could be triggered by an attacker. Thanks in advance. lauter

adamwill commented & provided feedback 5 years ago

openQA saw the same thing as @mattf - new SELinux denials introduced by this update. They can be seen in this test log for instance. @lvrabec

zbyszek edited this update.

New build(s):

  • systemd-239-11.git4dc7dce.fc29

Removed build(s):

  • systemd-239-10.git4dc7dce.fc29

Karma has been reset.

5 years ago
zbyszek commented & provided feedback 5 years ago

Yikes. I reverted the one patch that I think was causing the SELinux issues. Journald will use more memory, but not as much as before. What the patch did was to periodically drop the entries for all dead processes from the cache. This now is disabled, so the cache will always stay at the maximum.

What is slightly surprising is that the patch has been present in rawhide for a few days, and nobody reported the issue. So maybe nobody has SELinux enabled ;)

bluepencil commented & provided feedback 5 years ago

@zbyszek

It may be that everyone has already been driven nuts by this endlessly repeating process :)

bluepencil commented & provided feedback 5 years ago
karma

I have deleted the previously created semodule & everything seems to be O.K. with 239-11 now. At least, setroubleshoot shows no more warnings :)

mattf commented & provided feedback 5 years ago
karma

I haven't seen any systemd-journald signull denials during a few boots using 239-11. Thanks for the update and explanation.

Test Case Services start

This update has been pushed to testing.

5 years ago
bojan commented & provided feedback 5 years ago
karma

Works here.

This update has been submitted for batched by bodhi.

5 years ago
besser82 commented & provided feedback 5 years ago
karma

Works great! LGTM! =)

This update has been submitted for stable by bodhi.

5 years ago

This update has been pushed to stable.

5 years ago
bluepencil commented & provided feedback 5 years ago

Against all expectations, one more problem with SELinux has floated up:

SELinux is preventing /usr/lib/systemd/systemd-journald from map access on the file D656D66643A73......................................................................

zbyszek commented & provided feedback 5 years ago

@bluepencil: please open a normal bug (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=selinux-policy-targeted) with all the details. It doesn't look like something related to this update.

zbyszek commented & provided feedback 5 years ago

... and please put me in cc.

bluepencil commented & provided feedback 5 years ago

@zbyszek

O.K, I will try to create an account after their server goes through maintenance. ... On occasion I've run ClipGrab and it turned out that SELinux alerts repeat every time you start the program.


Metadata
  • Type: security
  • Severity: medium
  • Karma: 4
  • Signed
  • Content Type: RPM
  • Test Gating

Settings
  • Unstable by Karma: -3
  • Stable by Karma: 3
  • Stable by Time: disabled

Dates
  • submitted: 5 years ago
  • in testing: 5 years ago
  • in stable: 5 years ago
  • modified: 5 years ago

BZ#1665931 systemd-journald.service: crazy memory usage (24.5 GB VIRT, 170 MB RES) RuntimeMaxUse=10M
Test Cases

0 1 Test Case Services start
0 0 Test Case base service manipulation
0 0 Test Case base services start
0 0 Test Case base shutdown/reboot
0 0 Test Case User:Tablepc/Draft testcase reboot