10.2. SELinux and journald
The journald daemon (also known as systemd-journal) is the alternative for the syslog utility, which is a system service that collects and stores logging data. It creates and maintains structured and indexed journals based on logging information that is received from the kernel, from user processes using the syslog() function, from standard and error output of system services, or using its native API. It implicitly collects numerous metadata fields for each log message in a secure way.
The systemd-journal service can be used with SELinux to increase security. SELinux controls processes by only allowing them to do what they were designed to do; sometimes even less, depending on the security goals of the policy writer. For example, SELinux prevents a compromised ntpd process from doing anything other than handle Network Time. However, the ntpd process sends syslog messages, so SELinux would allow the compromised process to continue to send those messages. The compromised process could forge syslog messages to match other daemons and potentially mislead an administrator, or even worse, a utility that reads the syslog file, into compromising the whole system.
The systemd-journal daemon verifies all log messages and, among other things, adds SELinux labels to them. It is then easy to detect inconsistencies in log messages and prevent an attack of this type before it occurs. You can use the journalctl utility to query logs of systemd journals. If no command-line arguments are specified, running this utility lists the full content of the journal, starting from the oldest entries. To see all logs generated on the system, including logs for system components, execute journalctl as root. If you execute it as a non-root user, the output will be limited only to logs related to the currently logged-in user.
Example 10.2. Listing Logs with journalctl

It is possible to use journalctl for listing all logs related to a particular SELinux label. For example, the following command lists all logs logged under the system_u:system_r:policykit_t:s0 label:
    journalctl _SELINUX_CONTEXT=system_u:system_r:policykit_t:s0
    Oct 21 10:22:42 localhost.localdomain polkitd: Started polkitd version 0.112
    Oct 21 10:22:44 localhost.localdomain polkitd: Loading rules from directory /etc/polkit-1/rules.d
    Oct 21 10:22:44 localhost.localdomain polkitd: Loading rules from directory /usr/share/polkit-1/rules.d
    Oct 21 10:22:44 localhost.localdomain polkitd: Finished loading, compiling and executing 5 rules
    Oct 21 10:22:44 localhost.localdomain polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Oct 21 10:23:10 localhost polkitd: Registered Authentication Agent for unix-session:c1 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    Oct 21 10:23:35 localhost polkitd: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.80 [/usr/bin/gnome-shell --mode=classic], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8)
For more information about journalctl, see the journalctl(1) manual page.
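The inconsistency check described above (a message whose claimed sender does not match the SELinux label journald attached to the sending process) as an added example that is not part of the original guide. It reads journalctl's JSON export format (`journalctl -o json`, one object per line); the journal entries, the ntpd_t/sshd_t/policykit_t expectations and the identifier names are constructed for this example and are not taken from any real system.

```python
import json

# Constructed sample of `journalctl -o json` output, one JSON object per line.
# The field names (_SELINUX_CONTEXT, SYSLOG_IDENTIFIER, _COMM, MESSAGE) are journald's;
# the values are invented. The third entry claims to be sshd but was sent by a
# process running in the ntpd_t domain, the situation the text describes.
SAMPLE_JOURNAL = """\
{"SYSLOG_IDENTIFIER":"polkitd","_COMM":"polkitd","_SELINUX_CONTEXT":"system_u:system_r:policykit_t:s0","MESSAGE":"Started polkitd version 0.112"}
{"SYSLOG_IDENTIFIER":"ntpd","_COMM":"ntpd","_SELINUX_CONTEXT":"system_u:system_r:ntpd_t:s0","MESSAGE":"Listen normally on 3 eth0"}
{"SYSLOG_IDENTIFIER":"sshd","_COMM":"ntpd","_SELINUX_CONTEXT":"system_u:system_r:ntpd_t:s0","MESSAGE":"Accepted publickey for admin from 192.0.2.10"}
"""

# Hypothetical baseline: which syslog identifiers each SELinux domain type is
# expected to emit. On a real system derive this from the loaded policy and
# from a known-good capture of the journal.
EXPECTED_IDENTIFIERS = {
    "policykit_t": {"polkitd"},
    "ntpd_t": {"ntpd"},
    "sshd_t": {"sshd"},
}

def domain_type(context):
    """Return the type component of an SELinux context (user:role:type:range)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def find_inconsistent(journal_text):
    """Return (domain, claimed identifier, message) for entries whose SYSLOG_IDENTIFIER,
    which the sending process chooses freely, does not belong to the domain recorded in
    _SELINUX_CONTEXT, which journald obtains from the kernel and the sender cannot set."""
    suspicious = []
    for line in journal_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        dom = domain_type(entry.get("_SELINUX_CONTEXT", ""))
        ident = entry.get("SYSLOG_IDENTIFIER", "")
        allowed = EXPECTED_IDENTIFIERS.get(dom)
        # Domains with no baseline are skipped rather than flagged.
        if allowed is not None and ident not in allowed:
            suspicious.append((dom, ident, entry.get("MESSAGE", "")))
    return suspicious

if __name__ == "__main__":
    for dom, ident, msg in find_inconsistent(SAMPLE_JOURNAL):
        print(f"domain {dom} emitted a message claiming identifier {ident!r}: {msg}")
```

On a live system the same function can be fed `journalctl -o json` output; only entries for domains present in the baseline mapping are evaluated.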