Bug 1253969
| Summary: | Failed to start Apply Kernel Variables. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | poma <pomidorabelisima> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | dwalsh, johannbg, jsynacek, kim-rh, lnykryn, msekleta, pomidorabelisima, redhat-bugzilla, s, systemd-maint, zbyszek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-22 10:21:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
poma
2015-08-16 07:11:16 UTC
[ 1.250663] playa systemd[1]: Starting Apply Kernel Variables... [ 1.268629] playa systemd[1]: Started Apply Kernel Variables. [ 2.490439] playa systemd[1]: Stopped Apply Kernel Variables. [ 2.490558] playa systemd[1]: Stopping Apply Kernel Variables... [ 10.517425] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE [ 10.794209] playa systemd[1]: Failed to start Apply Kernel Variables. [ 10.794384] playa systemd[1]: Unit systemd-sysctl.service entered failed state. [ 10.794524] playa systemd[1]: systemd-sysctl.service failed. [ 14.296470] playa systemd[1]: Starting Apply Kernel Variables... [ 14.304153] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE [ 14.304390] playa systemd[1]: Failed to start Apply Kernel Variables. [ 14.304601] playa systemd[1]: Unit systemd-sysctl.service entered failed state. [ 14.304809] playa systemd[1]: systemd-sysctl.service failed. [ 14.458713] playa systemd[1]: Starting Apply Kernel Variables... [ 14.572132] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE [ 14.583726] playa systemd[1]: Failed to start Apply Kernel Variables. [ 14.584284] playa systemd[1]: Unit systemd-sysctl.service entered failed state. [ 14.584807] playa systemd[1]: systemd-sysctl.service failed. [ 15.344076] playa systemd[1]: Starting Apply Kernel Variables... [ 15.346855] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE [ 15.347143] playa systemd[1]: Failed to start Apply Kernel Variables. [ 15.347330] playa systemd[1]: Unit systemd-sysctl.service entered failed state. [ 15.347507] playa systemd[1]: systemd-sysctl.service failed. [ 15.366091] playa systemd[1]: Starting Apply Kernel Variables... [ 15.461440] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE [ 15.461637] playa systemd[1]: Failed to start Apply Kernel Variables. [ 15.461817] playa systemd[1]: Unit systemd-sysctl.service entered failed state. [ 15.461985] playa systemd[1]: systemd-sysctl.service failed. [ 15.463020] playa systemd[1]: start request repeated too quickly for systemd-sysctl.service Related to package: elfutils-default-yama-scope-0.163-3.fc23.noarch and selinux-policy-3.13.1-140.fc23.noarch
And this shows up in /var/log/messages:
Aug 16 13:24:03 kim systemd: Starting Apply Kernel Variables...
Aug 16 13:24:03 kim audit: AVC avc: denied { sys_ptrace } for pid=3478 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Aug 16 13:24:03 kim systemd-sysctl: Failed to write '0' to 'kernel/yama/ptrace_scope': Operation not permitted
Aug 16 13:24:03 kim audit: SYSCALL arch=c000003e syscall=1 success=no exit=-1 a0=4 a1=7fc19b07b000 a2=2 a3=22 items=0 ppid=1 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
Aug 16 13:24:03 kim audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-sysctl"
Aug 16 13:24:03 kim dbus[740]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE
Aug 16 13:24:03 kim systemd: Failed to start Apply Kernel Variables.
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Unit entered failed state.
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Failed with result 'exit-code'.
Aug 16 13:24:03 kim audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 16 13:24:06 kim dbus[740]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 16 13:24:06 kim setroubleshoot: Deleting alert 0872ae0f-f266-480e-9734-4941a9208070, it is allowed in current policy
Aug 16 13:24:09 kim org.fedoraproject.Setroubleshootd: 'list' object has no attribute 'split'
Aug 16 13:24:09 kim setroubleshoot: Plugin Exception restorecon_source
Aug 16 13:24:09 kim setroubleshoot: SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability. For complete SELinux messages. run sealert -l ace4aee9-3498-4585-b78d-da2617c7d638
Aug 16 13:24:09 kim python: SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd-sysctl should have the sys_ptrace capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Aug 16 13:25:01 kim audit: USER_ACCT pid=3568 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="pcp" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 16 13:25:01 kim audit: CRED_ACQ pid=3568 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="pcp" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 16 13:25:01 kim audit: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 16 13:25:01 kim audit: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Bingo
SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability.
avc: denied { sys_ptrace } for pid=4708 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Policy RPM selinux-policy-3.13.1-128.8.fc22.noarch
Policy Type targeted
Also in Rawhide, tested with: https://kojipkgs.fedoraproject.org/work/tasks/9425/10719425/ Fedora-Live-Xfce-x86_64-rawhide-20150816.iso
And Fedora 23, tested with Fedora-Live-Xfce-x86_64-23-20150817.iso
sealert -l dd01b44f-f4a2-4f5b-9d86-7b1361efc28b
SELinux is preventing systemd-sysctl from using the sys_ptrace capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-sysctl should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_sysctl_t:s0
Target Context system_u:system_r:systemd_sysctl_t:s0
Target Objects Unknown [ capability ]
Source systemd-sysctl
Source Path systemd-sysctl
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-141.fc23.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 4.2.0-0.rc5.git0.2.fc23.x86_64 #1
SMP Tue Aug 4 01:37:40 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-08-17 11:31:35 EDT
Last Seen 2015-08-17 11:31:35 EDT
Local ID dd01b44f-f4a2-4f5b-9d86-7b1361efc28b
Raw Audit Messages
type=AVC msg=audit(1439825495.761:1744): avc: denied { sys_ptrace } for pid=7493 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Hash: systemd-sysctl,systemd_sysctl_t,systemd_sysctl_t,capability,sys_ptrace
Is that all?
Yep! Duplicate of bug 1253926 ? Possible *** This bug has been marked as a duplicate of bug 1253926 *** selinux-policy-targeted-3.13.1-128.12.fc22.noarch - Allow systemd-sysctl cap. sys_ptrace BZ(1253926 OK |