Description of problem:
After an update (from updates-testing), I am getting an SELinux issue when I boot my system.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-149.fc20.noarch
selinux-policy-targeted-3.12.1-149.fc20.noarch
kernel-3.13.9-200.fc20.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install these updates
2. Reboot

Actual results:
It shows at boot:
[FAILED] Apply Kernel Variables

Trying to start it manually returns an error:
systemctl start systemd-sysctl -> failed
error: systemd-sysctl[2828]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied

In permissive it is OK:
setenforce 0; systemctl start systemd-sysctl -> OK

Expected results:
That it starts correctly without switching SELinux to permissive.

Additional info:
sysrq 16 is for: sync command (that seems to allow syncing the disk)
Tried to look in /usr/lib/sysctl.d/00-system.conf, sysctl.conf and /etc/sysctl.d/*, but cannot find where it is told to enable the SysRq sync.
forgot to mention I did a full relabel on my system, but it is still the same after a reboot.
What AVC are you exactly getting?

# ausearch -m avc

But I believe this is a known kernel bug.
I'm hitting this bug too, on 2 machines (i686 and x86_64).

Output of journalctl -xn:

-- Logs begin at Mon 2013-09-23 15:31:48 CEST, end at Mon 2014-04-07 14:27:11 CEST. --
Apr 07 14:27:01 hostname python[4066]: SELinux is preventing /usr/lib/systemd/systemd-sysctl from write access on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-sysctl should be allowed write access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Output of ausearch -m avc:

time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.803:454): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.803:454): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.806:455): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.806:455): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=8022 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:456): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef0110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:456): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=8026 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:457): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef0110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:457): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=8027 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:458): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:458): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=8029 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:459): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:459): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=8030 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:460): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:460): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="swappiness" dev="proc" ino=8032 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:461): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:461): avc: denied { write } for pid=2667 comm="systemd-sysctl" name="aio-max-nr" dev="proc" ino=8033 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.942:479): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.942:479): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:480): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:480): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=8022 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:481): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd64110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:481): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=8026 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:482): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd64110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:482): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=8027 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:483): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:483): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=8029 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:484): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:484): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=8030 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:485): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:485): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="swappiness" dev="proc" ino=8032 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr 7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:486): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:486): avc: denied { write } for pid=3738 comm="systemd-sysctl" name="aio-max-nr" dev="proc" ino=8033 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
After installing this policy module, systemd-sysctl worked ok:

module mypol 1.0;

require {
	type proc_t;
	type systemd_sysctl_t;
	class file write;
}

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t proc_t:file write;
Same problem here.

# journalctl -b
[snip out some non-relevant lines]
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '524288' to '/proc/sys/fs/inotify/max_user_watches': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Failed to start Apply Kernel Variables.
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Unit systemd-sysctl.service entered failed state.
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:4): avc: denied { write } for pid=376 comm="systemd-sysctl" name="sysrq" dev="proc" ino=9397 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:5): avc: denied { write } for pid=376 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=9398 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:6): avc: denied { write } for pid=376 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=9402 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:7): avc: denied { write } for pid=376 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=9403 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:8): avc: denied { write } for pid=376 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=9405 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:9): avc: denied { write } for pid=376 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=9406 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:10): avc: denied { write } for pid=376 comm="systemd-sysctl" name="max_user_watches" dev="proc" ino=9408 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

Could this be related to bug #1084903?
I have the same output as comment #3, but I have a few more (output is in the attachment: ausearch_output.txt). 2 are related to the file I created: /etc/sysctl.d/disable_ipv6
Created attachment 883718 [details] ausearch output
Created attachment 883720 [details] disable_ipv6
(In reply to Miroslav Grepl from comment #2)
> But I believe this is known kernel bug.

Can you give some details about that kernel bug?
The kernel should be labeling this directory as sysctl_kernel_t which would be allowed to write, but for some reason it is labeled as proc_t.
On my F21 system I see:

# ls /proc/sys/kernel/sysrq -Z
-rw-r--r--. root root system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/sysrq
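An added triage script for records like the ones posted earlier in this thread; it is not code from the bug report, from systemd, or from the SELinux userspace tools. It reads audit.log or ausearch -m avc output, decodes the open(2) flags from the matching SYSCALL record (a1=80241 on x86-64 is O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, which is systemd-sysctl opening the file for writing), prints the allow rules audit2allow would derive, and separates denials whose target on dev="proc" carries the filesystem default proc_t (the labeling symptom the two comments above describe, where the inode should carry a sysctl_*_t type) from denials against a proper sysctl type, which would be a genuine policy gap. The sample records are constructed in the shape of the ones in this thread; the third AVC line, with tcontext sysctl_kernel_t, is invented to exercise the second branch.

```python
"""Triage SELinux AVC denials of the kind systemd-sysctl logged above.

Added example, not code from the bug report, systemd or the SELinux tools:
parses audit.log/ausearch records, decodes the open(2) flags from the
matching SYSCALL record, lists the allow rules audit2allow would derive,
and flags /proc targets labeled with the filesystem default proc_t, which
points at kernel labeling rather than at a missing policy rule.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the records above; the third AVC line
# (tcontext sysctl_kernel_t) is invented to show what a real policy gap looks like.
SAMPLE = """\
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.803:454): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.803:454): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=AVC msg=audit(1396872527.807:456): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=8026 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
type=AVC msg=audit(1396873011.942:479): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+?) \} for\s+(?P<kv>.*)$")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) flag bits on x86-64 (asm-generic/fcntl.h); a1 in the records is hex.
OPEN_FLAGS = [(0x1, "O_WRONLY"), (0x2, "O_RDWR"), (0x40, "O_CREAT"),
              (0x80, "O_EXCL"), (0x200, "O_TRUNC"), (0x400, "O_APPEND"),
              (0x800, "O_NONBLOCK"), (0x80000, "O_CLOEXEC")]


def decode_open_flags(a1):
    names = [n for bit, n in OPEN_FLAGS if a1 & bit]
    return "|".join(names) if a1 & 0x3 else "|".join(["O_RDONLY"] + names)


def _kv(s):
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def parse_records(text):
    """AVC denials, each joined to its SYSCALL record by audit serial."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscalls[m["serial"]] = _kv(m["kv"])
            continue
        m = AVC_RE.match(line.strip())
        if m:
            rec = _kv(m["kv"])
            rec["perms"] = m["perms"].split()
            sc = syscalls.get(m["serial"], {})
            if sc.get("syscall") == "2":        # open(2) on x86-64
                rec["open_flags"] = decode_open_flags(int(sc["a1"], 16))
            avcs.append(rec)
    return avcs


def sel_type(ctx):
    return ctx.split(":")[2]


def classify(rec):
    """'mislabel': a file on proc carrying proc_t instead of a sysctl type."""
    if rec.get("dev") == "proc" and rec.get("tclass") == "file" \
            and sel_type(rec["tcontext"]) == "proc_t":
        return "mislabel"
    return "policy"


def allow_rules(records):
    """What audit2allow would emit; note how broad 'proc_t:file write' is."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(sel_type(r["scontext"]), sel_type(r["tcontext"]),
                 r["tclass"])].update(r["perms"])
    out = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        p = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out


def triage(text):
    recs = parse_records(text)
    summary = defaultdict(list)
    for r in recs:
        summary[classify(r)].append(r["name"])
    return {"rules": allow_rules(recs), "summary": dict(summary),
            "open_flags": sorted({r["open_flags"] for r in recs if "open_flags" in r})}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against `ausearch -m avc` output piped into SAMPLE's place. The rule it derives for the thread's records, `allow systemd_sysctl_t proc_t:file write;`, is the same one the local module earlier in this thread installs; because proc_t is the generic type for everything under /proc that has no more specific label, that rule allows writes well beyond /proc/sys, which is why the module is a stopgap and the "mislabel" bucket is the thing to chase.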
Seems to be a recent change:
kernel-3.13.5-200.fc20.x86_64 → good
kernel-3.13.6-200.fc20.x86_64 → good
kernel-3.13.8-200.fc20.x86_64 → bad
Here is the upstream patch that corrects this problem:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f64410ec665479d7b4b77b7519e814253ed0f686

This patch was ported to a Fedora kernel but for some reason I'm unable to find the BZ at the moment to point you at the fixed kernel.
*** Bug 1084903 has been marked as a duplicate of this bug. ***
For some reason I can't seem to find the other BZ and I don't see the patch in the current Fedora kernels so I'll work on getting it backported.
Backport request: * https://lists.fedoraproject.org/pipermail/kernel/2014-April/005166.html
I started noticing this as well. I just updated to the latest kernel (3.13.8-200), but it may have been occurring before that.

From journalctl:

Apr 08 22:38:52 t440s systemd[1]: Failed to start Apply Kernel Variables.
Apr 08 22:38:52 t440s systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:15): avc: denied { write } for pid=840 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=7281 scontext=system_u
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:14): avc: denied { write } for pid=840 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=7280 scontext=system_
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:13): avc: denied { write } for pid=840 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=7278 scontext=system_
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:12): avc: denied { write } for pid=840 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=7277 scontext=system_u:system_r
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:11): avc: denied { write } for pid=840 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=7273 scontext=system_u:syst
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:10): avc: denied { write } for pid=840 comm="systemd-sysctl" name="sysrq" dev="proc" ino=7272 scontext=system_u:system_r:sys
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied

[aaron@t440s ~]$ uname -a
Linux t440s 3.13.8-200.fc20.x86_64 #1 SMP Tue Apr 1 03:35:46 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[aaron@t440s ~]$ rpm -q kernel selinux-policy selinux-policy-targeted
kernel-3.13.6-200.fc20.x86_64
kernel-3.13.7-200.fc20.x86_64
kernel-3.13.8-200.fc20.x86_64
selinux-policy-3.12.1-135.fc20.noarch
selinux-policy-targeted-3.12.1-135.fc20.noarch
Looking through journalctl (output was with --reverse), it looks like this is new behavior for me in 3.13.8-200.
Paul, Dan, Eric, I applied the patch in F20. I'm curious though why it suddenly showed up between 3.13.6 and 3.13.8/9. There's nothing that immediately jumps out at me in the changes to 3.13.y that would have triggered this. Was there an selinux-policy update that removed something that worked around the issue before?
Thanks Josh. As far as the kernel is concerned, this was always going to be a problem, but it was masked by the fact that userspace never triggered the issue. I believe it was a recent change to systemd that affected the order of SELinux policy load and sysctl settings that triggered this bug.
Hm, ok. Odd that kind of systemd update would show up in a stable release like F20, but maybe that's common. Either way, thanks for the info Paul.
(In reply to Paul Moore from comment #20)
> I believe it was a recent change to systemd that affected the order of SELinux
> policy load and sysctl settings that triggered this bug.

(In reply to Josh Boyer from comment #21)
> Hm, ok. Odd that kind of systemd update would show up in a stable release
> like F20, but maybe that's common. Either way, thanks for the info Paul.

Systemd loads policy in early setup, *much* earlier than sysctl settings are applied. Nothing changed, afaik, in this area in systemd updates for F20.
*** Bug 1086047 has been marked as a duplicate of this bug. ***
*** Bug 1086048 has been marked as a duplicate of this bug. ***
*** Bug 1085879 has been marked as a duplicate of this bug. ***
*** Bug 1085921 has been marked as a duplicate of this bug. ***
*** Bug 1079160 has been marked as a duplicate of this bug. ***
I'm still seeing this in kernel-3.13.9-200.fc20.x86_64:

# ls -lZ /proc/sys/kernel/sysrq
-rw-r--r--. root root system_u:object_r:proc_t:s0 /proc/sys/kernel/sysrq

Other proc files listed above are also proc_t, so it doesn't appear to be a SELinux or systemd bug, but a kernel labeling issue. Could the patch in comment 13 be broken by another change in 3.13.8-200+?
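The ls -Z check done by hand in the comment above and in the F21 comparison earlier, as an added script that is not part of the bug report or of Fedora. It reads the live context of each /proc/sys file the denials named with stat -c %C and reports whether the file carries the expected sysctl type, the proc filesystem default proc_t (the kernel labeling symptom), or something else. The expected-type table is an assumption: the thread only confirms sysctl_kernel_t for /proc/sys/kernel; the other entries follow the reference policy's genfscon rules for proc. The file name in the usage comment is also assumed.

```sh
#!/bin/sh
# Added example for this thread, not code from the bug report or from
# Fedora: check whether /proc/sys entries carry the sysctl_*_t types the
# policy expects, or the proc filesystem default proc_t seen in the AVCs.

# Expected type for a /proc/sys path. Assumption: the thread only confirms
# sysctl_kernel_t for /proc/sys/kernel; the other entries follow the
# reference policy's genfscon rules for proc and are listed on that basis.
expected_type() {
  case "$1" in
    /proc/sys/kernel/*) echo sysctl_kernel_t ;;
    /proc/sys/net/*)    echo sysctl_net_t ;;
    /proc/sys/fs/*)     echo sysctl_fs_t ;;
    /proc/sys/vm/*)     echo sysctl_vm_t ;;
    /proc/sys/*)        echo sysctl_t ;;
    *)                  echo proc_t ;;
  esac
}

# label_state PATH CONTEXT -> ok | mislabel | unexpected
# Pure function over a context string so it can be exercised without SELinux.
label_state() {
  t=$(printf '%s' "$2" | cut -d: -f3)
  want=$(expected_type "$1")
  if [ "$t" = "$want" ]; then
    echo ok
  elif [ "$t" = proc_t ]; then
    echo mislabel        # kernel labeled the inode with the fs default
  else
    echo unexpected
  fi
}

# check_live: on an SELinux-enabled system, read the live contexts with
# stat -c %C for the files the denials named and report each one.
# Returns 1 if any of them is not labeled as expected.
check_live() {
  rc=0
  for p in /proc/sys/kernel/sysrq /proc/sys/kernel/core_uses_pid \
           /proc/sys/net/ipv4/conf/default/rp_filter \
           /proc/sys/net/ipv4/conf/default/accept_source_route \
           /proc/sys/fs/protected_hardlinks /proc/sys/fs/protected_symlinks \
           /proc/sys/fs/inotify/max_user_watches /proc/sys/vm/swappiness \
           /proc/sys/fs/aio-max-nr; do
    ctx=$(stat -c %C "$p" 2>/dev/null) || continue
    state=$(label_state "$p" "$ctx")
    printf '%-10s %-45s %s\n' "$state" "$ctx" "$p"
    [ "$state" = ok ] || rc=1
  done
  return $rc
}

# Usage (file name assumed): . ./proc_sys_labels.sh && check_live
```

A "mislabel" result on a file that the AVCs name means a local allow rule is the wrong tool: the target type is not the one the policy writes rules against, so the right move is the kernel fix, with the module only as a bridge until it lands. On a system with SELinux disabled, stat prints "?" and everything reports "unexpected".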
I also just started getting this when I upgraded to 3.13.9.
The kernel is already patched in Fedora git. It will be in the next build done on the F20 and F19 branches. Rawhide already has the fix.
I've started getting this error, and also rngd.service, after updating to 3.13.9-200.fc20.x86_64
(In reply to abderrahman from comment #31)
> I've started getting this error, and also rngd.service, after updating to
> 3.13.9-200.fc20.x86_64

You can disable selinux if you don't want it anyway, and it will go away.

https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html
@zzz: Sorry, but disabling SELinux is not a good workaround. And there is no need to do such drastic changes. As a better workaround I suggest creating additional rules for the currently active selinux policy. You could use sealert to help you do that.
Yes, you can add a local policy using audit2allow for now.

# grep systemd_sysctl_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Description of problem:
The problem appeared spontaneously. Running:

# systemctl | grep failed
systemd-sysctl.service loaded failed failed Apply Kernel Variables

When trying to start the daemon from the terminal:

# systemctl start systemd-sysctl
Job for systemd-sysctl.service failed. See 'systemctl status systemd-sysctl.service' and 'journalctl -xn' for details.

Here comes the warning from SELinux (as cited in the previous year).

Additional info:
reporter: libreport-2.2.1
hashmarkername: setroubleshoot
kernel: 3.13.9-200.fc20.x86_64
type: libreport
*** Bug 1083855 has been marked as a duplicate of this bug. ***
kernel-3.13.10-200.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/kernel-3.13.10-200.fc20
kernel-3.13.10-100.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/kernel-3.13.10-100.fc19
*** Bug 1087749 has been marked as a duplicate of this bug. ***
(In reply to Fedora Update System from comment #38)
> kernel-3.13.10-200.fc20 has been submitted as an update for Fedora 20.
> https://admin.fedoraproject.org/updates/kernel-3.13.10-200.fc20

3.13.10-200.fc20.x86_64 PASSED

Thank you Fedora Update System!
Description of problem:
make Hotspot softAP

Additional info:
reporter: libreport-2.2.1
hashmarkername: setroubleshoot
kernel: 3.13.9-200.fc20.x86_64
type: libreport
I installed these kernel updates, and now systemd-sysctl starts correctly. /proc is correctly labeled: sysctl_kernel_t. Thanks
Package kernel-3.13.10-100.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.13.10-100.fc19'
as soon as you are able to, then reboot.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5233/kernel-3.13.10-100.fc19
then log in and leave karma (feedback).
Tested f20 build on update-testing, bug appears fixed (adding karma)
kernel-3.13.10-200.fc20.x86_64 in updates-testing fixed the issue
*** Bug 1087541 has been marked as a duplicate of this bug. ***
*** Bug 1088472 has been marked as a duplicate of this bug. ***
kernel-3.13.10-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
With new kernel problem seems to be fixed - thanks!
*** Bug 1089546 has been marked as a duplicate of this bug. ***
kernel-3.13.11-100.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/kernel-3.13.11-100.fc19
kernel-3.13.11-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
I have this issue with FC22 (4.1.5-200.fc22.x86_64)

systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2015-08-20 20:14:00 CEST; 2min 58s ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 746 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=1/FAILURE)
 Main PID: 746 (code=exited, status=1/FAILURE)

Aug 20 20:14:00 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
Aug 20 20:14:00 localhost.localdomain systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Aug 20 20:14:00 localhost.localdomain systemd[1]: Failed to start Apply Kernel Variables.
Aug 20 20:14:00 localhost.localdomain systemd[1]: Unit systemd-sysctl.service entered failed state.
Aug 20 20:14:00 localhost.localdomain systemd[1]: systemd-sysctl.service failed.

But:

setenforce 0; systemctl start systemd-sysctl

systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: active (exited) since Thu 2015-08-20 20:20:33 CEST; 10s ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 7002 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
 Main PID: 7002 (code=exited, status=0/SUCCESS)
Same here.

# uname -a
Linux amd64 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# systemctl | grep failed
● systemd-sysctl.service loaded failed failed Apply Kernel Variables

# systemctl status systemd-sysctl.service
● systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2015-08-22 15:59:29 CEST; 14min ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 429 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=1/FAILURE)
 Main PID: 429 (code=exited, status=1/FAILURE)
Mariusz and Marek, Would you mind creating a new BZ for F22 and CC'ing me on the new BZ? I suspect you are seeing a different problem and I don't want to confuse the issue by tracking it on this BZ. Also, if possible, could you include the journal for the systemd-sysctl.service in the problem description? Thank you.