Bug 1084829 - Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Summary: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Moore
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1079160 1083855 1084903 1085879 1085921 1086047 1086048 1087541 1087749 1088472 1089546 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-06 22:46 UTC by Heldwin
Modified: 2015-08-24 17:06 UTC (History)
41 users (show)

Fixed In Version: kernel-3.13.11-100.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-18 15:35:50 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
ausearch output (4.95 KB, text/plain)
2014-04-07 17:54 UTC, Heldwin 		no flags Details
disable_ipv6 (70 bytes, text/plain)
2014-04-07 18:06 UTC, Heldwin 		no flags Details
View All

Description Heldwin 2014-04-06 22:46:28 UTC 
Description of problem:
After an update (from updates-testing), I am getting an selinux issue when I boot my system.


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-149.fc20.noarch
selinux-policy-targeted-3.12.1-149.fc20.noarch  
kernel-3.13.9-200.fc20.x86_64


How reproducible:
always


Steps to Reproduce:
1. Install these updates
2. Reboot


Actual results:

It shows at boot: [FAILED] Apply Kernel Variables

Trying to start manually returns an error:
systemctl start systemd-sysctl -> failed

error:
systemd-sysctl[2828]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied

In permissive it is ok:
setenforce 0; systemctl start systemd-sysctl -> OK


Expected results:

that it starts correctly without switching selinux in permissive.


Additional info:

sysrq 16 is for: sync command (that seems to allow to sync the disk)
Tried to look in: /usr/lib/sysctl.d/00-system.conf, sysctl.conf and /etc/sysctl.d/* , but cannot find where it tells to turn enable the SysRq sync.
Comment 1 Heldwin 2014-04-06 22:51:07 UTC 
forgot to mention I did a full relabel on my system, but it is still the same after a reboot.
Comment 2 Miroslav Grepl 2014-04-07 07:01:06 UTC 
What AVC are you exactly getting?

# ausearch -m avc

But I believe this is known kernel bug.
Comment 3 Guido Aulisi 2014-04-07 12:30:34 UTC 
I'm hitting this bug too, on 2 machines (i686 and x86_64).

Output of journalctl -xn:

-- Logs begin at lun 2013-09-23 15:31:48 CEST, end at lun 2014-04-07 14:27:11 CEST. --
apr 07 14:27:01 hostname python[4066]: SELinux is preventing /usr/lib/systemd/systemd-sysctl from write access on the file .
                                                  
                                                  *****  Plugin catchall (100. confidence) suggests   **************************
                                                  
                                                  If you believe that systemd-sysctl should be allowed write access on the  file by default.
                                                  Then you should report this as a bug.
                                                  You can generate a local policy module to allow this access.
                                                  Do
                                                  allow this access for now by executing:
                                                  # grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol
                                                  # semodule -i mypol.pp
                                                  

Output of ausearch -m avc:

time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.803:454): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.803:454): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.806:455): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.806:455): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=8022 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:456): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef0110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:456): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=8026 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:457): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef0110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:457): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=8027 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.807:458): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.807:458): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=8029 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:459): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aef91f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:459): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=8030 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:460): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:460): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="swappiness" dev="proc" ino=8032 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:08:47 2014
type=SYSCALL msg=audit(1396872527.808:461): arch=c000003e syscall=2 success=no exit=-13 a0=7ff28aeee0f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=2667 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396872527.808:461): avc:  denied  { write } for  pid=2667 comm="systemd-sysctl" name="aio-max-nr" dev="proc" ino=8033 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.942:479): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.942:479): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="sysrq" dev="proc" ino=8021 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:480): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:480): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=8022 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:481): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd64110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:481): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=8026 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.944:482): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd64110 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.944:482): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=8027 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:483): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:483): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=8029 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:484): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd6d1f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:484): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=8030 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:485): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:485): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="swappiness" dev="proc" ino=8032 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Mon Apr  7 14:16:51 2014
type=SYSCALL msg=audit(1396873011.945:486): arch=c000003e syscall=2 success=no exit=-13 a0=7fd36fd620f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=3738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1396873011.945:486): avc:  denied  { write } for  pid=3738 comm="systemd-sysctl" name="aio-max-nr" dev="proc" ino=8033 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Comment 4 Guido Aulisi 2014-04-07 12:33:15 UTC 
After installing this policy module, systemd-sysctl worked ok:

module mypol 1.0;

require {
	type proc_t;
	type systemd_sysctl_t;
	class file write;
}

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t proc_t:file write;
Comment 5 MaxiPunkt 2014-04-07 17:28:49 UTC 
Same problem here.

# journalctl -b

[snip out some non-relevant lines]

Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '524288' to '/proc/sys/fs/inotify/max_user_watches': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Failed to start Apply Kernel Variables.
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Unit systemd-sysctl.service entered failed state.
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:4): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="sysrq" dev="proc" ino=9397 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:5): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=9398 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:6): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=9402 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:7): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=9403 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:8): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=9405 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:9): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=9406 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:10): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="max_user_watches" dev="proc" ino=9408 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file


Could this be related to bug #1084903 ?
Comment 6 Heldwin 2014-04-07 17:53:19 UTC 
I have the same output than comment #3, but I have a few more (output is in the attachment: ausearch_output.txt)

2 are related to the file I created: /etc/sysctl.d/disable_ipv6
Comment 7 Heldwin 2014-04-07 17:54:05 UTC 
Created attachment 883718 [details]
ausearch output
Comment 8 Heldwin 2014-04-07 18:06:10 UTC 
Created attachment 883720 [details]
disable_ipv6
Comment 9 Zbigniew Jędrzejewski-Szmek 2014-04-07 23:27:58 UTC 
(In reply to Miroslav Grepl from comment #2)
> But I believe this is known kernel bug.
Can you give some details about that kernel bug?
Comment 10 Daniel Walsh 2014-04-08 13:38:07 UTC 
The kernel should be labeling this directory as sysctl_kernel_t which would be allowed to write, but for some reason it is labeled as proc_t.
Comment 11 Daniel Walsh 2014-04-08 13:38:54 UTC 
On my F21 system I see.

 ls /proc/sys/kernel/sysrq -Z
-rw-r--r--. root root system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/sysrq
Comment 12 Zbigniew Jędrzejewski-Szmek 2014-04-08 13:59:26 UTC 
Seems to be a recent change:

kernel-3.13.5-200.fc20.x86_64 → good
kernel-3.13.6-200.fc20.x86_64 → good
kernel-3.13.8-200.fc20.x86_64 → bad
Comment 13 Paul Moore 2014-04-08 14:20:51 UTC 
Here is the upstream patch that correct this problem:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f64410ec665479d7b4b77b7519e814253ed0f686

This patch was ported to a Fedora kernel but for some reason I'm unable to find the BZ at the moment to point you at the fixed kernel.
Comment 14 Miroslav Grepl 2014-04-08 16:52:41 UTC 
*** Bug 1084903 has been marked as a duplicate of this bug. ***
Comment 15 Paul Moore 2014-04-08 18:58:59 UTC 
For some reason I can't seem to find the other BZ and I don't see the patch in the current Fedora kernels so I'll work on getting it backported.
Comment 16 Paul Moore 2014-04-08 20:42:35 UTC 
Backport request:

 * https://lists.fedoraproject.org/pipermail/kernel/2014-April/005166.html
Comment 17 Aaron Hamid 2014-04-09 02:52:16 UTC 
I started noticing this as well.  I just updated to latest kernel (3.3.18.8-200) , but it may have been occurring before that:

From journalctl:

Apr 08 22:38:52 t440s systemd[1]: Failed to start Apply Kernel Variables.
Apr 08 22:38:52 t440s systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:15): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=7281 scontext=system_u
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:14): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=7280 scontext=system_
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:13): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=7278 scontext=system_
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:12): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=7277 scontext=system_u:system_r
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:11): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=7273 scontext=system_u:syst
Apr 08 22:38:52 t440s kernel: type=1400 audit(1397011132.048:10): avc:  denied  { write } for  pid=840 comm="systemd-sysctl" name="sysrq" dev="proc" ino=7272 scontext=system_u:system_r:sys
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Apr 08 22:38:52 t440s systemd-sysctl[840]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied



[aaron@t440s ~]$ uname -a
Linux t440s 3.13.8-200.fc20.x86_64 #1 SMP Tue Apr 1 03:35:46 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[aaron@t440s ~]$ rpm -q kernel selinux-policy selinux-policy-targeted
kernel-3.13.6-200.fc20.x86_64
kernel-3.13.7-200.fc20.x86_64
kernel-3.13.8-200.fc20.x86_64
selinux-policy-3.12.1-135.fc20.noarch
selinux-policy-targeted-3.12.1-135.fc20.noarch
Comment 18 Aaron Hamid 2014-04-09 02:57:18 UTC 
Looking through journalctl (output was with --reverse), it looks like this is new behavior for me in 3.3.18.8-200.
Comment 19 Josh Boyer 2014-04-09 14:05:56 UTC 
Paul, Dan, Eric, I applied the patch in F20.  I'm curious though why it suddenly showed up between 3.13.6 and 3.13.8/9.  There's nothing that immediately jumps out at me in the changes to 3.13.y that would have triggered this.

Was there an selinux-policy update that removed something that worked around the issue before?
Comment 20 Paul Moore 2014-04-09 14:39:43 UTC 
Thanks Josh.

As far as the kernel is concerned, this was always going to be a problem, but it was masked by the fact that userspace never triggered the issue.  I believe it was a recent change to systemd that affected the order of SELinux policy load and sysctl settings that triggered this bug.
Comment 21 Josh Boyer 2014-04-09 15:23:50 UTC 
Hm, ok.  Odd that kind of systemd update would show up in a stable release like F20, but maybe that's common.  Either way, thanks for the info Paul.
Comment 22 Zbigniew Jędrzejewski-Szmek 2014-04-09 17:44:48 UTC 
(In reply to Paul Moore from comment #20)
> I believe it was a recent change to systemd that affected the order of SELinux
> policy load and sysctl settings that triggered this bug.

(In reply to Josh Boyer from comment #21)
> Hm, ok.  Odd that kind of systemd update would show up in a stable release
> like F20, but maybe that's common.  Either way, thanks for the info Paul.

Systemd loads policy in early setup, *much* earlier than sysctl settings are applied. Nothing changed, afaik, in this area in systemd updates for F20.
Comment 23 Miroslav Grepl 2014-04-10 08:30:18 UTC 
*** Bug 1086047 has been marked as a duplicate of this bug. ***
Comment 24 Miroslav Grepl 2014-04-10 08:30:33 UTC 
*** Bug 1086048 has been marked as a duplicate of this bug. ***
Comment 25 Miroslav Grepl 2014-04-10 08:30:41 UTC 
*** Bug 1085879 has been marked as a duplicate of this bug. ***
Comment 26 Miroslav Grepl 2014-04-10 09:52:54 UTC 
*** Bug 1085921 has been marked as a duplicate of this bug. ***
Comment 27 Josh Boyer 2014-04-10 12:43:24 UTC 
*** Bug 1079160 has been marked as a duplicate of this bug. ***
Comment 28 Scott Shambarger 2014-04-10 22:25:05 UTC 
I'm still seeing this in kernel-3.13.9-200.fc20.x86_64:

# ls -lZ /proc/sys/kernel/sysrq
-rw-r--r--. root root system_u:object_r:proc_t:s0      /proc/sys/kernel/sysrq

Other proc files listed above are also proc_t, so it doesn't appear to be a SELinux or systemd bug, but a kernel labeling issue.  Could the patch in comment 13 be broken by another change in 3.13.8-200+?
Comment 29 zzz 2014-04-10 23:46:41 UTC 
I also just started getting this when upgraded to 3.13.9.
Comment 30 Josh Boyer 2014-04-11 02:09:28 UTC 
The kernel is already patched in Fedora git.  It will be in the next build done on the F20 and F19 branches.  Rawhide already has the fix.
Comment 31 abderrahman 2014-04-11 23:09:54 UTC 
I've started getting this error, and also rngd.service, after updating to 3.13.9-200.fc20.x86_64
Comment 32 zzz 2014-04-12 14:41:13 UTC 
(In reply to abderrahman from comment #31)
> I've started getting this error, and also rngd.service, after updating to
> 3.13.9-200.fc20.x86_64

You can disable selinux if you don't want it anyway, and it will go away.

https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Disabling_SELinux.html
Comment 33 Christian Stadelmann 2014-04-12 18:16:10 UTC 
@zzz: Sorry, but disabling SELinux is not a workaround. And there is no need to do such drastic changes.

As a better workaround I suggest creating additional rules for the currently active selinux policy. You could use sealert to help you do that.
Comment 34 Christian Stadelmann 2014-04-12 18:16:31 UTC 
@zzz: Sorry, but disabling SELinux is not a good workaround. And there is no need to do such drastic changes.

As a better workaround I suggest creating additional rules for the currently active selinux policy. You could use sealert to help you do that.
Comment 35 Miroslav Grepl 2014-04-14 06:15:16 UTC 
Yes, you can add a local policy using audit2allow for now.

# grep systemd_sysctl_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 36 Mario 2014-04-14 07:30:16 UTC 
Description of problem:
the problem appeared spontaneously. 
Running: # systemctl | grep failed 
systemd-loaded failed failed sysctl.service Apply Kernel Variables 

when trying to start the daemon from the terminal: 
# Systemctl start systemd-sysctl 
Job for systemd-sysctl.service failed. See 'systemctl status systemd-sysctl.service' and 'journalctl-xn' for details. 

Here comes the warning from selinux (as cited in the previous year).

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.13.9-200.fc20.x86_64
type:           libreport
Comment 37 Daniel Walsh 2014-04-14 16:50:42 UTC 
*** Bug 1083855 has been marked as a duplicate of this bug. ***
Comment 38 Fedora Update System 2014-04-15 03:36:08 UTC 
kernel-3.13.10-200.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/kernel-3.13.10-200.fc20
Comment 39 Fedora Update System 2014-04-15 03:45:08 UTC 
kernel-3.13.10-100.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/kernel-3.13.10-100.fc19
Comment 40 Zbigniew Jędrzejewski-Szmek 2014-04-15 12:27:02 UTC 
*** Bug 1087749 has been marked as a duplicate of this bug. ***
Comment 41 poma 2014-04-15 13:30:56 UTC 
(In reply to Fedora Update System from comment #38)
> kernel-3.13.10-200.fc20 has been submitted as an update for Fedora 20.
> https://admin.fedoraproject.org/updates/kernel-3.13.10-200.fc20

3.13.10-200.fc20.x86_64 PASSED
Thank you Fedora Update System!
Comment 42 cyrushmh 2014-04-15 14:58:12 UTC 
Description of problem:
make Hotspot
 softAP 

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.13.9-200.fc20.x86_64
type:           libreport
Comment 43 Heldwin 2014-04-15 21:25:23 UTC 
I installed these kernel updates, and now systemd-sysctl starts correctly.
/proc is correctly labeled: sysctl_kernel_t

Thanks
Comment 44 Fedora Update System 2014-04-16 09:24:17 UTC 
Package kernel-3.13.10-100.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.13.10-100.fc19'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5233/kernel-3.13.10-100.fc19
then log in and leave karma (feedback).
Comment 45 Scott Shambarger 2014-04-16 21:50:47 UTC 
Tested f20 build on update-testing, bug appears fixed (adding karma)
Comment 46 abderrahman 2014-04-17 08:47:09 UTC 
kernel-3.13.10-200.fc20.x86_64 in updates-testing fixed the issue
Comment 47 Zbigniew Jędrzejewski-Szmek 2014-04-18 03:15:24 UTC 
*** Bug 1087541 has been marked as a duplicate of this bug. ***
Comment 48 Miroslav Grepl 2014-04-18 08:17:43 UTC 
*** Bug 1088472 has been marked as a duplicate of this bug. ***
Comment 49 Fedora Update System 2014-04-18 15:35:50 UTC 
kernel-3.13.10-200.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 50 MaxiPunkt 2014-04-19 08:18:37 UTC 
With new kernel problem seems to be fixed - thanks!
Comment 51 Zbigniew Jędrzejewski-Szmek 2014-04-20 15:09:31 UTC 
*** Bug 1089546 has been marked as a duplicate of this bug. ***
Comment 52 Fedora Update System 2014-04-24 18:16:25 UTC 
kernel-3.13.11-100.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/kernel-3.13.11-100.fc19
Comment 53 Fedora Update System 2014-05-06 03:31:22 UTC 
kernel-3.13.11-100.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 54 Mariusz Smykuła 2015-08-20 18:22:42 UTC 
I have this issue with FC22 (4.1.5-200.fc22.x86_64)

systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since czw 2015-08-20 20:14:00 CEST; 2min 58s ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 746 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=1/FAILURE)
 Main PID: 746 (code=exited, status=1/FAILURE)

sie 20 20:14:00 localhost.localdomain systemd[1]: Starting Apply Kernel Variables...
sie 20 20:14:00 localhost.localdomain systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
sie 20 20:14:00 localhost.localdomain systemd[1]: Failed to start Apply Kernel Variables.
sie 20 20:14:00 localhost.localdomain systemd[1]: Unit systemd-sysctl.service entered failed state.
sie 20 20:14:00 localhost.localdomain systemd[1]: systemd-sysctl.service failed.

But:

setenforce 0; systemctl start systemd-sysctl

systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: active (exited) since czw 2015-08-20 20:20:33 CEST; 10s ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 7002 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
 Main PID: 7002 (code=exited, status=0/SUCCESS)
Comment 55 Marek Zdunek 2015-08-22 14:17:31 UTC 
same here

# uname -a
Linux amd64 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# systemctl | grep failed
● systemd-sysctl.service                                                                                  loaded failed failed    Apply Kernel Variables

# systemctl status systemd-sysctl.service
● systemd-sysctl.service - Apply Kernel Variables
   Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since sob 2015-08-22 15:59:29 CEST; 14min ago
     Docs: man:systemd-sysctl.service(8)
           man:sysctl.d(5)
  Process: 429 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=1/FAILURE)
 Main PID: 429 (code=exited, status=1/FAILURE)
Comment 56 Paul Moore 2015-08-24 17:06:45 UTC 
Mariusz and Marek,

Would you mind creating a new BZ for F22 and CC'ing me on the new BZ?  I suspect you are seeing a different problem and I don't want to confuse the issue by tracking it on this BZ.  Also, if possible, could you include the journal for the systemd-sysctl.service in the problem description?

Thank you.
Note You need to log in before you can comment on or make changes to this bug.