1084903 – systemd failed to start Apply Kernel Variables

Bug 1084903 - systemd failed to start Apply Kernel Variables

Summary: systemd failed to start Apply Kernel Variables

Keywords:
Status:	CLOSED DUPLICATE of bug 1084829
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-07 07:57 UTC by Jan Synacek
Modified:	2014-04-08 16:52 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-04-08 16:52:40 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Synacek 2014-04-07 07:57:24 UTC

Description of problem:
systemd-sysctl unit fails to start on boot for no apparent reason.

$ systemctl --failed
UNIT                   LOAD   ACTIVE SUB    DESCRIPTION
systemd-sysctl.service loaded failed failed Apply Kernel Variables

$ systemctl list-units | grep sysctl
systemd-sysctl.service                                                                      loaded failed failed    Apply Kernel Variables

$ cat /etc/sysctl.conf 
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

$ ls /etc/sysctl.d/
99-sysctl.conf

$ cat /etc/sysctl.d/99-sysctl.conf 
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

I'm not sure what additional information might be relevant, so if anything else is needed, let me know.
My system is fully up to date as of today (Apr 7, 2014).


Version-Release number of selected component (if applicable):
systemd-208-15.fc20.x86_64


Steps to Reproduce:
1. boot the machine
2. journalctl -b -u systemd-sysctl


Actual results:
systemd fails to start the service.


Expected results:
systemd starts the service without any errors.

Comment 1 Zbigniew Jędrzejewski-Szmek 2014-04-07 13:28:42 UTC

Does 'journalctl -b -u systemd-sysctl' actually say anything?

Can you run /usr/lib/systemd/systemd-sysctl by hand from the commandline,
and post the output?

Comment 2 MaxiPunkt 2014-04-07 17:30:23 UTC

Same problem here.

# journalctl -b

[snip out some non-relevant lines]

Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '524288' to '/proc/sys/fs/inotify/max_user_watches': Permission denied
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Failed to start Apply Kernel Variables.
Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Unit systemd-sysctl.service entered failed state.
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:4): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="sysrq" dev="proc" ino=9397 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:5): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=9398 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:6): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=9402 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:7): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=9403 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:8): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=9405 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:9): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=9406 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:10): avc:  denied  { write } for  pid=376 comm="systemd-sysctl" name="max_user_watches" dev="proc" ino=9408 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file


Could this be related to bug #1084829 ?

Comment 3 Zbigniew Jędrzejewski-Szmek 2014-04-07 19:36:35 UTC

Yes, this looks like a duplicate.

Comment 4 Jan Synacek 2014-04-08 06:13:18 UTC

(In reply to Zbigniew Jędrzejewski-Szmek from comment #1)
> Does 'journalctl -b -u systemd-sysctl' actually say anything?

Nothing really useful.

$ journalctl -b -u systemd-sysctl

-- Logs begin at Wed 2013-06-26 08:30:28 CEST, end at Tue 2014-04-08 08:07:54 CEST. --
Apr 07 09:27:58 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables...
Apr 07 09:27:58 jsynacek-ntb.hostname systemd[1]: Started Apply Kernel Variables.
Apr 07 09:28:00 jsynacek-ntb.hostname systemd[1]: Stopping Apply Kernel Variables...
Apr 07 09:28:00 jsynacek-ntb.hostname systemd[1]: Stopped Apply Kernel Variables.
Apr 07 09:28:04 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables...
Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: systemd-sysctl.service: main process exited, code=exited, stat
Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: Failed to start Apply Kernel Variables.
Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: Unit systemd-sysctl.service entered failed state.
Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables...
Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: systemd-sysctl.service: main process exited, code=exited, stat
Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Failed to start Apply Kernel Variables.
Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Unit systemd-sysctl.service entered failed state.

> Can you run /usr/lib/systemd/systemd-sysctl by hand from the commandline,
> and post the output?

As an ordinary user:

$ /usr/lib/systemd/systemd-sysctl
Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-ip6tables': Permission denied
Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-iptables': Permission denied
Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-arptables': Permission denied
Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied
Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied
Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied
Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied
Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied
Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied
Failed to write '1048576' to '/proc/sys/fs/aio-max-nr': Permission denied

As root:

# /usr/lib/systemd/systemd-sysctl
# echo $?
0

Comment 5 Sitsofe Wheeler 2014-04-08 10:45:39 UTC

This is probably against the wrong package as on my system I see the following too:

Apr 08 09:57:37 eject kernel: type=1400 audit(1396947457.285:4): avc:  denied  { write } for  pid=272 comm="systemd-sysctl" name="sysrq" dev="proc" ino=1529 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 08 09:57:37 eject kernel: type=1400 audit(1396947457.285:5): avc:  denied  { write } for  pid=272 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=1530 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
[...]

i.e. this looks like an selinux/boot enviroment problem. This has happened on three machines for me just after these packages had been updated:
    Updated dracut-034-64.git20131205.fc20.1.x86_64                @updates
    Update         037-10.git20140402.fc20.x86_64                  @updates
    Updated dracut-config-generic-034-64.git20131205.fc20.1.x86_64 @updates
    Update                        037-10.git20140402.fc20.x86_64   @updates
    Erase   kernel-3.12.5-302.fc20.x86_64                          @updates
    Install kernel-3.13.8-200.fc20.x86_64                          @updates
    Updated selinux-policy-3.12.1-127.fc20.noarch                  @updates
    Update                 3.12.1-135.fc20.noarch                  @updates

Comment 6 Sitsofe Wheeler 2014-04-08 10:52:17 UTC

mgrepl:
Help! Running
systemctl restart systemd-sysctl.service
generates avc denials. Any ideas?

Comment 7 Christian Stadelmann 2014-04-08 16:18:03 UTC

On 3rd of April I upgraded these packages:
kernel{,devel,doc,headers,modules-extra,tools,tools-libs} from 3.13.7-200 to 3.13.8-200.fc20
dracut{,config-rescue,fips,fips-aesni,network} from 034-64.git20131205.fc20.1 to 037-10.git20140402.fc20
selinux-policy{,devel,targeted} from 3.12.1-135.fc20 to 3.12.1-149.fc20

Since then I am getting this error message on boot right after mounting the root partition and initializing SELinux.
I can confirm those avc denials.

Seems to me like an issue in the selinux-policy(-targeted) package.

Comment 8 Miroslav Grepl 2014-04-08 16:52:40 UTC


*** This bug has been marked as a duplicate of bug 1084829 ***

Note You need to log in before you can comment on or make changes to this bug.