Description of problem: systemd-sysctl unit fails to start on boot for no apparent reason. $ systemctl --failed UNIT LOAD ACTIVE SUB DESCRIPTION systemd-sysctl.service loaded failed failed Apply Kernel Variables $ systemctl list-units | grep sysctl systemd-sysctl.service loaded failed failed Apply Kernel Variables $ cat /etc/sysctl.conf # System default settings live in /usr/lib/sysctl.d/00-system.conf. # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file # # For more information, see sysctl.conf(5) and sysctl.d(5). $ ls /etc/sysctl.d/ 99-sysctl.conf $ cat /etc/sysctl.d/99-sysctl.conf # System default settings live in /usr/lib/sysctl.d/00-system.conf. # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file # # For more information, see sysctl.conf(5) and sysctl.d(5). I'm not sure what additional information might be relevant, so if anything else is needed, let me know. My system is fully up to date as of today (Apr 7, 2014). Version-Release number of selected component (if applicable): systemd-208-15.fc20.x86_64 Steps to Reproduce: 1. boot the machine 2. journalctl -b -u systemd-sysctl Actual results: systemd fails to start the service. Expected results: systemd starts the service without any errors.
Does 'journalctl -b -u systemd-sysctl' actually say anything? Can you run /usr/lib/systemd/systemd-sysctl by hand from the commandline, and post the output?
Same problem here. # journalctl -b [snip out some non-relevant lines] Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd-sysctl[376]: Failed to write '524288' to '/proc/sys/fs/inotify/max_user_watches': Permission denied Apr 07 18:15:27 max-desktop.fc20 systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Failed to start Apply Kernel Variables. Apr 07 18:15:27 max-desktop.fc20 systemd[1]: Unit systemd-sysctl.service entered failed state. Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:4): avc: denied { write } for pid=376 comm="systemd-sysctl" name="sysrq" dev="proc" ino=9397 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:5): avc: denied { write } for pid=376 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=9398 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:6): avc: denied { write } for pid=376 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=9402 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:7): avc: denied { write } for pid=376 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=9403 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:8): avc: denied { write } for pid=376 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=9405 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:9): avc: denied { write } for pid=376 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=9406 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 07 18:15:27 max-desktop.fc20 kernel: type=1400 audit(1396887327.148:10): avc: denied { write } for pid=376 comm="systemd-sysctl" name="max_user_watches" dev="proc" ino=9408 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Could this be related to bug #1084829 ?
Yes, this looks like a duplicate.
(In reply to Zbigniew Jędrzejewski-Szmek from comment #1) > Does 'journalctl -b -u systemd-sysctl' actually say anything? Nothing really useful. $ journalctl -b -u systemd-sysctl -- Logs begin at Wed 2013-06-26 08:30:28 CEST, end at Tue 2014-04-08 08:07:54 CEST. -- Apr 07 09:27:58 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables... Apr 07 09:27:58 jsynacek-ntb.hostname systemd[1]: Started Apply Kernel Variables. Apr 07 09:28:00 jsynacek-ntb.hostname systemd[1]: Stopping Apply Kernel Variables... Apr 07 09:28:00 jsynacek-ntb.hostname systemd[1]: Stopped Apply Kernel Variables. Apr 07 09:28:04 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables... Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: systemd-sysctl.service: main process exited, code=exited, stat Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: Failed to start Apply Kernel Variables. Apr 07 09:28:05 jsynacek-ntb.hostname systemd[1]: Unit systemd-sysctl.service entered failed state. Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Starting Apply Kernel Variables... Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: systemd-sysctl.service: main process exited, code=exited, stat Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Failed to start Apply Kernel Variables. Apr 07 09:28:10 jsynacek-ntb.hostname systemd[1]: Unit systemd-sysctl.service entered failed state. > Can you run /usr/lib/systemd/systemd-sysctl by hand from the commandline, > and post the output? As an ordinary user: $ /usr/lib/systemd/systemd-sysctl Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-ip6tables': Permission denied Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-iptables': Permission denied Failed to write '0' to '/proc/sys/net/bridge/bridge-nf-call-arptables': Permission denied Failed to write '16' to '/proc/sys/kernel/sysrq': Permission denied Failed to write '1' to '/proc/sys/kernel/core_uses_pid': Permission denied Failed to write '1' to '/proc/sys/net/ipv4/conf/default/rp_filter': Permission denied Failed to write '0' to '/proc/sys/net/ipv4/conf/default/accept_source_route': Permission denied Failed to write '1' to '/proc/sys/fs/protected_hardlinks': Permission denied Failed to write '1' to '/proc/sys/fs/protected_symlinks': Permission denied Failed to write '1048576' to '/proc/sys/fs/aio-max-nr': Permission denied As root: # /usr/lib/systemd/systemd-sysctl # echo $? 0
This is probably against the wrong package as on my system I see the following too: Apr 08 09:57:37 eject kernel: type=1400 audit(1396947457.285:4): avc: denied { write } for pid=272 comm="systemd-sysctl" name="sysrq" dev="proc" ino=1529 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 08 09:57:37 eject kernel: type=1400 audit(1396947457.285:5): avc: denied { write } for pid=272 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=1530 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file [...] i.e. this looks like an selinux/boot enviroment problem. This has happened on three machines for me just after these packages had been updated: Updated dracut-034-64.git20131205.fc20.1.x86_64 @updates Update 037-10.git20140402.fc20.x86_64 @updates Updated dracut-config-generic-034-64.git20131205.fc20.1.x86_64 @updates Update 037-10.git20140402.fc20.x86_64 @updates Erase kernel-3.12.5-302.fc20.x86_64 @updates Install kernel-3.13.8-200.fc20.x86_64 @updates Updated selinux-policy-3.12.1-127.fc20.noarch @updates Update 3.12.1-135.fc20.noarch @updates
mgrepl: Help! Running systemctl restart systemd-sysctl.service generates avc denials. Any ideas?
On 3rd of April I upgraded these packages: kernel{,devel,doc,headers,modules-extra,tools,tools-libs} from 3.13.7-200 to 3.13.8-200.fc20 dracut{,config-rescue,fips,fips-aesni,network} from 034-64.git20131205.fc20.1 to 037-10.git20140402.fc20 selinux-policy{,devel,targeted} from 3.12.1-135.fc20 to 3.12.1-149.fc20 Since then I am getting this error message on boot right after mounting the root partition and initializing SELinux. I can confirm those avc denials. Seems to me like an issue in the selinux-policy(-targeted) package.
*** This bug has been marked as a duplicate of bug 1084829 ***