Bug 1086047 - systemd-sysctl - Permission denied
Summary: systemd-sysctl - Permission denied
Keywords:
Status: CLOSED DUPLICATE of bug 1084829
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-04-10 02:18 UTC by poma
Modified: 2014-04-10 08:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-10 08:30:18 UTC
Type: Bug
Embargoed:



Description poma 2014-04-10 02:18:44 UTC
# systemctl restart systemd-sysctl
Job for systemd-sysctl.service failed. ...

# ausearch -m avc -c systemd-sysctl
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:822): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc418190 a1=80241 a2=1b6 a3=22 items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:822): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="core_uses_pid" dev="proc" ino=1213 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:823): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc40f110 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:823): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="rp_filter" dev="proc" ino=1217 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:824): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc40f110 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:824): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="accept_source_route" dev="proc" ino=1218 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:825): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc418190 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:825): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="protected_hardlinks" dev="proc" ino=1220 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:826): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc418190 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:826): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="protected_symlinks" dev="proc" ino=1221 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:827): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc418190 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:827): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="max_user_watches" dev="proc" ino=1223 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:828): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc418190 a1=80241 a2=1b6 a3=e items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:828): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="ip_forward" dev="proc" ino=1224 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:829): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc40d0f0 a1=80241 a2=1b6 a3=1 items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:829): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="sysrq" dev="proc" ino=1225 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Apr 10 04:04:32 2014
type=SYSCALL msg=audit(1397095472.690:830): arch=c000003e syscall=2 success=no exit=-13 a0=7fe3fc40d0f0 a1=80241 a2=1b6 a3=3 items=0 ppid=1 pid=4746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
type=AVC msg=audit(1397095472.690:830): avc:  denied  { write } for  pid=4746 comm="systemd-sysctl" name="aio-max-nr" dev="proc" ino=1226 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

Comment 1 poma 2014-04-10 02:27:44 UTC
# cat systemd-sysctl-aio-max-nr-mypol.te

# Local SELinux policy module (the "#=============" header below matches
# audit2allow-style output) written to silence the AVC denials quoted in the
# bug description: systemd-sysctl, running as systemd_sysctl_t, was refused
# `write` (exit=-13, EACCES) on core_uses_pid, rp_filter,
# accept_source_route, protected_hardlinks, protected_symlinks,
# max_user_watches, ip_forward, sysrq and aio-max-nr, all of them files
# carrying the generic proc_t label (dev="proc").
module systemd-sysctl-aio-max-nr-mypol 1.0;

# Declares the types and the object class/permission used below; they must
# already exist in the loaded base policy, this block defines nothing itself.
require {
	type proc_t;
	type systemd_sysctl_t;
	class file write;
}

#============= systemd_sysctl_t ==============
# NOTE(review): this rule is far broader than the nine denials it was written
# for -- it grants systemd_sysctl_t write access to *every* file labeled
# proc_t, not only the sysctl entries systemd-sysctl needs to set. The
# denied names are sysctl knobs, so their showing up with the generic proc_t
# label rather than a sysctl-specific type looks like a labeling problem in
# the base policy (presumably why this report was closed as a duplicate of
# bug 1084829) -- confirm before carrying this module as a permanent
# workaround instead of waiting for the fixed selinux-policy package.
allow systemd_sysctl_t proc_t:file write;

Comment 2 Miroslav Grepl 2014-04-10 08:30:18 UTC

*** This bug has been marked as a duplicate of bug 1084829 ***

