Description of problem:
Some sysctl settings trigger the loading of a module. Currently this fails.

E.g. adding /etc/sysctl.d/90-codel.conf:

net.core.default_qdisc=fq_codel

fails with:

Oct 17 12:20:54 fedora21-amd64 kernel: audit: type=1400 audit(1413562854.103:4): avc: denied { module_request } for pid=492 comm="systemd-sysctl" kmod="sch_fq_codel" scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Users should be able to configure various sysctl settings without the additional hassle of manually loading modules or changing the policy.

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.13.1-85.fc21 @System
selinux-policy-targeted.noarch 3.13.1-85.fc21 @System
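An added example, not part of the original report or of selinux-policy: a small parser that pulls denied module_request records out of kernel audit lines and reports which domain asked for which module. The function names and the second log record are constructed for this example; the first record is the denial quoted above.

```python
import re

# First record: the denial quoted in the report above.
# Second record: constructed for this example, to show other denials are skipped.
SAMPLE_LOG = """\
Oct 17 12:20:54 fedora21-amd64 kernel: audit: type=1400 audit(1413562854.103:4): avc: denied { module_request } for pid=492 comm="systemd-sysctl" kmod="sch_fq_codel" scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
Oct 17 12:21:02 fedora21-amd64 kernel: audit: type=1400 audit(1413562862.500:9): avc: denied { read } for pid=611 comm="example" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for kv in KV_RE.finditer(m.group("rest")):
        # Quoted values land in group 2, bare values in group 3.
        rec[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def module_request_denials(log_text):
    """List (source type, target type, kmod, comm) for each denied module_request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "module_request" in rec["perms"] and rec.get("tclass") == "system":
            hits.append((selinux_type(rec.get("scontext", "")),
                         selinux_type(rec.get("tcontext", "")),
                         rec.get("kmod", "?"), rec.get("comm", "?")))
    return hits


if __name__ == "__main__":
    for src, tgt, kmod, comm in module_request_denials(SAMPLE_LOG):
        print(f"{comm} ({src}) was denied loading {kmod}; check: "
              f"sesearch -s {src} -t {tgt} -c system -p module_request -A -C")
```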
# sesearch -s systemd_sysctl_t -t kernel_t -c system -p module_request -A -C
Found 1 semantic av rules:
   DT allow domain kernel_t : system module_request ; [ domain_kernel_load_modules ]

#

If you enable the boolean permanently then the AVC should not appear anymore.

# setsebool -P domain_kernel_load_modules on
# semanage boolean -l | grep domain_kernel_load_modules
domain_kernel_load_modules (off , off) Allow all domains to have the kernel load modules
#
This is a valid request.

kmod="sch_fq_codel"

commit b9fd8ea1762d0764f15fac52d5182d7fafc8919d
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 24 12:05:14 2014 +0200

    Allow systemd-sysctl to request the kernel to load a module.
selinux-policy-3.13.1-92.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-92.fc21
Package selinux-policy-3.13.1-92.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-92.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13975/selinux-policy-3.13.1-92.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-92.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.