Hide Forgot
Description of problem: With kernel kernel-3.10.0-693.2.2.el7.x86_64, it is required to set: sysctl user.max_namespaces=15000 (or any value greater than 0, the default). Attempting to do so via /etc/sysctl or /etc/sysctl.d/file.conf does not work, as systemd-sysctl does not have the correct permissions: Oct 05 22:25:40 ip-10-0-0-177.ec2.internal kernel: type=1400 audit(1507242340.610:4): avc: denied { sys_resource } for pid=351 comm="systemd-sysctl" capability=24 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability Oct 05 22:25:40 ip-10-0-0-177.ec2.internal systemd-sysctl[351]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied Oct 05 22:25:42 ip-10-0-0-177.ec2.internal systemd-sysctl[629]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied Oct 05 22:25:42 ip-10-0-0-177.ec2.internal systemd-sysctl[755]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied Version-Release number of selected component (if applicable): [ec2-user@ip-10-0-0-177 ~]$ rpm -q kernel selinux-policy kernel-3.10.0-693.2.2.el7.x86_64 selinux-policy-3.13.1-166.el7_4.4.noarch How reproducible: Very. Steps to Reproduce: 1. On RHEL7 instance with latest packages, including kernel & selinux-policy above. 2. echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf 3. Reboot 4. Look at journald logs Actual results: sysctl is not updated Expected results: sysctl is updated to the value in /etc/sysctl.conf Additional info:
Following SELinux denial appeared in enforcing mode: ---- type=PROCTITLE msg=audit(10/06/2017 05:24:37.069:27) : proctitle=/lib/systemd/systemd-sysctl type=PATH msg=audit(10/06/2017 05:24:37.069:27) : item=1 name=/proc/sys/user/max_user_namespaces inode=11326 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=NORMAL type=PATH msg=audit(10/06/2017 05:24:37.069:27) : item=0 name=/proc/sys/user/ inode=11325 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=PARENT type=CWD msg=audit(10/06/2017 05:24:37.069:27) : cwd=/etc/sysconfig/network-scripts type=SYSCALL msg=audit(10/06/2017 05:24:37.069:27) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x55bed92a4230 a1=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a2=0666 a3=0x24 items=2 ppid=563 pid=741 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysctl exe=/usr/lib/systemd/systemd-sysctl subj=system_u:system_r:systemd_sysctl_t:s0 key=(null) type=AVC msg=audit(10/06/2017 05:24:37.069:27) : avc: denied { sys_resource } for pid=741 comm=systemd-sysctl capability=sys_resource scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability ----
Following SELinux denial appeared in permissive mode: ---- type=PROCTITLE msg=audit(10/06/2017 05:28:53.935:25) : proctitle=/lib/systemd/systemd-sysctl type=PATH msg=audit(10/06/2017 05:28:53.935:25) : item=1 name=/proc/sys/user/max_user_namespaces inode=11417 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=NORMAL type=PATH msg=audit(10/06/2017 05:28:53.935:25) : item=0 name=/proc/sys/user/ inode=11416 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=PARENT type=CWD msg=audit(10/06/2017 05:28:53.935:25) : cwd=/etc/sysconfig/network-scripts type=SYSCALL msg=audit(10/06/2017 05:28:53.935:25) : arch=x86_64 syscall=open success=yes exit=4 a0=0x55a4270d9230 a1=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a2=0666 a3=0x24 items=2 ppid=562 pid=621 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysctl exe=/usr/lib/systemd/systemd-sysctl subj=system_u:system_r:systemd_sysctl_t:s0 key=(null) type=AVC msg=audit(10/06/2017 05:28:53.935:25) : avc: denied { sys_resource } for pid=621 comm=systemd-sysctl capability=sys_resource scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability ----
I can't access the knowledge base since I am not a subscriber, but for me, creating the following SELinux module worked: #============= systemd_sysctl_t ============== allow systemd_sysctl_t self:capability sys_resource;
Still occurs in RHEL 7.5 beta: kernel-3.10.0-830.el7.x86_64 selinux-policy-3.13.1-183.el7.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111