Bug 2350683 - SELinux denying systemd write access to `memory` when `cgroup_disable=pressure`
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2025-03-07 19:06 UTC by shygosh
Modified: 2025-04-17 14:14 UTC (History)

Fixed In Version: selinux-policy-41.36-1.fc41
Last Closed: 2025-04-13 01:39:58 UTC
Type: ---
zpytela: mirror+

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | fedora-selinux selinux-policy pull 2594 | 0 | None | Draft | Kernel psi | 2025-03-11 08:40:23 UTC |
| Red Hat Issue Tracker | FC-1507 | 0 | None | None | None | 2025-03-11 08:52:08 UTC |

Description shygosh 2025-03-07 19:06:59 UTC
[   15.058248] audit: type=1400 audit(1740901413.716:4): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.501036] audit: type=1400 audit(1740901414.159:5): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.575607] audit: type=1400 audit(1740901414.234:6): avc:  denied  { write } for  pid=1049 comm="systemd-journal" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Reproducible: Always

Steps to Reproduce:
1. cgroup_disable=pressure
2. update grub
3. reboot

Comment 1 Zdenek Pytela 2025-03-11 08:40:24 UTC
Hello,

Can you test this coprbuild?

https://github.com/fedora-selinux/selinux-policy/pull/2594
checks -> build -> fedora-rawhide

Comment 2 shygosh 2025-03-16 18:23:06 UTC
(In reply to Zdenek Pytela from comment #1)
> Hello,
> 
> Can you test this coprbuild?
> 
> https://github.com/fedora-selinux/selinux-policy/pull/2594
> checks -> build -> fedora-rawhide

Can't help. Currently on F41.

Comment 3 Zdenek Pytela 2025-03-17 15:29:06 UTC
No problem, let's have a regular build.

Comment 4 shygosh 2025-03-19 15:40:51 UTC
I checked several days ago; the GitHub build job for F41 failed and the PR is already merged. Seems like it has been resolved. Besides, I switched to Arch Linux just a while ago, too bad.

Comment 5 Fedora Update System 2025-03-31 13:58:03 UTC
FEDORA-2025-73a887d073 (selinux-policy-41.35-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-73a887d073

Comment 6 Fedora Update System 2025-04-01 03:11:23 UTC
FEDORA-2025-73a887d073 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-73a887d073`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-73a887d073

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-04-09 01:25:47 UTC
FEDORA-2025-c6d8815d3a has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c6d8815d3a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c6d8815d3a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-04-13 01:39:58 UTC
FEDORA-2025-c6d8815d3a (selinux-policy-41.36-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 shygosh 2025-04-17 14:14:19 UTC
So far works fine on F41. Thx.
