Bug 1253969 - Failed to start Apply Kernel Variables.
Summary: Failed to start Apply Kernel Variables.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-16 07:11 UTC by poma
Modified: 2015-08-28 13:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 10:21:08 UTC
Type: Bug
Embargoed:



Description poma 2015-08-16 07:11:16 UTC
Description of problem:
start request repeated too quickly for systemd-sysctl.service

Version-Release number of selected component (if applicable):

/usr/lib/systemd/systemd --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
How reproducible:


Steps to Reproduce:
1. Waking up early in the morning
2. Breakfast
3. Powering machine

Actual results:
Another hot summer day

Expected results:
Swimming at the beach with palm trees

Additional info:
You Wish!

Comment 1 poma 2015-08-16 07:15:03 UTC
[    1.250663] playa systemd[1]: Starting Apply Kernel Variables...
[    1.268629] playa systemd[1]: Started Apply Kernel Variables.
[    2.490439] playa systemd[1]: Stopped Apply Kernel Variables.
[    2.490558] playa systemd[1]: Stopping Apply Kernel Variables...
[   10.517425] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
[   10.794209] playa systemd[1]: Failed to start Apply Kernel Variables.
[   10.794384] playa systemd[1]: Unit systemd-sysctl.service entered failed state.
[   10.794524] playa systemd[1]: systemd-sysctl.service failed.
[   14.296470] playa systemd[1]: Starting Apply Kernel Variables...
[   14.304153] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
[   14.304390] playa systemd[1]: Failed to start Apply Kernel Variables.
[   14.304601] playa systemd[1]: Unit systemd-sysctl.service entered failed state.
[   14.304809] playa systemd[1]: systemd-sysctl.service failed.
[   14.458713] playa systemd[1]: Starting Apply Kernel Variables...
[   14.572132] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
[   14.583726] playa systemd[1]: Failed to start Apply Kernel Variables.
[   14.584284] playa systemd[1]: Unit systemd-sysctl.service entered failed state.
[   14.584807] playa systemd[1]: systemd-sysctl.service failed.
[   15.344076] playa systemd[1]: Starting Apply Kernel Variables...
[   15.346855] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
[   15.347143] playa systemd[1]: Failed to start Apply Kernel Variables.
[   15.347330] playa systemd[1]: Unit systemd-sysctl.service entered failed state.
[   15.347507] playa systemd[1]: systemd-sysctl.service failed.
[   15.366091] playa systemd[1]: Starting Apply Kernel Variables...
[   15.461440] playa systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
[   15.461637] playa systemd[1]: Failed to start Apply Kernel Variables.
[   15.461817] playa systemd[1]: Unit systemd-sysctl.service entered failed state.
[   15.461985] playa systemd[1]: systemd-sysctl.service failed.
[   15.463020] playa systemd[1]: start request repeated too quickly for systemd-sysctl.service

Comment 2 Kim Bisgaard 2015-08-16 11:46:53 UTC
Related to package: elfutils-default-yama-scope-0.163-3.fc23.noarch and selinux-policy-3.13.1-140.fc23.noarch

And this shows up in /var/log/messages:
Aug 16 13:24:03 kim systemd: Starting Apply Kernel Variables...
Aug 16 13:24:03 kim audit: AVC avc:  denied  { sys_ptrace } for  pid=3478 comm="systemd-sysctl" capability=19  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Aug 16 13:24:03 kim systemd-sysctl: Failed to write '0' to 'kernel/yama/ptrace_scope': Operation not permitted
Aug 16 13:24:03 kim audit: SYSCALL arch=c000003e syscall=1 success=no exit=-1 a0=4 a1=7fc19b07b000 a2=2 a3=22 items=0 ppid=1 pid=3478 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
Aug 16 13:24:03 kim audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-sysctl"
Aug 16 13:24:03 kim dbus[740]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE
Aug 16 13:24:03 kim systemd: Failed to start Apply Kernel Variables.
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Unit entered failed state.
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Failed with result 'exit-code'.
Aug 16 13:24:03 kim audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-sysctl comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 16 13:24:06 kim dbus[740]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 16 13:24:06 kim setroubleshoot: Deleting alert 0872ae0f-f266-480e-9734-4941a9208070, it is allowed in current policy
Aug 16 13:24:09 kim org.fedoraproject.Setroubleshootd: 'list' object has no attribute 'split'
Aug 16 13:24:09 kim setroubleshoot: Plugin Exception restorecon_source
Aug 16 13:24:09 kim setroubleshoot: SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability. For complete SELinux messages. run sealert -l ace4aee9-3498-4585-b78d-da2617c7d638
Aug 16 13:24:09 kim python: SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that systemd-sysctl should have the sys_ptrace capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Aug 16 13:25:01 kim audit: USER_ACCT pid=3568 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="pcp" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 16 13:25:01 kim audit: CRED_ACQ pid=3568 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="pcp" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Aug 16 13:25:01 kim audit: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 16 13:25:01 kim audit: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
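
The correlation visible in the log above, as an added triage example that is not part of the original report or of any Fedora tooling: the kernel's Yama handler requires CAP_SYS_PTRACE (capability 19) to write kernel/yama/ptrace_scope, so the enforcing SELinux denial surfaces as "Operation not permitted" in systemd-sysctl. The function names and the same-second, same-command matching rule are assumptions made for this example.

```python
import re

# Constructed sample: four of the /var/log/messages lines quoted in Comment 2.
SAMPLE = """\
Aug 16 13:24:03 kim systemd: Starting Apply Kernel Variables...
Aug 16 13:24:03 kim audit: AVC avc:  denied  { sys_ptrace } for  pid=3478 comm="systemd-sysctl" capability=19  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Aug 16 13:24:03 kim systemd-sysctl: Failed to write '0' to 'kernel/yama/ptrace_scope': Operation not permitted
Aug 16 13:24:03 kim systemd: systemd-sysctl.service: Main process exited, code=exited, status=1/FAILURE
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_RE = re.compile(r"^.{15} \S+ (?P<comm>[\w.-]+)(?:\[\d+\])?: "
                      r"Failed to write '(?P<value>[^']*)' to '(?P<key>[^']*)'")


def parse_avc(line):
    """Return the fields of an 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["ts"] = line[:15]  # syslog "Mmm dd hh:mm:ss" prefix
    return rec


def allow_rule(rec):
    """Render the denial as the allow rule a reviewer would have to approve."""
    src = rec["scontext"].split(":")[2]  # context is user:role:type:level
    tgt = rec["tcontext"].split(":")[2]
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {'self' if src == tgt else tgt}:{rec['tclass']} {perm};"


def triage(text):
    """Pair each failed sysctl write with an enforcing denial (same command, same second)."""
    lines = text.splitlines()
    denials = [r for r in map(parse_avc, lines) if r]
    findings = []
    for line in lines:
        w = WRITE_RE.match(line)
        if not w:
            continue
        for d in denials:
            if (d.get("comm"), d["ts"], d.get("permissive")) == (w["comm"], line[:15], "0"):
                findings.append({"sysctl": w["key"], "comm": w["comm"],
                                 "denied": d["perms"], "rule": allow_rule(d)})
    return findings
```

The rendered rule is for review, not for loading blindly; Comment 9 records the packaged policy update that allows this capability for systemd-sysctl.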

Comment 3 poma 2015-08-17 09:42:57 UTC
Bingo

SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability.

avc:  denied  { sys_ptrace } for  pid=4708 comm="systemd-sysctl" capability=19  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0

Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Policy Type                   targeted

Comment 4 poma 2015-08-17 14:23:18 UTC
Also in Rawhide, tested with:
https://kojipkgs.fedoraproject.org/work/tasks/9425/10719425/
Fedora-Live-Xfce-x86_64-rawhide-20150816.iso

Comment 5 poma 2015-08-17 15:48:07 UTC
And Fedora 23, tested with Fedora-Live-Xfce-x86_64-23-20150817.iso

sealert -l dd01b44f-f4a2-4f5b-9d86-7b1361efc28b
SELinux is preventing systemd-sysctl from using the sys_ptrace capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-sysctl should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:systemd_sysctl_t:s0
Target Context                system_u:system_r:systemd_sysctl_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-sysctl
Source Path                   systemd-sysctl
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-141.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.2.0-0.rc5.git0.2.fc23.x86_64 #1
                              SMP Tue Aug 4 01:37:40 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-17 11:31:35 EDT
Last Seen                     2015-08-17 11:31:35 EDT
Local ID                      dd01b44f-f4a2-4f5b-9d86-7b1361efc28b

Raw Audit Messages
type=AVC msg=audit(1439825495.761:1744): avc:  denied  { sys_ptrace } for  pid=7493 comm="systemd-sysctl" capability=19  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0


Hash: systemd-sysctl,systemd_sysctl_t,systemd_sysctl_t,capability,sys_ptrace


Is that all?

Comment 6 poma 2015-08-17 15:48:55 UTC
Yep!

Comment 7 Michael Chapman 2015-08-21 16:50:13 UTC
Duplicate of bug 1253926 ?

Comment 8 poma 2015-08-22 10:21:08 UTC
Possible

*** This bug has been marked as a duplicate of bug 1253926 ***

Comment 9 poma 2015-08-28 13:32:13 UTC
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
- Allow systemd-sysctl cap. sys_ptrace  BZ(1253926
OK

