systemd: resolve error with systemd-sysctl

Seeing the following errors (based on what is in /etc/sysctl.d/*)

Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/kptr_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/dmesg_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/yama/ptrace_scope': Operation not permitted
Nov 30 13:38:07 localhost systemd: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE

I saw the following denials:

type=AVC msg=audit(1638199548.807:52): avc:  denied  { sys_admin } for  pid=1038 comm="systemd-sysctl" capability=21  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1638305206.666:347): avc:  denied  { sys_ptrace } for pid=1359 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Dave Sugar 2021-11-29 10:40:56 -05:00
parent 9788933467
commit b3bb98348a
1 changed file with 4 additions and 1 deletion


@ -1288,7 +1288,10 @@ systemd_log_parse_environment(systemd_sessions_t)
# sysctl local policy
#
dontaudit systemd_sysctl_t self:capability sys_ptrace;
# sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
# sys_ptrace for kernel.yama.ptrace_scope
allow systemd_sysctl_t self:capability { sys_admin sys_ptrace };
dontaudit systemd_sysctl_t self:capability net_admin;
kernel_read_kernel_sysctls(systemd_sysctl_t)
kernel_request_load_module(systemd_sysctl_t)
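Review bot: Replacing `dontaudit systemd_sysctl_t self:capability sys_ptrace;` with `allow systemd_sysctl_t self:capability { sys_admin sys_ptrace };` is the right shape, since a dontaudit next to an allow for the same permission would be dead weight and the old dontaudit was only hiding the kernel.yama.ptrace_scope failure shown in the commit message. The two new comment lines justify each capability against the AVC denials (capability=21 sys_admin, capability=19 sys_ptrace), which is good; it would help a future reader to also state in the comment that these are write-side requirements of the sysctl handlers, so that nobody tries to narrow `sys_admin` back to a dontaudit when reads still work via `kernel_read_kernel_sysctls`. `sys_admin` is a broad grant, so confirming that the domain is otherwise tightly confined (the retained `dontaudit ... net_admin` suggests it is) is worth a sentence in the commit message as well.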