From b3bb98348ad1aa70e92f0c562e08a41fe8a97ebd Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Mon, 29 Nov 2021 10:40:56 -0500
Subject: [PATCH] systemd: resolve error with systemd-sysctl

Seeing the following errors (based on what is in /etc/sysctl.d/*)

Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/kptr_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/dmesg_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/yama/ptrace_scope': Operation not permitted
Nov 30 13:38:07 localhost systemd: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE

I saw the following denials:

type=AVC msg=audit(1638199548.807:52): avc: denied { sys_admin } for pid=1038 comm="systemd-sysctl" capability=21 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1638305206.666:347): avc: denied { sys_ptrace } for pid=1359 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar
---
 policy/modules/system/systemd.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1bf65a01b..e704a1576 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1288,7 +1288,10 @@ systemd_log_parse_environment(systemd_sessions_t) # sysctl local policy # -dontaudit systemd_sysctl_t self:capability sys_ptrace; +# sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict +# sys_ptrace for kernel.yama.ptrace_scope +allow systemd_sysctl_t self:capability { sys_admin sys_ptrace }; +dontaudit systemd_sysctl_t self:capability net_admin; kernel_read_kernel_sysctls(systemd_sysctl_t) kernel_request_load_module(systemd_sysctl_t)
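Review bot: the added `dontaudit systemd_sysctl_t self:capability net_admin;` line in this hunk has no justification anywhere in the patch. The commit message shows denials only for sys_admin (capability=21) and sys_ptrace (capability=19), and the new comment block explains only those two, so a reader of the policy cannot tell why net_admin is being silenced or whether a net.* sysctl write actually fails without it. Either drop that line until there is a matching denial to cite, or extend the comment with a third line naming the sysctl that triggers the net_admin check and stating that the write still succeeds without the capability (which is the only situation where dontaudit rather than allow is the right choice). The two allow rules themselves line up with the logged denials and the comment text, so no change is needed there.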