Fedora 41 systemd selinux denial

Hello,

I had this message about selinux denying access to systemd which has been persisting for over a month. I believe it was caused by a dnf upgrade. I wonder if this denial is trivial and can be ignored?

sudo dmesg | grep -i avc
[   15.058248] audit: type=1400 audit(1740901413.716:4): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.501036] audit: type=1400 audit(1740901414.159:5): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.575607] audit: type=1400 audit(1740901414.234:6): avc:  denied  { write } for  pid=1049 comm="systemd-journal" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
SELinux is preventing systemd from write access on the file memory.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed write access on the memory file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                memory [ file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.33-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.33-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.13.5-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Feb 27 15:07:31 UTC 2025
                              x86_64
Alert Count                   15
First Seen                    2025-02-27 01:59:27 WIB
Last Seen                     2025-03-02 14:43:35 WIB
Local ID                      b5016a15-2ce1-4bac-9492-8ddd5a0fcf89

Raw Audit Messages
type=AVC msg=audit(1740901415.904:146): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0


Hash: systemd,init_t,proc_t,file,write
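As an added example (not from the thread), here is a small Python triage script that parses AVC records in the dmesg/ausearch format shown above, groups enforced denials the way sealert's "Hash" line does, and separately pulls out the denials against pid 1, since an enforcing-mode denial against init itself is something to escalate rather than silence with audit2allow. The sample lines are constructed copies of the ones in the post.

```python
import re
from collections import Counter

# Constructed sample input, copied in shape from the dmesg lines quoted in the post.
SAMPLE_DMESG = """\
[   15.058248] audit: type=1400 audit(1740901413.716:4): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.501036] audit: type=1400 audit(1740901414.159:5): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.575607] audit: type=1400 audit(1740901414.234:6): avc:  denied  { write } for  pid=1049 comm="systemd-journal" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { write } for  pid=1 comm=..." -> result, permission set, key=value fields
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(ctx):
    """Return the type component of a user:role:type:level SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ''

def parse_avc(line):
    """Parse one dmesg or ausearch --raw line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = ' '.join(m.group('perms').split())
    return rec

def denial_key(rec):
    """Same tuple sealert prints as 'Hash: comm,source type,target type,tclass,perms'."""
    return (rec.get('comm', ''), ctx_type(rec.get('scontext', '')),
            ctx_type(rec.get('tcontext', '')), rec.get('tclass', ''), rec['perms'])

def summarize(text):
    """Count enforced (permissive=0) denials per sealert-style key."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec.get('permissive') == '0':
            counts[denial_key(rec)] += 1
    return counts

def pid1_denials(text):
    """Denials hitting pid 1 (init_t): these deserve a bug report, not a local allow module."""
    recs = (parse_avc(l) for l in text.splitlines())
    return [r for r in recs if r and r['result'] == 'denied' and r.get('pid') == '1']
```

Feed it `sudo dmesg | grep -i avc` or `ausearch -m AVC --raw` output; the keys it returns match the `Hash:` line sealert shows, so they can be compared directly against existing bug reports.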

It seems odd to have systemd trying to access /proc/memory.

I think it is a good idea to raise a bug ticket against systemd with the info you have so that the right people get to look into this.

See https://docs.kernel.org/accounting/psi.html for what this is about.

I would suggest you report this to https://bugzilla.redhat.com/ under the systemd or selinux category. Report it to systemd, because the systemd project should explain why they need write access to /proc/pressure/memory, and to selinux as that is where it can be fixed.

Thank you. Apparently it was caused by the cgroup_disable=pressure kernel parameter.

You added that kernel parameter why?

I disabled it along with memory. I just don’t need these and cgroup is expensive.

Systemd depends on cgroups to do its work.

What I do not know is how well systemd handles the lack of that cgroup.

You could ask on the systemd developer mailing list if you wanted to know.

It is now tracked in 2350683 – SELinux denying systemd write access to `memory` when `cgroup_disable=pressure`