Fedora 41 systemd selinux denial

Ask Fedora
,
1

Hello,

I had this message about selinux denying access to systemd which has been persisting for over a month. I believe it was caused by a dnf upgrade. I wonder if this denial is trivial and can be ignored?

sudo dmesg | grep -i avc
[   15.058248] audit: type=1400 audit(1740901413.716:4): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.501036] audit: type=1400 audit(1740901414.159:5): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
[   15.575607] audit: type=1400 audit(1740901414.234:6): avc:  denied  { write } for  pid=1049 comm="systemd-journal" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

SELinux is preventing systemd from write access on the file memory.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed write access on the memory file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                memory [ file ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.33-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.33-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.13.5-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Feb 27 15:07:31 UTC 2025
                              x86_64
Alert Count                   15
First Seen                    2025-02-27 01:59:27 WIB
Last Seen                     2025-03-02 14:43:35 WIB
Local ID                      b5016a15-2ce1-4bac-9492-8ddd5a0fcf89

Raw Audit Messages
type=AVC msg=audit(1740901415.904:146): avc:  denied  { write } for  pid=1 comm="systemd" name="memory" dev="proc" ino=4026532091 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0


Hash: systemd,init_t,proc_t,file,write

Screenshot_20250307_165805
Screenshot_20250307_165805609×205 17.9 KB

2

It seems odd to have systemd trying to access /proc/memory.

I think it is a good idea to raise a bug ticket against systemd with the info you have so that the right people get to look into this.

3

See https://docs.kernel.org/accounting/psi.html for what this is about.

I would suggest you report this to https://bugzilla.redhat.com/ under the systemd or selinux category. To report that to systemd, because the systemd project should explain why they need the write access to /proc/pressure/memory and to selinux as that is where it can be fixed.

4

Thank you. Apparently it was caused by cgroup_disable=pressure kernel parameter.

5

You added that kernel parameter why?

6

I disabled it along with memory. I just don’t need these and cgroup is expensive.

7

Systemd depends on cgroups to do its work.

What I do not know is how well systemd handles the lack of that cgroup.

You could ask on the systemd developer mailing list if you wanted to know.

8

It is now tracked in 2350683 – SELinux denying systemd write access to `memory` when `cgroup_disable=pressure`