CentOS Bug Tracker - CentOS-7
View Issue Details
ID: 0014096
Project: CentOS-7
Category: systemd
View Status: public
Date Submitted: 2017-11-07 10:21
Last Update: 2017-12-06 22:42
Reporter: olifre
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Server
OS: CentOS
OS Version: 7.4.1708
Summary: 0014096: systemd-sysctl fails to set sys_resource entries if SELinux is active

Description:
Trying to set user.max_user_namespaces via sysctl.conf, systemd-sysctl fails if SELinux is active.

Steps To Reproduce:
echo user.max_user_namespaces = 15000 >> /etc/sysctl.conf
systemctl restart systemd-sysctl

You will note that systemd-sysctl fails to start (also when rebooting), and see the syslog messages shown below.
Additional Information:
Syslog shows:
systemd-sysctl[2674]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied
systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE

Creating a new SELinux module:

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t self:capability sys_resource;

Fixes the problem.
Tags: No tags attached.
Attached Files: none
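
The report quotes the allow rule as audit2allow prints it, which on its own will not compile. The following is an added example (not part of the report or of the CentOS policy): it wraps that rule in a complete .te module, compiles and loads it with checkmodule, semodule_package and semodule, and then checks that the sysctl took effect. The module name, the temporary paths and the check function are this example's own.

```shell
#!/bin/sh
# Added example (not from the report): build the SELinux policy module around the
# allow rule quoted in the report, load it and verify the sysctl afterwards.
set -eu

MODULE=systemd_sysctl_sysresource   # assumed module name
EXPECTED=15000                      # value from the report's sysctl.conf line

# Emit a complete Type Enforcement (.te) source: checkmodule needs the module
# header and the require block, which the audit2allow summary leaves out.
render_te_module() {
    cat <<EOF
module $1 1.0;

require {
    type systemd_sysctl_t;
    class capability sys_resource;
}

#============= systemd_sysctl_t ==============
allow systemd_sysctl_t self:capability sys_resource;
EOF
}

# Compile and load the module (needs checkpolicy and policycoreutils, run as root).
build_and_load() {
    dir=$(mktemp -d)
    render_te_module "$1" > "$dir/$1.te"
    checkmodule -M -m -o "$dir/$1.mod" "$dir/$1.te"
    semodule_package -o "$dir/$1.pp" -m "$dir/$1.mod"
    semodule -i "$dir/$1.pp"
    rm -rf "$dir"
}

# Compare the value stored in a sysctl file with the expected one; takes the
# path as a parameter so a constructed copy of the /proc file can be checked.
check_sysctl_value() {
    [ "$(tr -d '[:space:]' < "$1")" = "$2" ]
}

# Only touch the live system when invoked as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    build_and_load "$MODULE"
    systemctl restart systemd-sysctl
    if check_sysctl_value /proc/sys/user/max_user_namespaces "$EXPECTED"; then
        echo "user.max_user_namespaces = $EXPECTED is now applied"
    else
        echo "user.max_user_namespaces still differs from $EXPECTED" >&2
    fi
fi
```

After loading, a clean `ausearch -m AVC -c systemd-sysctl` since the restart confirms no further denials for that domain.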

Notes
Note 0030714, olifre, 2017-12-06 22:42:
There's the associated RedHat bug report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1499046

Issue History
2017-11-07 10:21  olifre  New Issue
2017-12-06 22:42  olifre  Note Added: 0030714