Filed a bug report with a simple reproducer that doesn't require any updated package:
https://bugzilla.redhat.com/show_bug.cgi?id=1253926
It is strange though. I am sure this used to work. It must be some other update that triggered this change in behavior.
This comes from the fact that elfutils-libs now pulls in default-yama-scope which installs /usr/lib/sysctl.d/10-default-yama-scope.conf which systemd-sysctl tries to execute. But systemd-sysctl is blocked by selinux from setting that sysctl. I assume this was only tested with selinux disabled. Hohum. Not good.

With selinux enabled you can easily reproduce:

    $ systemctl start systemd-sysctl.service
    Job for systemd-sysctl.service failed. See "systemctl status systemd-sysctl.service" and "journalctl -xe" for details.
    $ systemctl status systemd-sysctl.service
    ● systemd-sysctl.service - Apply Kernel Variables
       Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static; vendor preset: disabled)
       Active: failed (Result: exit-code) since Sat 2015-08-15 15:59:19 CEST; 35min ago
         Docs: man:systemd-sysctl.service(8)
               man:sysctl.d(5)
      Process: 728 ExecStart=/usr/lib/systemd/systemd-sysctl (code=exited, status=1/FAILURE)
     Main PID: 728 (code=exited, status=1/FAILURE)

    Aug 15 15:59:19 blokker systemd: Starting Apply Kernel Variables...
    Aug 15 15:59:19 blokker systemd: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
    Aug 15 15:59:19 blokker systemd: Failed to start Apply Kernel Variables.
    Aug 15 15:59:19 blokker systemd: Unit systemd-sysctl.service entered failed state.
    Aug 15 15:59:19 blokker systemd: systemd-sysctl.service failed.

The logs also show a workaround:

    Aug 15 16:36:11 blokker python: SELinux is preventing /usr/lib/systemd/systemd-sysctl from using the sys_ptrace capability.
    * Plugin catchall (100. confidence) suggests ******
    If you believe that systemd-sysctl should have the sys_ptrace capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep systemd-sysctl /var/log/audit/audit.log | audit2allow -M mypol
be good to get this fixed in the selinux policy for systemd_sysctl_exec_t. But before that is fixed it might be good to comment out the setting in the default-yama-scope
The upgradepath test FAILED because the matching f23 update hasn't been approved yet:
https://admin.fedoraproject.org/updates/FEDORA-2015-13063/elfutils-0.163-3.fc23
If people could test f23 and supply karma that would be appreciated. Once it goes into f23 it can also go into f22.