Hi there, Running Fedora 31 and SELinux still in permissive mode I got
SELinux is preventing systemd-tmpfile from using the sys_resource capability.
***** Plugin sys_resource (91.4 confidence) suggests **********************
If you do not want processes to require capabilities to use up all the system resources on your syste> Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */
Do fix the cause of the SYS_RESOURCE on your system.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that systemd-tmpfile should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
# semodule -X 300 -i my-systemdtmpfile.pp
I also see
type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
I have to admit I don't know how to judge this. Before I do anything here I'd like to understand.
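To help with exactly that "understand before acting" step, here is an added example (not part of the thread, not a tool from the participants) that parses AVC records of the kind quoted above and reports, per denial, the source domain, object class and permission, whether it was only logged (permissive=1) or actually blocked, and the allow rule a local module built from it would contain. The sample lines are constructed from the records quoted in this thread; the `te_rule` function is a hypothetical re-implementation of what audit2allow prints for such records, included so the reader can see what the catchall plugin's module would grant before deciding to install it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC records quoted in this thread (the two
# systemd-tmpfiles denials and the later systemctl/cockpit one), one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
type=AVC msg=audit(1577999374.574:304): avc: denied { sys_resource } for pid=1930 comm="systemctl" capability=24 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=capability permissive=1
"""

# Header of an AVC record: timestamp, serial, the denied permission set, and
# the trailing key=value fields. Tolerates the double spaces real logs use.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ *(?P<perms>[^}]+?) *\} for (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    perms: tuple          # permissions inside the braces, e.g. ("sys_resource",)
    comm: str
    pid: int
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool      # True: logged only, the access actually went ahead

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type is the third field
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_lines(text: str) -> list:
    """Parse every AVC record in an audit.log excerpt; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append(AvcDenial(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            perms=tuple(m.group("perms").split()),
            comm=fields["comm"],
            pid=int(fields["pid"]),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            permissive=fields.get("permissive") == "1",
        ))
    return denials


def te_rule(d: AvcDenial) -> str:
    """Hypothetical re-implementation of the allow rule audit2allow derives from one denial."""
    target = "self" if d.source_type == d.target_type else d.target_type
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {target}:{d.tclass} {perms};"


def rules_needed(denials: list) -> list:
    """Distinct allow rules a local module built from these denials would carry."""
    return sorted({te_rule(d) for d in denials})


def enforced_denials(denials: list) -> list:
    """Denials that were actually blocked (permissive=0); empty while the host is permissive."""
    return [d for d in denials if not d.permissive]


if __name__ == "__main__":
    found = parse_avc_lines(SAMPLE_AUDIT)
    for d in found:
        print(f"{d.comm:16} {d.source_type:22} {d.tclass}:{' '.join(d.perms)}"
              f"  permissive={int(d.permissive)}")
    print("rules a local module would add:")
    for rule in rules_needed(found):
        print("  " + rule)
```

Run against the thread's records it reports that all three denials carry permissive=1, so none of them actually stopped systemd-tmpfiles or systemctl from doing anything, and that the module the catchall plugin proposes would grant `systemd_tmpfiles_t` and `cockpit_ws_t` the `sys_resource` capability on themselves. Seeing the rule spelled out is what makes it possible to weigh "report as a bug / wait for an updated policy" against "install a local allow rule", which is the choice the plugin output leaves to the reader.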
On 12/22/19 10:15 AM, Manfred Lotz wrote:
Hi there, Running Fedora 31 and SELinux still in permissive mode I got
Hi,
What is the version of selinux-policy package installed on your system?
# rpm -q selinux-policy
You can also update selinux-policy package:
# dnf update selinux-policy
"setrlimit" permission should be already allowed in F31 selinux-policy package. (selinux-policy-3.14.4-37.fc31.noarch +)
Could you please update the package and try to reproduce your issue again?
Thanks, Lukas.
On Sat, 4 Jan 2020 09:51:56 +0100 Lukas Vrabec lvrabec@redhat.com wrote:
On 12/22/19 10:15 AM, Manfred Lotz wrote:
Hi there, Running Fedora 31 and SELinux still in permissive mode I got
Hi,
What is the version of selinux-policy package installed on your system?
# rpm -q selinux-policy
selinux-policy-3.14.4-43.fc31 installed on December 13.
You can also update selinux-policy package:
# dnf update selinux-policy
"setrlimit" permission should be already allowed in F31 selinux-policy package. (selinux-policy-3.14.4-37.fc31.noarch +)
Could you please update the package and try to reproduce your issue again?
Funny is that directly after the last reboot "SELinux is preventing systemctl from using the sys_resource capability." showed up again.
sealert shows:
type=AVC msg=audit(1577999374.574:304): avc: denied { sys_resource } for pid=1930 comm="systemctl" capability=24 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=capability permissive=1
After that it didn't show again.