SELinux is preventing systemd-tmpfile from using the sys_resource capability.

Hi there,
Running Fedora 31 and SELinux still in permissive mode I got


SELinux is preventing systemd-tmpfile from using the sys_resource capability.
 
 *****  Plugin sys_resource (91.4 confidence) suggests   **********************
 
 If you do not want processes to require capabilities to use up all the system resources on your syste>
 Then you need to diagnose why your system is running out of system resources and fix the problem.
 
 According to /usr/include/linux/capability.h, sys_resource is required to:
 
 /* Override resource limits. Set resource limits. */
 /* Override quota limits. */
 /* Override reserved space on ext2 filesystem */
 /* Modify data journaling mode on ext3 filesystem (uses journaling
    resources) */
 /* NOTE: ext2 honors fsuid when checking for resource overrides, so
    you can override using fsuid too */
 /* Override size restrictions on IPC message queues */
 /* Allow more than 64hz interrupts from the real-time clock */
 /* Override max number of consoles on console allocation */
 /* Override max number of keymaps */
 
 Do
 fix the cause of the SYS_RESOURCE on your system.
 
 *****  Plugin catchall (9.59 confidence) suggests   **************************
 
 If you believe that systemd-tmpfile should have the sys_resource capability by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
 # semodule -X 300 -i my-systemdtmpfile.pp


I also see

type=AVC msg=audit(1569414241.452:321): avc:  denied  { sys_resource } for  pid=17409 comm="systemd-tmpfile" capability=24  
                    scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc:  denied  { setrlimit } for  pid=17409 comm="systemd-tmpfile" 
                    scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1

I have to admit I don't know how to judge this. Before I do anything here I'd like to understand.

-- 
Manfred

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
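To make the two AVC records quoted in the message easier to read, here is an added Python example (not part of the original message, and not the audit2allow tool itself) that parses each record, checks that the numeric capability in the record matches the named one, and derives the allow rules that audit2allow would emit for them. The sample input is the two quoted records, re-joined onto one line each as `ausearch --raw` prints them; the small capability-number table is a partial copy of the numbering in linux/capability.h.

```python
import re

# Constructed sample: the two AVC records quoted in the message, re-joined onto one line each.
SAMPLE_AVC = """\
type=AVC msg=audit(1569414241.452:321): avc:  denied  { sys_resource } for  pid=17409 comm="systemd-tmpfile" capability=24  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc:  denied  { setrlimit } for  pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
"""

# Partial table of capability numbers from /usr/include/linux/capability.h (only entries needed here).
CAP_NAMES = {21: "sys_admin", 23: "sys_nice", 24: "sys_resource"}

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    # The third field of a context (user:role:type:level) is the type; allow rules are written in terms of types.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    # Capability denials carry both the permission name and the capability number; check that they agree.
    if rec["tclass"] == "capability" and "capability" in rec:
        rec["cap_consistent"] = CAP_NAMES.get(int(rec["capability"])) in rec["perms"]
    return rec

def allow_rules(log_text):
    """Collapse denied AVC records into the allow rules audit2allow would emit, as a sorted list."""
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        # Source and target type identical: the policy language spells that target as "self".
        target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
        rules.setdefault((rec["stype"], target, rec["tclass"]), set()).update(rec["perms"])
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        if len(perms) > 1:
            joined = "{ " + joined + " }"
        out.append(f"allow {stype} {target}:{tclass} {joined};")
    return out

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_AVC.splitlines())):
        print(rec["comm"], rec["tclass"], rec["perms"], "permissive" if rec["permissive"] else "enforcing")
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

The `permissive=1` field on both records is why the denials were logged but the process was not actually stopped; the rules printed are what the suggested `audit2allow -M` step would put into the module, so you can read them before deciding whether to install it.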