On 12/22/19 10:15 AM, Manfred Lotz wrote:
> Hi there,
> Running Fedora 31 and SELinux still in permissive mode I got
>

Hi,

What is the version of the selinux-policy package installed on your system?

# rpm -q selinux-policy

You can also update the selinux-policy package:

# dnf update selinux-policy

The "setrlimit" permission should already be allowed in the F31 selinux-policy package (selinux-policy-3.14.4-37.fc31.noarch and later).

Could you please update the package and try to reproduce your issue again?

Thanks,
Lukas.

> SELinux is preventing systemd-tmpfile from using the sys_resource capability.
>
> ***** Plugin sys_resource (91.4 confidence) suggests **********************
>
> If you do not want processes to require capabilities to use up all the system resources on your system.
> Then you need to diagnose why your system is running out of system resources and fix the problem.
>
> According to /usr/include/linux/capability.h, sys_resource is required to:
>
> /* Override resource limits. Set resource limits. */
> /* Override quota limits. */
> /* Override reserved space on ext2 filesystem */
> /* Modify data journaling mode on ext3 filesystem (uses journaling
> resources) */
> /* NOTE: ext2 honors fsuid when checking for resource overrides, so
> you can override using fsuid too */
> /* Override size restrictions on IPC message queues */
> /* Allow more than 64hz interrupts from the real-time clock */
> /* Override max number of consoles on console allocation */
> /* Override max number of keymaps */
>
> Do
> fix the cause of the SYS_RESOURCE on your system.
>
> ***** Plugin catchall (9.59 confidence) suggests **************************
>
> If you believe that systemd-tmpfile should have the sys_resource capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
> # semodule -X 300 -i my-systemdtmpfile.pp
>
>
> I also see
>
> type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24
> scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
> type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile"
> scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
>
>
>
> I have to admit I don't know how to judge this. Before I do anything here I would like to understand.
>
>

--
Lukas Vrabec
SELinux Evangelist, Senior Software Engineer, Security Technologies
Red Hat, Inc.
Attachment: signature.asc (OpenPGP digital signature)
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
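The triage Lukas is steering Manfred towards, as an added shell example that is not part of the thread: read the two AVC records, note that permissive=1 means nothing was actually blocked, and compare the installed selinux-policy version-release against the build he names (3.14.4-37.fc31) before reaching for audit2allow. The AVC lines are the two Manfred posted, embedded as a constructed sample; the version compare is a simplified numeric-field ordering (rpmdev-vercmp from rpmdevtools gives the exact RPM semantics, including epoch and alpha tags); and the fallback installed version used when rpm is not present is an assumed value so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from selinux-policy:
# triage the two AVC denials against the selinux-policy build that
# already allows setrlimit for systemd_tmpfiles_t.

# Constructed sample input: the two records Manfred posted, one per
# line, in the form `ausearch -m AVC --raw` prints them.
SAMPLE_AVC='type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1'

# Version-release that, per the reply, already carries the allow rule.
FIXED_VR='3.14.4-37.fc31'

# Reduce each AVC record to "scontext tclass permissions permissive".
# permissive=1 means the access was logged but not blocked.
summarize_avc() {
    printf '%s\n' "$1" |
        sed -n 's/.*avc: denied { \([^}]*\) } .*scontext=\([^ ]*\) .*tclass=\([^ ]*\) permissive=\([01]\).*/\2 \3 \1 \4/p'
}

# Return 0 if any record was actually enforced (permissive=0).
any_enforced() {
    summarize_avc "$1" | awk '$NF == 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# Simplified version-release compare: split both strings on non-digits
# and compare field by field. Ignores epoch and alpha tags; use
# rpmdev-vercmp for exact RPM ordering. Returns 0 when $1 >= $2.
rpm_vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Next step for a given installed version-release: update first, or the
# rule is already there and a persisting denial is worth a bug report.
triage() {
    if rpm_vr_ge "$1" "$FIXED_VR"; then
        echo "already-fixed"
    else
        echo "update-first"
    fi
}

# Installed version from rpm when it is available and the package is
# installed; otherwise an assumed value so the example runs offline.
INSTALLED_VR=$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy 2>/dev/null) ||
    INSTALLED_VR='3.14.4-35.fc31'   # assumed, not from the thread

summarize_avc "$SAMPLE_AVC"
if any_enforced "$SAMPLE_AVC"; then
    echo "at least one access was blocked"
else
    echo "permissive mode: denials were logged only, nothing was blocked"
fi
echo "selinux-policy $INSTALLED_VR: $(triage "$INSTALLED_VR")"
```

Only when the installed package is already at or past the named build and the setrlimit denial still appears is it time to follow the catchall plugin's advice and file a bug; a local module generated from a stale policy just papers over a fix that a `dnf update` would deliver.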