Re: SELinux is preventing systemd-tmpfile from using the sys_resource capability.

On 12/22/19 10:15 AM, Manfred Lotz wrote:
> Hi there,
> Running Fedora 31 with SELinux still in permissive mode, I got
> 

Hi,

What is the version of the selinux-policy package installed on your system?

# rpm -q selinux-policy

You can also update the selinux-policy package:

# dnf update selinux-policy

The "setrlimit" permission should already be allowed by the F31 selinux-policy
package (selinux-policy-3.14.4-37.fc31.noarch and later).

Could you please update the package and try to reproduce your issue again?

Thanks,
Lukas.

> 
> SELinux is preventing systemd-tmpfile from using the sys_resource capability.
>  
>  *****  Plugin sys_resource (91.4 confidence) suggests   **********************
>  
>  If you do not want processes to require capabilities to use up all the system resources on your syste>
>  Then you need to diagnose why your system is running out of system resources and fix the problem.
>  
>  According to /usr/include/linux/capability.h, sys_resource is required to:
>  
>  /* Override resource limits. Set resource limits. */
>  /* Override quota limits. */
>  /* Override reserved space on ext2 filesystem */
>  /* Modify data journaling mode on ext3 filesystem (uses journaling
>     resources) */
>  /* NOTE: ext2 honors fsuid when checking for resource overrides, so
>     you can override using fsuid too */
>  /* Override size restrictions on IPC message queues */
>  /* Allow more than 64hz interrupts from the real-time clock */
>  /* Override max number of consoles on console allocation */
>  /* Override max number of keymaps */
>  
>  Do
>  fix the cause of the SYS_RESOURCE on your system.
>  
>  *****  Plugin catchall (9.59 confidence) suggests   **************************
>  
>  If you believe that systemd-tmpfile should have the sys_resource capability by default.
>  Then you should report this as a bug.
>  You can generate a local policy module to allow this access.
>  Do
>  allow this access for now by executing:
>  # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
>  # semodule -X 300 -i my-systemdtmpfile.pp
> 
> 
> I also see
> 
> type=AVC msg=audit(1569414241.452:321): avc:  denied  { sys_resource } for  pid=17409 comm="systemd-tmpfile" capability=24  
>                     scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
> type=AVC msg=audit(1569414241.452:322): avc:  denied  { setrlimit } for  pid=17409 comm="systemd-tmpfile" 
>                     scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
> 
> 
> 
> I have to admit I don't know how to judge this. Before I do anything here, I would like to understand.
> 
> 
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
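A triage helper for the AVC records quoted above, added here as an example (it is not part of the thread and not a Fedora or SELinux tool): it parses each record, reports whether the denial was actually blocked or only logged (permissive=1), and compares the installed selinux-policy version against the build Lukas names. The sample audit lines are the two records quoted above rejoined onto one line each, and the version comparison is a simplified numeric compare assumed for this example, not rpm's own rpmvercmp.

```python
import re

# Constructed sample: the two AVC records quoted in the thread, rejoined onto one line each.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1569414241.452:321): avc:  denied  { sys_resource } for  pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc:  denied  { setrlimit } for  pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
"""
# Build Lukas names in the thread as the first F31 policy allowing setrlimit.
REQUIRED_POLICY = "selinux-policy-3.14.4-37.fc31"

AVC_RE = re.compile(r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
                    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC record into a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "scontext": f.get("scontext", ""), "tclass": f.get("tclass"),
            # permissive=1: the access was only logged, not actually blocked
            "permissive": f.get("permissive") == "1"}

def policy_at_least(installed, required):
    """Numeric NVR compare (3.14.4-37.fc31 -> [3,14,4,37,31]); a simplification
    assumed for this example, not rpm's rpmvercmp."""
    key = lambda v: [int(x) for x in re.findall(r"\d+", v)]
    return key(installed) >= key(required)

def triage(audit_text, installed_policy):
    """One finding per AVC: domain, perms, really blocked?, and whether the thread's fix applies."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ctx = rec["scontext"].split(":")
        domain = ctx[2] if len(ctx) > 2 else "?"
        covered = (domain == "systemd_tmpfiles_t"
                   and set(rec["perms"]) & {"sys_resource", "setrlimit"})
        action = ("investigate" if not covered else
                  "none: policy should allow this, reproduce and re-check"
                  if policy_at_least(installed_policy, REQUIRED_POLICY)
                  else "update selinux-policy")
        findings.append({"domain": domain, "tclass": rec["tclass"], "perms": rec["perms"],
                         "blocked": rec["result"] == "denied" and not rec["permissive"],
                         "action": action})
    return findings
```

Feed it the output of `ausearch -m AVC --raw` together with the string from `rpm -q selinux-policy`; a `blocked` of False confirms the box was in permissive mode, as Manfred described.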

