Hi there,
Running Fedora 31 with SELinux still in permissive mode, I got:
SELinux is preventing systemd-tmpfile from using the sys_resource capability.
***** Plugin sys_resource (91.4 confidence) suggests **********************
If you do not want processes to require capabilities to use up all the system resources on your syste>
Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
Do
fix the cause of the SYS_RESOURCE on your system.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that systemd-tmpfile should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
# semodule -X 300 -i my-systemdtmpfile.pp
I also see:
type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24
scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile"
scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
I have to admit I don't know how to judge this. Before I do anything here, I'd like to understand.
--
Manfred
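An added example, not part of Manfred's message or of setroubleshoot: a small Python parser for the two AVC records quoted above. It pulls out the acting domain, object class and permission, notes that `permissive=1` means the call was logged but not actually blocked, and prints the type-level `allow` rules a local module built with `audit2allow` would grant, so the scope of "allow this access for now" can be judged before running it. The sample records are reconstructed from the message; the field names follow the standard AVC format.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AVC records quoted in the message, each joined onto one line.
AVC_LINES = [
    'type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 '
    'comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 '
    'comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1',
]

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

@dataclass
class AvcDenial:
    perms: list        # permissions listed inside { }
    source_type: str   # type field of scontext: the acting domain
    target_type: str   # type field of tcontext
    tclass: str        # object class: capability, process, file, ...
    permissive: bool   # True: denial was only logged, the call still went through

    def allow_rule(self) -> str:
        """Type-level allow rule equivalent to what audit2allow emits for this record."""
        target = "self" if self.source_type == self.target_type else self.target_type
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {target}:{self.tclass} {perms};"

def parse_avc(line: str):
    """Return an AvcDenial for a 'denied' AVC record, None for any other audit line."""
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type:level -> type
    return AvcDenial(m.group("perms").split(), type_of(m.group("scontext")),
                     type_of(m.group("tcontext")), m.group("tclass"),
                     m.group("permissive") == "1")

def summarize(lines):
    """What a local module built from these records would grant, and whether anything was blocked."""
    denials = [d for d in map(parse_avc, lines) if d]
    return {
        "domains": sorted({d.source_type for d in denials}),
        "self_only": all(d.source_type == d.target_type for d in denials),
        "blocked_in_practice": any(not d.permissive for d in denials),
        "rules": [d.allow_rule() for d in denials],
    }

if __name__ == "__main__":
    for key, value in summarize(AVC_LINES).items():
        print(f"{key}: {value}")
```

Both records carry the same audit timestamp and target the domain's own context (`self`), which is consistent with a single setrlimit() call raising a hard limit: that needs CAP_SYS_RESOURCE and, under SELinux, the process:setrlimit permission, so the module suggested by setroubleshoot would grant exactly those two rules to systemd_tmpfiles_t and nothing else.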