On 12/22/19 10:15 AM, Manfred Lotz wrote:
> Hi there,
>
> Running Fedora 31 and SELinux still in permissive mode I got
>
> SELinux is preventing systemd-tmpfile from using the sys_resource capability.
>
> ***** Plugin sys_resource (91.4 confidence) suggests **********************
>
> If you do not want processes to require capabilities to use up all the system resources on your system.
> Then you need to diagnose why your system is running out of system resources and fix the problem.
>
> According to /usr/include/linux/capability.h, sys_resource is required to:
> /* Override resource limits. Set resource limits. */
> /* Override quota limits. */
> /* Override reserved space on ext2 filesystem */
> /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */
> /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */
> /* Override size restrictions on IPC message queues */
> /* Allow more than 64hz interrupts from the real-time clock */
> /* Override max number of consoles on console allocation */
> /* Override max number of keymaps */
>
> Do
> fix the cause of the SYS_RESOURCE on your system.
>
> ***** Plugin catchall (9.59 confidence) suggests **************************
>
> If you believe that systemd-tmpfile should have the sys_resource capability by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-tmpfile' --raw | audit2allow -M my-systemdtmpfile
> # semodule -X 300 -i my-systemdtmpfile.pp
>
> I also see
>
> type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
> type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
>
> I have to admit I don't know how to judge this. Before I do anything here I'd like to understand.

Hi,

What is the version of the selinux-policy package installed on your system?

# rpm -q selinux-policy

You can also update the selinux-policy package:

# dnf update selinux-policy

The "setrlimit" permission should already be allowed in the F31 selinux-policy package (selinux-policy-3.14.4-37.fc31.noarch +).

Could you please update the package and try to reproduce your issue again?

Thanks,
Lukas.

--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
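As an added illustration of the "understand before you audit2allow" point in the exchange above (example code, not from the thread or from Fedora's tooling): a small parser that reads raw AVC records like the two quoted by Manfred, groups the denied permissions by source domain and target class, notes whether each denial was actually enforced (`permissive=1` means it was only logged), and checks an `rpm -q selinux-policy` string against the fixed build Lukas names. The sample lines below are the thread's two records re-joined onto one line each, as auditd writes them; the version comparison is a simplified numeric one written for this example, not rpm's own label-comparison algorithm, and the package-string regex only handles the `name-version-release.dist.arch` shape shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the thread,
# each re-joined onto a single line as auditd writes them.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1569414241.452:321): avc: denied { sys_resource } for pid=17409 '
    'comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1569414241.452:322): avc: denied { setrlimit } for pid=17409 '
    'comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1',
]

# Build named in the thread as already allowing setrlimit for systemd_tmpfiles_t.
FIXED_POLICY = 'selinux-policy-3.14.4-37.fc31.noarch'

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Simplified package-string parser (hypothetical helper, not rpm's NEVRA parsing).
RPM_NEVRA_RE = re.compile(
    r'^(?P<name>.+?)-(?P<ver>[\d.]+)-(?P<rel>\d+)\.(?P<dist>fc\d+)\.(?P<arch>\w+)$'
)


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}

    def type_of(ctx):
        # user:role:type:level -> the type is the third field.
        return ctx.split(':')[2] if ctx else None

    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'stype': type_of(fields.get('scontext')),
        'tclass': fields.get('tclass'),
        # permissive=1: the access was logged but not blocked.
        'enforced': fields.get('permissive', '0') == '0',
    }


def summarize(lines):
    """Group denials by (source type, target class): permissions seen, count, enforcement."""
    groups = defaultdict(lambda: {'perms': set(), 'enforced': False, 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        g = groups[(rec['stype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['enforced'] = g['enforced'] or rec['enforced']
        g['count'] += 1
    return dict(groups)


def policy_version_key(nevra):
    """(version tuple, release int) for a string like selinux-policy-3.14.4-37.fc31.noarch."""
    m = RPM_NEVRA_RE.match(nevra.strip())
    if m is None:
        raise ValueError(f'unrecognised package string: {nevra}')
    return tuple(int(p) for p in m.group('ver').split('.')), int(m.group('rel'))


def policy_has_fix(installed, fixed=FIXED_POLICY):
    """True if the installed build is at or past the build named in the thread."""
    return policy_version_key(installed) >= policy_version_key(fixed)


if __name__ == '__main__':
    for (stype, tclass), g in sorted(summarize(SAMPLE_AVC_LINES).items()):
        mode = 'ENFORCED' if g['enforced'] else 'permissive (logged only)'
        print(f'{stype} -> {tclass}: {sorted(g["perms"])} x{g["count"]} [{mode}]')
    # Feed the real output of `rpm -q selinux-policy` here on a live system.
    print('fix present:', policy_has_fix('selinux-policy-3.14.4-36.fc31.noarch'))
```

Run against the two quoted records it reports one `capability` denial (`sys_resource`) and one `process` denial (`setrlimit`), both marked as logged only, which is the state Manfred describes; a `capability=24` field is carried through in the parsed dict but is not needed for the grouping. The point of separating the summary from the version check is that the `setrlimit` row is expected to disappear after `dnf update selinux-policy`, so the remaining rows, if any, are the ones worth reporting rather than papering over with a local module.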