Bug 608640
Summary: SELinux is preventing /usr/bin/totem-video-thumbnailer "setrlimit" access.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 6 | Reporter | Matěj Cepl <mcepl> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.0 | CC | dwalsh, eparis, jmorris, mmalik, sdsmall |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | setroubleshoot_trace_hash:fb976057edbd466384a92016fc65e061a43bb30ac53454ea7f3a3fa0d6b8cc2c | | |
| Fixed In Version | selinux-policy-3.7.19-32.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2010-11-10 21:34:57 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description

Matěj Cepl, 2010-06-28 11:19:43 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

Should we just allow this for a confined user? staff_t, user_t. Since setrlimit can only lower priority if you do not have CAP_SYS_RESOURCE?

Only concern is if the confined user domain can transition to some privileged program domain and you are concerned about the confined user domain trying to induce a failure in the privileged program by first lowering the hard limits prior to exec'ing it. That was the original rationale for the setrlimit and rlimitinh checks.

Should I add a boolean then, users_can_setrlimit?

Miroslav, please add

```
## <desc>
## <p>
## Allow user processes to change their priority
## </p>
## </desc>
gen_tunable(user_setrlimit, false)
```

and

```
tunable_policy(`user_setrlimit',`
	allow $1_usertype self:process setrlimit;
')
```

to the `userdom_unpriv_user_template` template, and default this to true in booleans-targeted.conf.

Fixed in selinux-policy-3.7.19-32.el6.noarch

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
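The concern raised in the thread above, that a confined user could lower hard limits and then exec a program that transitions into a privileged domain, can be demonstrated without SELinux at all: rlimits are inherited across both fork() and execve(), lowering a hard limit needs no privilege, and raising it back needs CAP_SYS_RESOURCE. On a domain transition the rlimitinh check lets the kernel reset the new domain's soft limits, but a hard limit that the parent already lowered stays lowered, which is why the setrlimit permission is checked as well and why it was made a tunable here rather than allowed outright. The C program below is an added example, not code from the bug report or from selinux-policy. It plays the "confined user" and the "privileged program" in two forked children so the caller's own limits are untouched; it uses fork() rather than execve() for the victim so the result does not depend on how many descriptors the dynamic loader needs, and it assumes the usual three standard descriptors are open, so that the lowest free descriptor is 3.

```c
/* Added example: a process without CAP_SYS_RESOURCE lowers its hard
 * RLIMIT_NOFILE, and a child that inherits the lowered limit fails as soon
 * as it needs new descriptors. Linux-only (fork, setrlimit, waitpid). */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current soft limit on open descriptors; used as the unchanged control. */
rlim_t current_nofile_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* Lower both the soft and the hard RLIMIT_NOFILE to n.
 * Lowering is always permitted; raising rlim_max again would need
 * CAP_SYS_RESOURCE, so for an unprivileged user the change is one-way. */
int lower_nofile_hard_limit(rlim_t n)
{
    struct rlimit rl = { .rlim_cur = n, .rlim_max = n };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Result codes reported back from the forked children. */
enum {
    VICTIM_OK = 0,        /* pipe() succeeded */
    VICTIM_EMFILE = 1,    /* pipe() failed with EMFILE: the induced failure */
    VICTIM_OTHER = 2,     /* pipe() failed for some other reason */
    SETRLIMIT_FAILED = 3, /* the attacker could not lower the limit */
    INTERNAL = 4          /* fork()/waitpid() trouble inside the children */
};

/* The "confined user" child lowers RLIMIT_NOFILE to nofile_limit; its own
 * child, the "victim", inherits that limit exactly as it would across an
 * execve() into a privileged domain, and tries to create a pipe, which
 * needs two new descriptors. Returns one of the codes above, or -1 if the
 * outer fork()/waitpid() fails. */
int run_scenario(rlim_t nofile_limit)
{
    pid_t attacker = fork();
    if (attacker < 0)
        return -1;
    if (attacker == 0) {
        if (lower_nofile_hard_limit(nofile_limit) != 0)
            _exit(SETRLIMIT_FAILED);
        pid_t victim = fork();
        if (victim < 0)
            _exit(INTERNAL);
        if (victim == 0) {
            int fds[2];
            if (pipe(fds) == 0)
                _exit(VICTIM_OK);
            _exit(errno == EMFILE ? VICTIM_EMFILE : VICTIM_OTHER);
        }
        int st;
        if (waitpid(victim, &st, 0) < 0 || !WIFEXITED(st))
            _exit(INTERNAL);
        _exit(WEXITSTATUS(st));
    }
    int st;
    if (waitpid(attacker, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    rlim_t cur = current_nofile_limit();
    printf("victim with unchanged limit %lu: %d (0 = pipe() ok)\n",
           (unsigned long)cur, run_scenario(cur));
    /* Assumption: stdin/stdout/stderr occupy 0..2, so a hard limit of 3
     * leaves the victim no room for even one new descriptor. */
    printf("victim after hard limit lowered to 3: %d (1 = EMFILE)\n",
           run_scenario(3));
    return 0;
}
```

The same effect is what the user_setrlimit boolean trades off: with it on, a staff_t or user_t process may lower its own hard limits, so any domain it can transition into has to tolerate whatever limits it inherits.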