Bug 1192233
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/systemctl from using the sys_resource capability |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 21 |
| Status | CLOSED DUPLICATE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Michal Jaegermann <michal> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Ben Levenson <benl> |
| CC | arielnmz, dwalsh |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2015-05-12 14:15:59 UTC |
I think this bug is a dupe of #1184712

*** This bug has been marked as a duplicate of bug 1184712 ***
Created attachment 991158: an output from sealert

Description of problem:

After an upgrade from F20 to F21 the following shows up in logs:

```
setroubleshoot: Plugin Exception restorecon_source
setroubleshoot: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability. For complete SELinux messages. run sealert -l 45fe5a2c-7d1f-4c4a-8c52-cb5c35b58fcd
python: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability.
```

That is followed by "*** Plugin sys_resource (91.4 confidence) suggests ***" and the long-winded writeup (in logs!!!) which ends up with "Do fix the cause of the SYS_RESOURCE on your system" albeit not exactly how. See below for more.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-105.1.fc21

How reproducible:

Hm ... this is a freshly updated system.

Additional info:

An output from sealert is attached. The 'audit2allow' command suggested there produces a .te file like this:

```
module mypol 1.0;

require {
	type prelink_cron_system_t;
	class capability sys_resource;
	class process setrlimit;
}

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t self:capability sys_resource;
allow prelink_cron_system_t self:process setrlimit;
```