| Summary: | Unable to login to gui - error "could not set limit for 'XXXX': Operation not permitted" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ryan Howe <rhowe> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, stefw |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-13 08:34:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 1402316 ***
Description of problem:
When nofile is set in limits.conf, users are unable to log in to the cockpit gui. SELinux denies cockpit_session_t from making the syscall "setrlimit".

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server 7.x
cockpit-shell-0.114-2.el7.noarch
cockpit-kubernetes-0.114-2.el7.x86_64
cockpit-bridge-0.114-2.el7.x86_64
cockpit-docker-0.114-2.el7.x86_64
cockpit-ws-0.114-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Set nofile limit in /etc/security/limits.conf
2. Log in to cockpit

Actual results:
Permission denied

Expected results:
Be able to log in

Additional info:

```
[root@master-1 ~]# ausearch -i -m avc -ts recent
----
type=SYSCALL msg=audit(12/07/2016 11:29:16.540:1652) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc2d4ffaf0 a2=0x7f8c93287768 a3=0x0 items=0 ppid=16322 pid=16652 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=15 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(12/07/2016 11:29:16.540:1652) : avc: denied { sys_resource } for pid=16652 comm=cockpit-session capability=sys_resource scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability

[root@master-1 ~]# ausearch -i -m avc -ts recent
----
type=SYSCALL msg=audit(12/07/2016 11:29:16.540:1652) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc2d4ffaf0 a2=0x7f8c93287768 a3=0x0 items=0 ppid=16322 pid=16652 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=15 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(12/07/2016 11:29:16.540:1652) : avc: denied { sys_resource } for pid=16652 comm=cockpit-session capability=sys_resource scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability
----
type=SYSCALL msg=audit(12/07/2016 11:29:38.092:1667) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc13a0d5e0 a2=0x7f0999397768 a3=0x0 items=0 ppid=16322 pid=16722 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=16 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(12/07/2016 11:29:38.092:1667) : avc: denied { sys_resource } for pid=16722 comm=cockpit-session capability=sys_resource scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability

[root@master-1 ~]# cat /etc/security/limits.conf | grep -v "^#"
* hard nofile 10000
* soft nofile 10000
root hard nofile 10000
root soft nofile 10000

[root@master-1 ~]# ulimit -n
10000

[root@master-1 ~]# cat /proc/sys/fs/file-max
381698

[root@master-1 ~]# systemctl status cockpit
● cockpit.service - Cockpit Web Service
   Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2016-12-07 10:24:08 EST; 13min ago
     Docs: man:cockpit-ws(8)
  Process: 3258 ExecStart=/usr/libexec/cockpit-ws (code=exited, status=0/SUCCESS)
  Process: 3255 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
 Main PID: 3258 (code=exited, status=0/SUCCESS)

Dec 07 10:22:38 master-1.example.com systemd[1]: Starting Cockpit Web Service...
Dec 07 10:22:38 master-1.example.com systemd[1]: Started Cockpit Web Service.
Dec 07 10:22:38 master-1.example.com cockpit-ws[3258]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 07 10:22:43 master-1.example.com cockpit-session[3499]: pam_ssh_add: Failed adding some keys
Dec 07 10:22:43 master-1.example.com cockpit-session[3499]: pam_limits(cockpit:session): Could not set limit for 'nofile': Operation not permitted
Dec 07 10:22:43 master-1.example.com cockpit-ws[3258]: cockpit-session: couldn't open session: cloud-user: Permission denied
Dec 07 10:23:26 master-1.example.com cockpit-session[4665]: pam_ssh_add: Failed adding some keys
Dec 07 10:23:26 master-1.example.com cockpit-session[4665]: pam_limits(cockpit:session): Could not set limit for 'nofile': Operation not permitted
Dec 07 10:23:26 master-1.example.com cockpit-ws[3258]: cockpit-session: couldn't open session: cloud-user: Permission denied
```