Bug 288861

Summary: selinux-policy breaks pam_limits by ignoring limits.conf
Product: [Fedora] Fedora
Reporter: Jim Radford <radford>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 8
CC: tmraz
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-09-21 18:02:15 UTC

Description Jim Radford 2007-09-13 06:49:55 UTC
After upgrading to selinux-policy-3.0.7-7.fc8 the following line in limits.conf
does not have the intended effect.

  * - rtprio 95

In particular 

  ulimit -a | grep real-time

gives

  real-time priority              (-r) 0

and not

  real-time priority              (-r) 95

like it used to with the selinux-policy from f7.

Comment 1 Daniel Walsh 2007-09-13 13:46:55 UTC
Are you seeing avc messages that would indicate SELinux is causing the problem?

Comment 2 Daniel Walsh 2007-09-13 17:25:38 UTC
Fixed in selinux-policy-2.4.6-88.fc6

Comment 3 Jim Radford 2007-09-13 18:34:47 UTC
(In reply to comment #1)
> Are you seeing avc messages that would indicate SELinux is causing the problem?

If I setenforce 0, then I get my realtime priority, so it *is* selinux.

Not obviously.  Maybe this one?

type=AVC msg=audit(1189683790.155:43): avc:  denied  { read } for  pid=6931 comm="consoletype" path="pipe:[24144]" dev=pipefs ino=24144 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file


Comment 4 Jim Radford 2007-09-13 18:45:46 UTC
(In reply to comment #2)
> Fixed in selinux-policy-2.4.6-88.fc6

I'm guessing that you meant

  selinux-policy-2.6.4-88.fc7

but I can't seem to find that either?


Comment 5 Daniel Walsh 2007-09-14 15:38:27 UTC
Ooops. Looks like I updated the wrong bugzilla.  

tomaz you have any idea?

You can execute 
# semodule -DB 

to turn off all dontaudit rules

Then try it out.

semodule -B 

Will turn rules back on.

Comment 6 Jim Radford 2007-09-14 16:30:05 UTC
(In reply to comment #5)
> You can execute 
> # semodule -DB 

Some of these look promising.

type=AVC msg=audit(1189787145.556:149): avc:  denied  { rlimitinh } for  pid=27784 comm="unix_update" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1189787145.724:160): avc:  denied  { rlimitinh } for  pid=27785 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=process

type=AVC msg=audit(1189787145.727:161): avc:  denied  { rlimitinh } for  pid=27786 comm="hal-acl-tool" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=process

type=AVC msg=audit(1189787168.553:169): avc:  denied  { rlimitinh } for  pid=27852 comm="load_policy" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:load_policy_t:s0 tclass=process
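
As an added example (not code from the bug thread or from the selinux-policy project), here is a small parser that pulls `process:rlimitinh` denials out of AVC audit lines like the ones above, once `semodule -DB` has exposed the dontaudit'd records, and reports which domain transition lost the inherited limits; when `rlimitinh` is denied on a transition the kernel resets the child's soft limits toward init's defaults, which is why the `rtprio 95` that pam_limits set on the login process showed up as 0 in the shell. The sample log is constructed from the lines quoted in comment 6 (with the extraction line wraps joined) plus the unrelated `read` denial from comment 3 to show that it is filtered out.

```python
import re

# Constructed sample: AVC records as quoted in this bug, joined back onto one
# line each, plus one non-rlimitinh denial that the filter must ignore.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1189787145.556:149): avc:  denied  { rlimitinh } for  pid=27784 comm="unix_update" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1189787145.724:160): avc:  denied  { rlimitinh } for  pid=27785 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1189683790.155:43): avc:  denied  { read } for  pid=6931 comm="consoletype" path="pipe:[24144]" dev=pipefs ino=24144 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (result, perms, then fields)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="bash", path="pipe:[24144]")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def domain(context):
    """Type field (user:role:TYPE[:range]) of a security context string."""
    return context.split(":")[2]


def rlimitinh_denials(log_text):
    """List (comm, source_domain, target_domain) for every denied process:rlimitinh.

    Each hit is a domain transition after which the new process no longer carries
    the rlimits its parent had (e.g. pam_limits' rtprio), so these are the
    transitions a policy fix has to allow rlimitinh on."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("tclass") == "process" \
                and "rlimitinh" in rec["perms"]:
            hits.append((rec["comm"], domain(rec["scontext"]), domain(rec["tcontext"])))
    return hits


if __name__ == "__main__":
    for comm, src, tgt in rlimitinh_denials(SAMPLE_AVC_LOG):
        # Candidate allow rule in policy syntax for the transition that dropped the limits.
        print(f"{src} -> {tgt} ({comm}): allow {src} {tgt}:process rlimitinh;")
```

The `bash` record is the one that explains this bug: the login transition from `local_login_t` into the user's `unconfined_t` shell lost the limits pam_limits had applied.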


Comment 7 Daniel Walsh 2007-09-18 17:34:21 UTC
Fixed in selinux-policy-3.0.8-1

Comment 8 Jim Radford 2007-09-21 00:18:57 UTC
Works for me now.  Thanks.