| Summary: | SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from using the 'sys_resource' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Hicham HAOUARI <hicham.haouari> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, eparis, icj, mgrepl, sgrubb |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f96a8d80677f75b748cd0e08b31b94d4dcf993f89776a045e64dd856426910c4 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-26 20:39:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you read the alert? sys_resource, means your system is running out of resources. Usually disks are filling up. root partition have 4GB free /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ #define CAP_SYS_RESOURCE 24 Well it would be caused by one of these. Steve, the SYSCALL record from this denial shows syscall=None. I'm not sure what mechanism Dan is using to interpret the records, but what the heck does 'None' mean? audit.audit_syscall_to_name(int(value),audit.audit_detect_machine()) Libauparse uses this, "unknown syscall(%d)", to write out the name of the syscall when its not known. I can't find the word, "None" is any of the audit source code except the python bindings - which are auto generated. I don't know if python is the source of the problem or if setroubleshoot fills in None in some circumstances. Hicham could you grab the AVC out of /var/log/audit/audit.log to see the original. ausearch -m avc Thanks. Steve None probably means failure.
I just changed my code to:
if key == "syscall":
syscall_name = audit.audit_syscall_to_name(int(value),audit.audit_detect_machine())
if syscall_name:
value = syscall_name
|
SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from using the 'sys_resource' capabilities. ***** Plugin sys_resource (91.4 confidence) suggests *********************** If you do not want to get this AVC any longer. These AVC's are caused by running out of resources, usually disk space on your / partition. Then you must cleanup diskspace or make sure you are not running too many processes. Do clear up your disk. ***** Plugin catchall (9.59 confidence) suggests *************************** If you believe that polkit-agent-helper-1 should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c 0.c1023 Target Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c 0.c1023 Target Objects Unknown [ capability ] Source polkit-agent-he Source Path /usr/libexec/polkit-1/polkit-agent-helper-1 Port <Unknown> Host (removed) Source RPM Packages polkit-0.98-5.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.13-5.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-0.rc2.git3.2.fc15.i686 #1 SMP Wed Jan 26 01:25:35 UTC 2011 i686 i686 Alert Count 3 First Seen Thu 27 Jan 2011 01:08:21 PM WET Last Seen Thu 27 Jan 2011 01:08:24 PM WET Local ID 3c50c83c-4f60-4ab8-ac25-d488989c463e Raw Audit Messages type=AVC msg=audit(1296133704.915:75): avc: denied { sys_resource } for pid=3040 comm="polkit-agent-he" capability=24 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1296133704.915:75): arch=i386 syscall=None success=no exit=EPERM a0=0 a1=7 a2=0 a3=bfa3cb50 items=0 ppid=3031 pid=3040 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null) Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,capability,sys_resource audit2allow #============= policykit_auth_t ============== allow policykit_auth_t self:capability sys_resource; audit2allow -R #============= policykit_auth_t ============== allow policykit_auth_t self:capability sys_resource;