Bug 834306
| Summary: | dovecot is denied to start on s390x because of sys_resource AVC | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Sklenar <psklenar> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | azelinka, dwalsh, eparis, jjaburek, ksrot, lpol, lvrabec, mgrepl, mhlavink, mmalik, mvadkert, plautrba, psklenar, pvrabec, rskvaril, ssekidde, szidek |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | s390x | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 10:21:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1172908 | ||
| Bug Blocks: | 816135 | ||
sys_resource means that something on the system was running out of resources. Like max number of processes or open file descriptors. /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ #define CAP_SYS_RESOURCE 24 I am sure that dovecot does not need this. Either there is a problem with the kernel or you were running out of one of these resources. Are you still seeing this problem? yes, there is still the same issue:
distro: RHEL-7.0-20120711.2 Server s390x
[root@ibm-z10-30 ~]# service dovecot restart
Redirecting to /bin/systemctl restart dovecot.service
[root@ibm-z10-30 ~]# type=AVC msg=audit(1350315914.931:1914): avc: denied { sys_resource } for pid=6448 comm="dovecot" capability=24 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability
[root@ibm-z10-30 ~]# rpm -q dovecot selinux-policy
dovecot-2.1.6-2.el7.s390x
selinux-policy-3.10.0-137.el7.noarch
Could you include the entire output of ausearch -m avc -i I think this is potentially a kernel issue, unless this machine is stressed on the number of processes. I am closing this as I believe it is related to other problems with too many processes running as root, which causes random domains to get sys_resource limit errors. The domains are not that random. I've run into this again with dovecot on s390x. And here's someone having similar issue with dovecot on arm: http://forums.fedoraforum.org/showthread.php?t=284859 It seems dovecot is (for some reason) more resource intensive and hits the limit often. CCing dovecot maintainer. Michal, any idea why doevecot soemtimes tries to call setrlimit? Here's the avc I caught (dovecot still worked after it got logged so it wasn't critical): type=AVC msg=audit(7.2.2014 16:01:03.148:675) : avc: denied { sys_resource } for pid=54779 comm=dovecot capability=sys_resource scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability type=SYSCALL msg=audit(7.2.2014 16:01:03.148:675) : arch=s390x syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NPROC a1=0x3ffffe70630 a2=0xfffffffffffff001 a3=0x3fffd5cde1c items=0 ppid=1 pid=54779 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) I see this also with /CoreOS/openssh/Regression/bz714554-dovecot-can-be-restarted-via-ssh on our s390x host reliably ... I think this is a clone of bug #1172908 As dovecot changes some limits, it's probably necessary to modify selinux policy. Let's wait how is the clone bug solved and then decide what to do with this one. Just FYI:
I did my own test and everything seems fine with new selinux-policy:
# rpm -q dovecot
dovecot-2.2.10-4.el7_0.1.s390x
dovecot-2.2.10-4.el7_0.1.s390
# rpm -q selinux-policy
selinux-policy-3.13.1-14.el7.noarch
# d=`date +%T`; service dovecot restart; service dovecot stop; service dovecot start; ausearch -m avc -ts $d
Redirecting to /bin/systemctl restart dovecot.service
Redirecting to /bin/systemctl stop dovecot.service
Redirecting to /bin/systemctl start dovecot.service
<no matches>
When I downgraded to the version Petr used, I got some AVCs, but different ones:
# rpm -q dovecot
dovecot-2.2.10-4.el7_0.1.s390x
dovecot-2.2.10-4.el7_0.1.s390
# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.13.noarch
# d=`date +%T`; service dovecot restart; service dovecot stop; service dovecot start; ausearch -m avc -ts $d
Redirecting to /bin/systemctl restart dovecot.service
Redirecting to /bin/systemctl stop dovecot.service
Redirecting to /bin/systemctl start dovecot.service
----
time->Thu Jan 15 10:24:38 2015
type=SYSCALL msg=audit(1421335478.031:485): arch=80000016 syscall=106 success=no exit=-13 a0=2aae4d35bf7 a1=3ffff8afa28 a2=3ffff8afa28 a3=0 items=0 ppid=1 pid=32396 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1421335478.031:485): avc: denied { getattr } for pid=32396 comm="dovecot" path="/sys/fs/pstore" dev="pstore" ino=4032 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
It seems weird to me.. hope it might help somehow.
same issue as found in bug #1172908 Hello, is this bug report still valid? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |
Description of problem: dovecot is deny to start Version-Release number of selected component (if applicable): dovecot-2.1.6-2.el7.s390x selinux-policy-3.10.0-128.el7.noarch How reproducible: deterministic, trying s390x Steps to Reproduce: 1. service dovecot start 2. 3. Actual results: service dovecot restart Redirecting to /bin/systemctl restart dovecot.service audit.log: type=AVC msg=audit(1340298844.785:1903): avc: denied { sys_resource } for pid=57032 comm="dovecot" capability=24 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability /val/log/message Jun 21 13:21:16 ibm-z10-34 systemd[1]: getty holdoff time over, scheduling restart. Jun 21 13:21:26 ibm-z10-34 systemd[1]: getty holdoff time over, scheduling restart. Jun 21 13:21:37 ibm-z10-34 systemd[1]: getty holdoff time over, scheduling restart. Jun 21 13:21:38 ibm-z10-34 dovecot[57562]: Last died with error (see error log for more information): setrlimit(RLIMIT_NPROC, 3066): Operation not permitted Jun 21 13:21:38 ibm-z10-34 systemd[1]: dovecot.service: main process exited, code=exited, status=89 Jun 21 13:21:38 ibm-z10-34 systemd[1]: Unit dovecot.service entered failed state. Expected results: no avc, dovecot starts Additional info: