Description of problem: 1. Start Cockpit 2. Attempt to login using an Admin account 3. Login is denied due to a SeLinux denial Cockpit as a service should by default have access to these privilages SELinux is preventing /usr/libexec/cockpit-session from using the 'sys_resource' capabilities. ***** Plugin sys_resource (91.4 confidence) suggests ********************** If you do not want processes to require capabilities to use up all the system resources on your system; Then you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ Do fix the cause of the SYS_RESOURCE on your system. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that cockpit-session should have the sys_resource capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep cockpit-session /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cockpit_session_t:s0 Target Context system_u:system_r:cockpit_session_t:s0 Target Objects Unknown [ capability ] Source cockpit-session Source Path /usr/libexec/cockpit-session Port <Unknown> Host (removed) Source RPM Packages cockpit-ws-0.60-1.fc22.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.1.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.0.4-303.fc22.x86_64 #1 SMP Thu May 28 12:37:06 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-06-22 22:37:16 EDT Last Seen 2015-06-22 22:37:16 EDT Local ID 560785e0-ec82-4d91-8c06-8031d98af15e Raw Audit Messages type=AVC msg=audit(1435027036.201:8013): avc: denied { sys_resource } for pid=26212 comm="cockpit-session" capability=24 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability permissive=0 type=SYSCALL msg=audit(1435027036.201:8013): arch=x86_64 syscall=setrlimit success=no exit=EPERM a0=8 a1=7ffcf0279580 a2=0 a3=7ff4c4cbf200 items=0 ppid=25899 pid=26212 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null) Hash: cockpit-session,cockpit_session_t,cockpit_session_t,capability,sys_resource Version-Release number of selected component: selinux-policy-3.13.1-128.1.fc22.noarch Additional info: reporter: libreport-2.6.0 hashmarkername: setroubleshoot kernel: 4.0.4-303.fc22.x86_64 type: libreport
Cockpit folks, Can we allow this? Do you know whats going on here? Thank you!
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.