Hide Forgot
Description of problem: After upgrade to RHEL 7.3, connection to cockpit dashboard fails with Permission denied when the user has limits configured. A setrlimit attempt avc denial is reported by audit. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7_3.4.noarch cockpit-118-2.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Connect with a browser to a RHEL 7.3 vm: https://rhel73:9090/ 2. Login with root or any other user 3. Add a limit configuration line: echo "* hard core 0" >> /etc/security/limits.conf 4. Reboot 5. Try to login to cockpit again. Actual results: Permission denied message Expected results: Log in without error messages Additional info: Dec 02 10:50:46 rhel73 cockpit-session[1234]: pam_ssh_add: Failed adding some keys Dec 02 10:50:46 rhel73 cockpit-session[4455]: pam_limits(cockpit:session): Could not set limit for 'core': Permission denied Dec 02 10:50:46 rhel73 cockpit-ws[1111]: cockpit-session: couldn't open session: root: Permission denied
Audit entries: type=SERVICE_START msg=audit(1480694554.810:141): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=USER_AUTH msg=audit(1480694554.876:142): pid=2304 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=pam_unix acct="username" exe="/usr/libexec/cockpit-session" hostname=192.168.22.1 addr=192.168.22.1 terminal=? res=success' type=USER_ACCT msg=audit(1480694554.877:143): pid=2304 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="username" exe="/usr/libexec/cockpit-session" hostname=192.168.22.1 addr=192.168.22.1 terminal=? res=success' type=CRED_ACQ msg=audit(1480694554.878:144): pid=2304 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_unix acct="username" exe="/usr/libexec/cockpit-session" hostname=192.168.22.1 addr=192.168.22.1 terminal=? res=success' type=LOGIN msg=audit(1480694554.878:145): pid=2304 uid=0 subj=system_u:system_r:cockpit_session_t:s0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=4 res=1 type=USER_ROLE_CHANGE msg=audit(1480694554.954:146): pid=2304 uid=0 auid=1000 ses=4 subj=system_u:system_r:cockpit_session_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/libexec/cockpit-session" hostname=192.168.22.1 addr=192.168.22.1 terminal=? res=success' type=AVC msg=audit(1480694554.971:147): avc: denied { setrlimit } for pid=2304 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=process type=SYSCALL msg=audit(1480694554.971:147): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff74105f30 a2=7f98435af768 a3=0 items=0 ppid=2300 pid=2304 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="cockpit-session" exe="/usr/libexec/cockpit-session" subj=system_u:system_r:cockpit_session_t:s0 key=(null) type=USER_START msg=audit(1480694554.988:148): pid=2304 uid=0 auid=1000 ses=4 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:session_open grantors=? acct="username" exe="/usr/libexec/cockpit-session" hostname=192.168.22.1 addr=192.168.22.1 terminal=? res=failed' type=SERVICE_STOP msg=audit(1480694644.846:149): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Looks like some changes were made in the policy: rhel72# sesearch -s cockpit_session_t -t cockpit_session_t -c process -A Found 4 semantic av rules: allow cockpit_session_t cockpit_session_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getcap getattr setexec setrlimit setkeycreate } ; allow login_pgm domain : process sigkill ; allow cockpit_session_t cockpit_session_t : process setfscreate ; allow cockpit_session_t cockpit_session_t : process setfscreate ; rhel73# sesearch -s cockpit_session_t -t cockpit_session_t -c process -A Found 4 semantic av rules: allow login_pgm domain : process sigkill ; allow cockpit_session_t cockpit_session_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getcap setexec setkeycreate } ; allow cockpit_session_t cockpit_session_t : process setfscreate ; allow cockpit_session_t cockpit_session_t : process setfscreate ; f22 and f25 looks the same like rhel73
Related to bug 1402495
*** Bug 1402495 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861