Bug 1402495 - Unable to login to gui - error "could not set limit for 'XXXX': Operation not permitted"
Keywords:
Status: CLOSED DUPLICATE of bug 1402316
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-07 16:33 UTC by Ryan Howe
Modified: 2020-07-16 09:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-13 08:34:03 UTC
Target Upstream Version:




Links: Red Hat Knowledge Base (Solution) 2801961 (last updated 2016-12-09 19:40:06 UTC)

Description Ryan Howe 2016-12-07 16:33:03 UTC
Description of problem:

When nofile is set in limits.conf, users are unable to log in to the cockpit GUI. SELinux denies cockpit_session_t the "setrlimit" syscall.


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server 7.x

cockpit-shell-0.114-2.el7.noarch
cockpit-kubernetes-0.114-2.el7.x86_64
cockpit-bridge-0.114-2.el7.x86_64
cockpit-docker-0.114-2.el7.x86_64
cockpit-ws-0.114-2.el7.x86_64

How reproducible:
100%


Steps to Reproduce:
1. Set nofile limit in /etc/security/limits.conf
2. Log in to cockpit


Actual results:

  Permission denied

Expected results:
 
  Be able to log in

Additional info:

[root@master-1 ~]# ausearch -i -m avc -ts recent
----
type=SYSCALL msg=audit(12/07/2016 11:29:16.540:1652) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc2d4ffaf0 a2=0x7f8c93287768 a3=0x0 items=0 ppid=16322 pid=16652 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=15 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null) 
type=AVC msg=audit(12/07/2016 11:29:16.540:1652) : avc:  denied  { sys_resource } for  pid=16652 comm=cockpit-session capability=sys_resource  scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability 
----
type=SYSCALL msg=audit(12/07/2016 11:29:38.092:1667) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc13a0d5e0 a2=0x7f0999397768 a3=0x0 items=0 ppid=16322 pid=16722 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=16 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null) 
type=AVC msg=audit(12/07/2016 11:29:38.092:1667) : avc:  denied  { sys_resource } for  pid=16722 comm=cockpit-session capability=sys_resource  scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability 


[root@master-1 ~]#  cat /etc/security/limits.conf | grep -v "^#"
*         hard    nofile      10000
*         soft    nofile      10000
root      hard    nofile      10000
root      soft    nofile      10000

[root@master-1 ~]# ulimit -n
10000

[root@master-1 ~]# cat /proc/sys/fs/file-max
381698

[root@master-1 ~]# systemctl status cockpit
● cockpit.service - Cockpit Web Service
   Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2016-12-07 10:24:08 EST; 13min ago
     Docs: man:cockpit-ws(8)
  Process: 3258 ExecStart=/usr/libexec/cockpit-ws (code=exited, status=0/SUCCESS)
  Process: 3255 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type=etc_t (code=exited, status=0/SUCCESS)
 Main PID: 3258 (code=exited, status=0/SUCCESS)
 
Dec 07 10:22:38 master-1.example.com systemd[1]: Starting Cockpit Web Service...
Dec 07 10:22:38 master-1.example.com systemd[1]: Started Cockpit Web Service.
Dec 07 10:22:38 master-1.example.com cockpit-ws[3258]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
Dec 07 10:22:43 master-1.example.com cockpit-session[3499]: pam_ssh_add: Failed adding some keys
Dec 07 10:22:43 master-1.example.com cockpit-session[3499]: pam_limits(cockpit:session): Could not set limit for 'nofile': Operation not permitted
Dec 07 10:22:43 master-1.example.com cockpit-ws[3258]: cockpit-session: couldn't open session: cloud-user: Permission denied
Dec 07 10:23:26 master-1.example.com cockpit-session[4665]: pam_ssh_add: Failed adding some keys
Dec 07 10:23:26 master-1.example.com cockpit-session[4665]: pam_limits(cockpit:session): Could not set limit for 'nofile': Operation not permitted
Dec 07 10:23:26 master-1.example.com cockpit-ws[3258]: cockpit-session: couldn't open session: cloud-user: Permission denied
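Added example, not code from the report or from the Cockpit or selinux-policy projects: a small Python parser that groups `ausearch -i` records like the ones above by audit event serial, pairs the failed SYSCALL with any AVC denial in the same event, and flags the exact signature this bug describes (cockpit_session_t denied the sys_resource capability on setrlimit). The sample records are constructed: the first two copy the report's event 1652, the third is a made-up open() failure with no AVC record, included to show that a failing syscall with EPERM/EACCES alone does not mean SELinux was the cause.

```python
import re

# Constructed sample shaped like the report's "ausearch -i" output: the report's setrlimit
# event (serial 1652) plus a made-up open() failure (serial 1700) with no AVC record.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(12/07/2016 11:29:16.540:1652) : arch=x86_64 syscall=setrlimit success=no exit=-1(Operation not permitted) a0=RLIMIT_NOFILE a1=0x7ffc2d4ffaf0 a2=0x7f8c93287768 a3=0x0 items=0 ppid=16322 pid=16652 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=15 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(12/07/2016 11:29:16.540:1652) : avc:  denied  { sys_resource } for  pid=16652 comm=cockpit-session capability=sys_resource  scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=capability
type=SYSCALL msg=audit(12/07/2016 11:30:02.000:1700) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f0000001000 a1=O_RDONLY a2=0x0 a3=0x0 items=0 ppid=1 pid=4242 auid=cloud-user uid=cloud-user gid=cloud-user euid=cloud-user suid=cloud-user fsuid=cloud-user egid=cloud-user sgid=cloud-user fsgid=cloud-user tty=pts0 ses=17 comm=cat exe=/usr/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
FIELD_RE = re.compile(r"(\w+)=([^\s(]*(?:\([^)]*\))?)")  # handles exit=-1(Operation not permitted)
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

def parse_events(text):
    """Group records by audit event serial: one SYSCALL plus any denied AVCs."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"syscall": None, "avc": []})
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "AVC" and "denied" in line:
            perms = PERMS_RE.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
            ev["avc"].append(fields)
    return events

def classify_failures(text):
    """For each failed syscall, say whether an AVC denial in the same event explains it."""
    findings = []
    for serial, ev in parse_events(text).items():
        sc = ev["syscall"]
        if not sc or sc.get("success") != "no":
            continue
        findings.append({
            "serial": serial, "comm": sc.get("comm"), "syscall": sc.get("syscall"),
            "domain": sc["subj"].split(":")[2] if "subj" in sc else None,
            "selinux": bool(ev["avc"]),  # False: the EPERM/EACCES did not come from SELinux
            "denied": sorted({(a.get("tclass"), p) for a in ev["avc"] for p in a["perms"]}),
        })
    return findings

def cockpit_setrlimit_denials(text):
    """The report's exact signature: cockpit_session_t denied sys_resource on setrlimit."""
    return [f for f in classify_failures(text) if f["syscall"] == "setrlimit"
            and f["domain"] == "cockpit_session_t" and ("capability", "sys_resource") in f["denied"]]
```

Feed it the output of `ausearch -i -ts recent` (without `-m avc`, so SYSCALL records of non-SELinux failures are kept too) to separate policy denials like this one from ordinary permission errors.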

Comment 3 Lukas Vrabec 2016-12-13 08:34:03 UTC

*** This bug has been marked as a duplicate of bug 1402316 ***

