Description of problem:
By default CTDB provides the standard way for defining a configuration parameter named CTDB_MAX_OPEN_FILES [see man ctdbd.conf(5)] which, when set to a particular value, will re-configure the resource limit for the maximum number of open files. But in an environment where SELinux is set to 'Enforcing', the following AVC denials are seen in the audit logs and the corresponding limits therefore fail to change:

type=AVC msg=audit(1500360590.186:345): avc: denied { sys_resource } for pid=6031 comm="ctdbd_wrapper" capability=24 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1500360590.186:345): arch=c000003e syscall=160 success=no exit=-1 a0=7 a1=7fff4bd7c780 a2=2 a3=7f8781c0dee0 items=0 ppid=1 pid=6031 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)
type=AVC msg=audit(1500363357.648:1214): avc: denied { sys_resource } for pid=28137 comm="ctdbd_wrapper" capability=24 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=AVC msg=audit(1500363357.648:1214): avc: denied { setrlimit } for pid=28137 comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
type=SYSCALL msg=audit(1500363357.648:1214): arch=c000003e syscall=160 success=yes exit=0 a0=7 a1=7fffd21a2c10 a2=2 a3=7f8ef21d7ee0 items=0 ppid=1 pid=28137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ctdbd_wrapper" exe="/usr/bin/bash" subj=system_u:system_r:ctdbd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)
# cat /etc/redhat-storage-release
Red Hat Gluster Storage Server 3.3.0
# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
# rpm -qa | grep ctdb
ctdb-tests-4.6.3-3.el7rhgs.x86_64
ctdb-4.6.3-3.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Have a RHGS Samba-CTDB setup.
2. Make sure that SELinux is set to 'Enforcing'.
   # getenforce
   Enforcing
3. Add the following to /etc/sysconfig/ctdb.
   CTDB_MAX_OPEN_FILES=16384
4. Start/Re-start ctdb service.
5. Check the resource limit.
   # cat /proc/`pgrep ctdbd`/limits | grep "open files"
   Max open files 1024 4096 files
6. Check audit logs for AVC on sys_resource.
7. Change SELinux mode from 'Enforcing' to 'Permissive'.
   # setenforce 0
8. Restart ctdb service.
9. Check resource limit.
   # cat /proc/`pgrep ctdbd`/limits | grep "open files"
   Max open files 16384 16384 files
10. Check for AVCs in audit logs.

Actual results:
AVC denials are seen and resource limits are not changed in 'Enforcing' mode.

Expected results:
No AVCs must be present in audit logs and resource limits should be changed.

Additional info:
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : capability "
allow ctdbd_t ctdbd_t : capability { chown net_bind_service net_admin net_raw ipc_lock sys_nice } ;
# sesearch --allow | grep "allow ctdbd_t ctdbd_t : process "
allow ctdbd_t ctdbd_t : process { fork sigchld sigkill sigstop signull signal getsched setsched setpgid getcap } ;
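Added here as a worked check, not code from this report or from the ctdb or selinux-policy packages: a Python helper that parses the AVC records quoted above into the allow rules they imply (the way audit2allow derives them) and verifies the 'Max open files' line of /proc/<pid>/limits against the configured CTDB_MAX_OPEN_FILES value. The sample audit lines are copied from the report; the function names are assumptions of this example.

```python
import re

# AVC records copied from the audit log quoted in this bug report; one SYSCALL
# record is kept to show that non-AVC records are skipped by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1500360590.186:345): avc:  denied  { sys_resource } for  pid=6031 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=SYSCALL msg=audit(1500360590.186:345): arch=c000003e syscall=160 success=no exit=-1 comm="ctdbd_wrapper" exe="/usr/bin/bash"
type=AVC msg=audit(1500363357.648:1214): avc:  denied  { sys_resource } for  pid=28137 comm="ctdbd_wrapper" capability=24  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability
type=AVC msg=audit(1500363357.648:1214): avc:  denied  { setrlimit } for  pid=28137 comm="ctdbd_wrapper" scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*comm="(?P<comm>[^"]+)"'
    r'.*scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def parse_avc_denials(audit_text):
    """Extract comm, permissions, source type, target type and class from AVC denied records."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                'comm': m.group('comm'),
                'perms': m.group('perms').split(),
                'stype': m.group('scon').split(':')[2],  # system_u:system_r:ctdbd_t:s0 -> ctdbd_t
                'ttype': m.group('tcon').split(':')[2],
                'tclass': m.group('tclass'),
            })
    return denials

def required_allow_rules(denials):
    """Merge denials into the allow rules that would satisfy them, audit2allow style:
    one rule per (source, target, class), with 'self' when both types match."""
    rules = {}
    for d in denials:
        target = 'self' if d['stype'] == d['ttype'] else d['ttype']
        rules.setdefault((d['stype'], target, d['tclass']), set()).update(d['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in rules.items())

def open_files_limit_applied(limits_text, wanted):
    """Check the 'Max open files' line of /proc/<pid>/limits: both the soft and the
    hard limit must equal the configured CTDB_MAX_OPEN_FILES value."""
    for line in limits_text.splitlines():
        if line.startswith('Max open files'):
            soft, hard = line.split()[3:5]
            return int(soft) == wanted and int(hard) == wanted
    raise ValueError('no "Max open files" line found')
```

Running required_allow_rules over the report's records yields exactly the two permissions missing from the sesearch output above: sys_resource on the capability class and setrlimit on the process class, both for ctdbd_t against itself.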
Followed the steps to reproduce:
1. Have a RHGS Samba-CTDB setup.
2. Make sure that SELinux is set to 'Enforcing'.
   # getenforce
   Enforcing
3. Add the following to /etc/sysconfig/ctdb.
   CTDB_MAX_OPEN_FILES=16384
4. Start/Re-start ctdb service.
5. Check the resource limit.
   # cat /proc/`pgrep ctdbd`/limits | grep "open files"
   Max open files 1024 4096 files
6. Check audit logs for AVC on sys_resource.

No AVCs are present in audit logs and resource limits are updated.
cat /proc/`pgrep ctdbd`/limits | grep "open files"
Max open files 16384 16384 files

Version:
selinux-policy-targeted-3.13.1-189.el7.noarch
samba-4.7.5-101.el7rhgs.x86_64