Bug 1491235 – SELinux doesn't allow CTDB to set system resource limits

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1491235 - SELinux doesn't allow CTDB to set system resource limits

Summary:	SELinux doesn't allow CTDB to set system resource limits

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	x86_64 Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1472171
	Show dependency tree / graph

Reported:	2017-09-13 07:32 EDT by Anoop C S
Modified:	2018-04-10 08:44 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:	selinux-policy-3.13.1-174.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:	1472171
Environment:
Last Closed:	2018-04-10 08:43:43 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Flags:	toneata: needinfo-

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	None	None	None	2018-04-10 08:44 EDT

Groups: None (edit)

Comment 2 Milos Malik 2017-09-13 12:31:17 EDT

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(09/13/2017 12:28:06.850:300) : proctitle=/bin/sh /usr/sbin/ctdbd_wrapper /run/ctdb/ctdbd.pid start 
type=SYSCALL msg=audit(09/13/2017 12:28:06.850:300) : arch=x86_64 syscall=setrlimit success=yes exit=0 a0=RLIMIT_NOFILE a1=0x7ffc38019a00 a2=0x2 a3=0x7f20881c9960 items=0 ppid=1 pid=10557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ctdbd_wrapper exe=/usr/bin/bash subj=system_u:system_r:ctdbd_t:s0 key=(null) 
type=AVC msg=audit(09/13/2017 12:28:06.850:300) : avc:  denied  { setrlimit } for  pid=10557 comm=ctdbd_wrapper scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=process 
type=AVC msg=audit(09/13/2017 12:28:06.850:300) : avc:  denied  { sys_resource } for  pid=10557 comm=ctdbd_wrapper capability=sys_resource  scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=capability 
----

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-166.el7.noarch
selinux-policy-3.13.1-166.el7.noarch
#

Comment 12 errata-xmlrpc 2018-04-10 08:43:43 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.