Bug 1499046 - Selinux policy prevents systemd-sysctl from changing user.max_user_namespaces
Summary: Selinux policy prevents systemd-sysctl from changing user.max_user_namespaces
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1186913
TreeView+ depends on / blocked
 
Reported: 2017-10-05 22:38 UTC by Matthew L
Modified: 2018-10-30 10:02 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:01:27 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3238261 None None None 2017-11-13 07:13:29 UTC
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:02:38 UTC

Description Matthew L 2017-10-05 22:38:14 UTC
Description of problem:

With kernel kernel-3.10.0-693.2.2.el7.x86_64, it is required to set:

sysctl user.max_namespaces=15000

(or any value greater than 0, the default).

Attempting to do so via /etc/sysctl or /etc/sysctl.d/file.conf does not work, as systemd-sysctl does not have the correct permissions:

Oct 05 22:25:40 ip-10-0-0-177.ec2.internal kernel: type=1400 audit(1507242340.610:4): avc:  denied  { sys_resource } for  pid=351 comm="systemd-sysctl" capability=24  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability
Oct 05 22:25:40 ip-10-0-0-177.ec2.internal systemd-sysctl[351]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied
Oct 05 22:25:42 ip-10-0-0-177.ec2.internal systemd-sysctl[629]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied
Oct 05 22:25:42 ip-10-0-0-177.ec2.internal systemd-sysctl[755]: Failed to write '15000' to '/proc/sys/user/max_user_namespaces': Permission denied


Version-Release number of selected component (if applicable):

[ec2-user@ip-10-0-0-177 ~]$ rpm -q kernel selinux-policy
kernel-3.10.0-693.2.2.el7.x86_64
selinux-policy-3.13.1-166.el7_4.4.noarch


How reproducible:

Very.


Steps to Reproduce:
1. On RHEL7 instance with latest packages, including kernel & selinux-policy above.
2. echo "user.max_user_namespaces=15000" >> /etc/sysctl.conf
3. Reboot
4. Look at journald logs

Actual results:

sysctl is not updated

Expected results:

sysctl is updated to the value in /etc/sysctl.conf

Additional info:

Comment 2 Milos Malik 2017-10-06 09:28:15 UTC
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(10/06/2017 05:24:37.069:27) : proctitle=/lib/systemd/systemd-sysctl 
type=PATH msg=audit(10/06/2017 05:24:37.069:27) : item=1 name=/proc/sys/user/max_user_namespaces inode=11326 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=NORMAL 
type=PATH msg=audit(10/06/2017 05:24:37.069:27) : item=0 name=/proc/sys/user/ inode=11325 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=PARENT 
type=CWD msg=audit(10/06/2017 05:24:37.069:27) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(10/06/2017 05:24:37.069:27) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x55bed92a4230 a1=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a2=0666 a3=0x24 items=2 ppid=563 pid=741 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysctl exe=/usr/lib/systemd/systemd-sysctl subj=system_u:system_r:systemd_sysctl_t:s0 key=(null) 
type=AVC msg=audit(10/06/2017 05:24:37.069:27) : avc:  denied  { sys_resource } for  pid=741 comm=systemd-sysctl capability=sys_resource  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability 
----

Comment 3 Milos Malik 2017-10-06 09:32:01 UTC
Following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(10/06/2017 05:28:53.935:25) : proctitle=/lib/systemd/systemd-sysctl 
type=PATH msg=audit(10/06/2017 05:28:53.935:25) : item=1 name=/proc/sys/user/max_user_namespaces inode=11417 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=NORMAL 
type=PATH msg=audit(10/06/2017 05:28:53.935:25) : item=0 name=/proc/sys/user/ inode=11416 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_t:s0 objtype=PARENT 
type=CWD msg=audit(10/06/2017 05:28:53.935:25) :  cwd=/etc/sysconfig/network-scripts 
type=SYSCALL msg=audit(10/06/2017 05:28:53.935:25) : arch=x86_64 syscall=open success=yes exit=4 a0=0x55a4270d9230 a1=O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC a2=0666 a3=0x24 items=2 ppid=562 pid=621 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sysctl exe=/usr/lib/systemd/systemd-sysctl subj=system_u:system_r:systemd_sysctl_t:s0 key=(null) 
type=AVC msg=audit(10/06/2017 05:28:53.935:25) : avc:  denied  { sys_resource } for  pid=621 comm=systemd-sysctl capability=sys_resource  scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability 
----

Comment 5 Oliver Freyermuth 2017-12-06 22:43:26 UTC
I can't access the knowledge base since I am not a subscriber, but for me, creating the following SELinux module worked:
#============= systemd_sysctl_t ==============
allow systemd_sysctl_t self:capability sys_resource;

Comment 6 Valentin Kulesh 2018-02-05 19:33:44 UTC
Still occurs in RHEL 7.5 beta:
kernel-3.10.0-830.el7.x86_64
selinux-policy-3.13.1-183.el7.noarch

Comment 9 errata-xmlrpc 2018-10-30 10:01:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.