Bug 288861 - selinux-policy breaks pam_limits by ignoring limits.conf
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-13 02:49 EDT by Jim Radford
Modified: 2007-11-30 17:12 EST (History)
Last Closed: 2007-09-21 14:02:15 EDT
Description Jim Radford 2007-09-13 02:49:55 EDT
After upgrading to selinux-policy-3.0.7-7.fc8 the following line in limits.conf
does not have the intended effect.

  * - rtprio 95

In particular 

  ulimit -a | grep real-time

gives

  real-time priority              (-r) 0

and not

  real-time priority              (-r) 95

like it used to with the selinux-policy from f7.
Comment 1 Daniel Walsh 2007-09-13 09:46:55 EDT
Are you seeing avc messages that would indicate SELinux is causing the problem?
Comment 2 Daniel Walsh 2007-09-13 13:25:38 EDT
Fixed in selinux-policy-2.4.6-88.fc6
Comment 3 Jim Radford 2007-09-13 14:34:47 EDT
(In reply to comment #1)
> Are you seeing avc messages that would indicate SELinux is causing the problem?

If I setenforce 0, then I get my realtime priority, so it *is* selinux.

Not obviously.  Maybe this one?

type=AVC msg=audit(1189683790.155:43): avc:  denied  { read } for  pid=6931 comm="consoletype" path="pipe:[24144]" dev=pipefs ino=24144 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
Comment 4 Jim Radford 2007-09-13 14:45:46 EDT
(In reply to comment #2)
> Fixed in selinux-policy-2.4.6-88.fc6

I'm guessing that you meant

  selinux-policy-2.6.4-88.fc7

but I can't seem to find that either?
Comment 5 Daniel Walsh 2007-09-14 11:38:27 EDT
Oops. Looks like I updated the wrong bugzilla.

tomaz, do you have any idea?

You can execute

  # semodule -DB

to turn off all dontaudit rules.

Then try it out.

  # semodule -B

will turn the rules back on.
Comment 6 Jim Radford 2007-09-14 12:30:05 EDT
(In reply to comment #5)
> You can execute 
> # semodule -DB 

Some of these look promising.

type=AVC msg=audit(1189787145.556:149): avc:  denied  { rlimitinh } for  pid=27784 comm="unix_update" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1189787145.724:160): avc:  denied  { rlimitinh } for  pid=27785 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=process

type=AVC msg=audit(1189787145.727:161): avc:  denied  { rlimitinh } for  pid=27786 comm="hal-acl-tool" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=process

type=AVC msg=audit(1189787168.553:169): avc:  denied  { rlimitinh } for  pid=27852 comm="load_policy" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:load_policy_t:s0 tclass=process
Comment 7 Daniel Walsh 2007-09-18 13:34:21 EDT
Fixed in selinux-policy-3.0.8-1
Comment 8 Jim Radford 2007-09-20 20:18:57 EDT
Works for me now.  Thanks.
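Added example, not part of the bug report: a small Python parser that pulls the process:rlimitinh denials out of audit lines like the ones quoted above and turns them into the allow rules a policy fix needs. When rlimitinh is denied on a domain transition the kernel resets the new process's soft limits to init's values, which is why the rtprio limit that pam_limits sets in the login domain shows up as 0 in the user's shell. The sample audit lines are constructed from the ones in the bug; the parser is my own, not audit2allow.

```python
import re

# Constructed sample mirroring the denials quoted in the bug (not a verbatim copy).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1189787145.556:149): avc:  denied  { rlimitinh } for  pid=27784 comm="unix_update" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:updpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1189787145.724:160): avc:  denied  { rlimitinh } for  pid=27785 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1189683790.155:43): avc:  denied  { read } for  pid=6931 comm="consoletype" path="pipe:[24144]" dev=pipefs ino=24144 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
"""

# Matches the fields of an AVC denial; the optional path=/dev=/ino= fields
# between comm= and scontext= are skipped by the non-greedy .*?
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain(context):
    """Type field (third colon-separated element) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line into a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "source": domain(m.group("scontext")),
        "target": domain(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def rlimit_losing_transitions(text):
    """(source domain, target domain, comm) for every process:rlimitinh denial.
    Each one is a transition on which the new process's soft rlimits were reset,
    so limits pam_limits applied in the source domain do not reach the target."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "process" and "rlimitinh" in rec["perms"]:
            out.append((rec["source"], rec["target"], rec["comm"]))
    return out

def suggested_rules(text):
    """Sorted, de-duplicated allow rules that would let the rlimits inherit."""
    return sorted({f"allow {s} {t}:process rlimitinh;"
                   for s, t, _ in rlimit_losing_transitions(text)})
```

Feed it `ausearch -m avc` output (after `semodule -DB`, as suggested in comment 5) to see which transitions on a box are dropping the pam_limits settings.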
