For 389 DS, the /etc/sysconfig/dirsrv file reads:

    # In order to make more file descriptors available
    # to the directory server, first make sure the system
    # hard limits are raised, then use ulimit - uncomment
    # out the following line and change the value to the
    # desired value
    ulimit -n 8192
    ulimit -c unlimited

However, SELinux prevents this from happening with the following AVCs:

    type=AVC msg=audit(1309882092.965:4116): avc: denied { sys_resource } for pid=19765 comm="start-ds-admin" capability=24 scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=capability
    type=AVC msg=audit(1309882092.965:4116): avc: denied { setrlimit } for pid=19765 comm="start-ds-admin" scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=process
    type=SYSCALL msg=audit(1309882092.965:4116): arch=x86_64 syscall=setrlimit success=yes exit=0 a0=7 a1=7fffe398cce0 a2=0 a3=4 items=0 ppid=19748 pid=19765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=start-ds-admin exe=/bin/bash subj=system_u:system_r:dirsrvadmin_t:s0 key=(null)
    Hash: start-ds-admin,dirsrvadmin_t,dirsrvadmin_t,capability,sys_resource

audit2allow:

    #============= dirsrvadmin_t ==============
    allow dirsrvadmin_t self:capability sys_resource;
    allow dirsrvadmin_t self:process setrlimit;

audit2allow -R:

    #============= dirsrvadmin_t ==============
    allow dirsrvadmin_t self:capability sys_resource;
    allow dirsrvadmin_t self:process setrlimit;
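As an added example (not code from the report, the selinux-policy package or audit2allow itself), this reproduces the mapping the reporter's audit2allow run performs: it parses the type=AVC records above into allow rules, keeping only the type component of each context and writing `self` when source and target types coincide, as audit2allow does. The sample records are the ones quoted in the report; the `SAMPLE` constant and function names are this example's own.

```python
import re

# Fields audit2allow needs from a type=AVC record: the denied permission set,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def domain_type(context):
    """Return the type (third field) of a context such as
    system_u:system_r:dirsrvadmin_t:s0."""
    return context.split(':')[2]


def allow_rules(audit_text):
    """Return the deduplicated, sorted allow rules implied by the AVC denials
    in audit_text. SYSCALL and other non-AVC records are ignored, and the
    repeated copies of a denial (as in the report) collapse into one rule."""
    rules = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        source = domain_type(m.group('scontext'))
        target = domain_type(m.group('tcontext'))
        # audit2allow writes 'self' when source and target types are the same
        target = 'self' if target == source else target
        key = (source, target, m.group('tclass'))
        rules.setdefault(key, set()).update(m.group('perms').split())
    out = []
    for (source, target, tclass), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        out.append(f'allow {source} {target}:{tclass} {plist};')
    return out


# Constructed sample: the two denials and the SYSCALL record from the report.
SAMPLE = """\
type=AVC msg=audit(1309882092.965:4116): avc: denied { sys_resource } for pid=19765 comm="start-ds-admin" capability=24 scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=capability
type=AVC msg=audit(1309882092.965:4116): avc: denied { setrlimit } for pid=19765 comm="start-ds-admin" scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=process
type=SYSCALL msg=audit(1309882092.965:4116): arch=x86_64 syscall=setrlimit success=yes exit=0 a0=7 a1=7fffe398cce0 a2=0 a3=4 items=0 ppid=19748 pid=19765 auid=4294967295 uid=0 gid=0 euid=0 comm=start-ds-admin exe=/bin/bash subj=system_u:system_r:dirsrvadmin_t:s0 key=(null)
"""

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE + SAMPLE):  # duplicated records, one rule each
        print(rule)
```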
Fixed in selinux-policy-3.9.16-33.fc15
I can confirm this fix using selinux-policy-3.9.16-33.fc15 (targeted) from Koji. Thanks again.
selinux-policy-3.9.16-35.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
Package selinux-policy-3.9.16-35.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-35.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-35.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-35.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
It appears that this problem crept up again using: selinux-policy-targeted-3.9.16-38.fc15.noarch

    type=AVC msg=audit(1315423223.300:8): avc: denied { sys_resource } for pid=1082 comm="start-ds-admin" capability=24 scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=capability
    type=AVC msg=audit(1315423223.300:8): avc: denied { setrlimit } for pid=1082 comm="start-ds-admin" scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=process
    type=SYSCALL msg=audit(1315423223.300:8): arch=x86_64 syscall=setrlimit success=yes exit=0 a0=7 a1=7fff66e30380 a2=0 a3=4 items=0 ppid=1053 pid=1082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=start-ds-admin exe=/bin/bash subj=system_u:system_r:dirsrvadmin_t:s0 key=(null)
Yeap, you are right. It was fixed in F16. Backporting. I apologize.