Bug #44940

type=AVC msg=audit(1585577327.298:6404): avc: denied { sys_resource } for pid=27385 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1

Added by Brad Hubbard almost 3 years ago. Updated almost 3 years ago.

Severity: 3 - minor


# sealert -l 3dc5e070-8738-4070-8f0b-45336301d7a9
SELinux is preventing /usr/bin/sudo from using the sys_resource capability.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************
If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that sudo should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:system_r:ceph_t:s0
Target Objects                Unknown [ capability ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           sudo-1.8.25p1-8.el8_1.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed
                              Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      3dc5e070-8738-4070-8f0b-45336301d7a9

Raw Audit Messages
type=AVC msg=audit(1586137078.982:3346): avc:  denied  { sys_resource } for  pid=18597 comm="sudo" capability=24  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1586137078.982:3346): avc:  denied  { setrlimit } for  pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

type=SYSCALL msg=audit(1586137078.982:3346): arch=x86_64 syscall=prlimit64 success=yes exit=0 a0=0 a1=6 a2=7ffffbc9aa00 a3=0 items=0 ppid=18582 pid=18597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: sudo,ceph_t,ceph_t,capability,sys_resource

# ausearch -c 'sudo' --raw | audit2allow -M my-sudo && cat my-sudo.te 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sudo.pp

module my-sudo 1.0;

require {
        type sudo_exec_t;
        type ceph_t;
        type initrc_var_run_t;
        class file { execute execute_no_trans lock map open read };
        class capability { audit_write sys_resource };
        class process setrlimit;
        class netlink_audit_socket { create nlmsg_relay };
}

#============= ceph_t ==============
allow ceph_t initrc_var_run_t:file { lock open read };
allow ceph_t self:capability { audit_write sys_resource };
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
allow ceph_t self:process setrlimit;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t sudo_exec_t:file map;
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
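
As an added illustration (not part of this bug report or of Ceph's or audit2allow's own code), the Python script below does by hand what the `ausearch | audit2allow` pipeline above does for the AVC records quoted in this report: it parses the raw audit lines, collapses the denials into `allow` rules (writing `self` where source and target types coincide, as audit2allow does, and handling non-self targets too), and decodes the accompanying SYSCALL record to show which rlimit sudo was touching via prlimit64 and why the call still succeeded under permissive=1. The sample audit stream is constructed from the records on this page; the rlimit number table is an assumption taken from the Linux headers.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in this report, as one raw ausearch-style stream.
RAW_AUDIT = """\
type=AVC msg=audit(1586137078.982:3346): avc:  denied  { sys_resource } for  pid=18597 comm="sudo" capability=24  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1586137078.982:3346): avc:  denied  { setrlimit } for  pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1586137078.982:3346): arch=x86_64 syscall=prlimit64 success=yes exit=0 a0=0 a1=6 a2=7ffffbc9aa00 a3=0 items=0 ppid=18582 pid=18597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)
"""
# Assumed resource numbers, from <asm-generic/resource.h> on x86_64; only those needed here.
RLIMIT_NAMES = {0: "RLIMIT_CPU", 6: "RLIMIT_NPROC", 7: "RLIMIT_NOFILE"}
AVC_RE = re.compile(r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key=value fields; AVC records also get verdict, perms and types."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.match(line)
    if m:
        rec["verdict"], rec["perms"] = m.group("verdict"), m.group("perms").split()
        # The type is the third field of a user:role:type:level label.
        rec["stype"], rec["ttype"] = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
    return rec

def allow_rules(raw):
    """Collapse AVC denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for rec in map(parse_record, raw.splitlines()):
        if rec.get("type") == "AVC" and rec.get("verdict") == "denied":
            # audit2allow writes 'self' when source and target types coincide.
            target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
            perms[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = " ".join(sorted(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def explain_syscall(raw):
    """Decode the prlimit64 SYSCALL record: which rlimit sudo touched and whether the call
    went through (success=yes here only because the AVC records report permissive=1)."""
    for rec in map(parse_record, raw.splitlines()):
        if rec.get("type") == "SYSCALL" and rec.get("syscall") == "prlimit64":
            res = RLIMIT_NAMES.get(int(rec["a1"], 16), "RLIMIT_#" + rec["a1"])  # a1 is hex in audit logs
            return f"{rec['comm']} (pid {rec['pid']}) called prlimit64 on {res}, success={rec['success']}"
    return None
```

Comparing `allow_rules(RAW_AUDIT)` with the generated my-sudo.te above shows that the two records sealert flagged account only for `sys_resource` and `setrlimit`; the remaining rules in that module come from other denials `ausearch -c 'sudo'` picked up.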

Related issues

Related to Ceph - Bug #40683: selinux allow ceph_t to call sudo (status: Can't reproduce)


#1 Updated by Brad Hubbard almost 3 years ago

  • Related to Bug #40683: selinux allow ceph_t to call sudo added

#2 Updated by Brad Hubbard almost 3 years ago

  • Description updated (diff)
