Bug #44940
type=AVC msg=audit(1585577327.298:6404): avc: denied { sys_resource } for pid=27385 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
Status: New
Priority: High
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
# sealert -l 3dc5e070-8738-4070-8f0b-45336301d7a9
SELinux is preventing /usr/bin/sudo from using the sys_resource capability.

*****  Plugin sys_resource (91.4 confidence) suggests   **********************

If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
Do
fix the cause of the SYS_RESOURCE on your system.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that sudo should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:system_r:ceph_t:s0
Target Objects                Unknown [ capability ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           sudo-1.8.25p1-8.el8_1.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      3dc5e070-8738-4070-8f0b-45336301d7a9

Raw Audit Messages
type=AVC msg=audit(1586137078.982:3346): avc: denied { sys_resource } for pid=18597 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1586137078.982:3346): avc: denied { setrlimit } for pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1

type=SYSCALL msg=audit(1586137078.982:3346): arch=x86_64 syscall=prlimit64 success=yes exit=0 a0=0 a1=6 a2=7ffffbc9aa00 a3=0 items=0 ppid=18582 pid=18597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: sudo,ceph_t,ceph_t,capability,sys_resource

# ausearch -c 'sudo' --raw | audit2allow -M my-sudo && cat my-sudo.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sudo.pp


module my-sudo 1.0;

require {
	type sudo_exec_t;
	type ceph_t;
	type initrc_var_run_t;
	class file { execute execute_no_trans lock map open read };
	class capability { audit_write sys_resource };
	class process setrlimit;
	class netlink_audit_socket { create nlmsg_relay };
}

#============= ceph_t ==============
allow ceph_t initrc_var_run_t:file { lock open read };
allow ceph_t self:capability { audit_write sys_resource };
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
allow ceph_t self:process setrlimit;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t sudo_exec_t:file map;
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
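The two AVC records above are what audit2allow turns into the `allow ceph_t self:capability ...` and `allow ceph_t self:process setrlimit;` lines of my-sudo.te. As an added example (not part of this report and not audit2allow's own code), the following Python script re-implements that grouping step for the AVC record format, so the grants a generated module would introduce can be reviewed before `semodule -i`; the sample records are constructed from the ones quoted above, and the output is simplified (no require block, no boolean suggestions).

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this report, plus their
# SYSCALL record, which carries no denial and is skipped by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1586137078.982:3346): avc: denied { sys_resource } for pid=18597 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1586137078.982:3346): avc: denied { setrlimit } for pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1586137078.982:3346): arch=x86_64 syscall=prlimit64 success=yes exit=0 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def parse_denials(audit_text: str) -> dict:
    """Group AVC denials as {(source_type, target, tclass): {permissions}}; a target of the same type as the source becomes 'self'."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m is None:
            continue  # not an AVC record, or not a denial we can attribute
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        rules[(src, "self" if src == tgt else tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def render_allow_rules(rules: dict) -> list:
    """Render each group as an 'allow' statement in .te syntax."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return out

def capability_grants(rules: dict) -> list:
    """Capability permissions the module would grant; review these rather than loading the module blindly."""
    return sorted(p for (_, _, tclass), perms in rules.items() if tclass == "capability" for p in perms)

if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AUDIT)
    print("\n".join(render_allow_rules(parsed)))
    print("capabilities granted:", capability_grants(parsed))
```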
Related issues
History
#1 Updated by Brad Hubbard almost 4 years ago
- Related to Bug #40683: selinux allow ceph_t to call sudo added
#2 Updated by Brad Hubbard almost 4 years ago
- Description updated (diff)