Bug #44940
Updated by Brad Hubbard about 4 years ago
http://pulpito.ceph.com/bhubbard-2020-03-30_11:17:25-ceph-ansible-wip-badone-testing-distro-basic-smithi/4906560/
<pre>
# sealert -l 3dc5e070-8738-4070-8f0b-45336301d7a9
SELinux is preventing /usr/bin/sudo from using the sys_resource capability.
***** Plugin sys_resource (91.4 confidence) suggests **********************
If you do not want processes to require capabilities to use up all the system resources on your system;
Then you need to diagnose why your system is running out of system resources and fix the problem.
According to /usr/include/linux/capability.h, sys_resource is required to:
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
Do
fix the cause of the SYS_RESOURCE on your system.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that sudo should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp
Additional Information:
Source Context system_u:system_r:ceph_t:s0
Target Context system_u:system_r:ceph_t:s0
Target Objects Unknown [ capability ]
Source sudo
Source Path /usr/bin/sudo
Port <Unknown>
Host smithi203
Source RPM Packages sudo-1.8.25p1-8.el8_1.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name smithi203
Platform Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count 4
First Seen 2020-04-06 01:37:58 UTC
Last Seen 2020-04-06 01:37:58 UTC
Local ID 3dc5e070-8738-4070-8f0b-45336301d7a9
Raw Audit Messages
type=AVC msg=audit(1586137078.982:3346): avc: denied { sys_resource } for pid=18597 comm="sudo" capability=24 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1586137078.982:3346): avc: denied { setrlimit } for pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1586137078.982:3346): arch=x86_64 syscall=prlimit64 success=yes exit=0 a0=0 a1=6 a2=7ffffbc9aa00 a3=0 items=0 ppid=18582 pid=18597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)
Hash: sudo,ceph_t,ceph_t,capability,sys_resource
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo && cat my-sudo.te
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-sudo.pp
module my-sudo 1.0;
require {
type sudo_exec_t;
type ceph_t;
type initrc_var_run_t;
class file { execute execute_no_trans lock map open read };
class capability { audit_write sys_resource };
class process setrlimit;
class netlink_audit_socket { create nlmsg_relay };
}
#============= ceph_t ==============
allow ceph_t initrc_var_run_t:file { lock open read };
allow ceph_t self:capability { audit_write sys_resource };
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
allow ceph_t self:process setrlimit;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t sudo_exec_t:file map;
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };
</pre>
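The module audit2allow produced above is derived mechanically from the raw AVC records, so it is worth being able to see that derivation before loading a `.pp` that widens the ceph_t domain. The following is an added example, not code from this report, from Ceph or from the selinux-policy project: a small Python reimplementation of the audit2allow rule derivation that parses `type=AVC` records of the form ausearch prints, collapses them into `allow` statements keyed by source type, target type (or `self` when source and target types coincide) and object class, and checks whether every denial was logged with `permissive=1`. The sample records are constructed to match the shape of the ones in the report; the two capability numbers are the values from `<linux/capability.h>` (CAP_SYS_RESOURCE is 24, CAP_AUDIT_WRITE is 29).

```python
"""Mini audit2allow: derive SELinux allow rules from raw AVC denial records.

Added example, not part of the tracker report or of Ceph. The records in
SAMPLE_AUDIT are constructed to match the shape of `ausearch --raw` output.
"""
import re
from collections import defaultdict

# Capability numbers from <linux/capability.h>; only the two relevant here.
CAP_NAMES = {24: "sys_resource", 29: "audit_write"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
CAP_RE = re.compile(r"capability=(\d+)")

# Constructed sample: two AVCs from one prlimit64 syscall, the SYSCALL record
# itself (ignored by the parser), and a later file-access denial on sudo_exec_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1586137078.982:3346): avc:  denied  { sys_resource } for  pid=18597 comm="sudo" capability=24  scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1586137078.982:3346): avc:  denied  { setrlimit } for  pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:system_r:ceph_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1586137078.982:3346): arch=c000003e syscall=302 success=yes exit=0 pid=18597 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:ceph_t:s0 key=(null)
type=AVC msg=audit(1586137079.001:3347): avc:  denied  { execute open read } for  pid=18597 comm="sudo" scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
"""


def type_of(context):
    """user:role:type:level -> type, e.g. system_u:system_r:ceph_t:s0 -> ceph_t."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC denial; granted AVCs and non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["verdict"] != "denied":
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        rec["permissive"] = rec["permissive"] == "1"
        cap = CAP_RE.search(line)
        rec["capability"] = int(cap[1]) if cap else None
        yield rec


def derive_rules(text):
    """Collapse denials into audit2allow-style rules: (source, target, class) -> perms."""
    rules = defaultdict(set)
    for rec in parse_avcs(text):
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        target = "self" if src == tgt else tgt
        if rec["tclass"] == "capability" and rec["capability"] is not None:
            # Sanity check: the numeric capability must agree with the name in braces.
            expected = CAP_NAMES.get(rec["capability"])
            if expected and expected not in rec["perms"]:
                raise ValueError(f"capability={rec['capability']} is {expected}, "
                                 f"but AVC names {rec['perms']}")
        rules[(src, target, rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in rules.items()}


def format_rules(rules):
    """Render rules in the syntax audit2allow writes into a .te file."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines


def all_permissive(text):
    """True when every denial carries permissive=1, i.e. nothing was actually blocked yet."""
    return all(rec["permissive"] for rec in parse_avcs(text))


if __name__ == "__main__":
    derived = derive_rules(SAMPLE_AUDIT)
    print("\n".join(format_rules(derived)))
    print("all denials logged in permissive mode:", all_permissive(SAMPLE_AUDIT))
```

Run against the constructed sample it prints the same three rule shapes that appear in the generated `my-sudo.te` (`allow ceph_t self:capability sys_resource;`, `allow ceph_t self:process setrlimit;` and a file rule on `sudo_exec_t`). The `all_permissive` check matters when reading a report like this one: `permissive=1` means the prlimit64 call succeeded and the denials are only advisory, so the same run under `Enforcing Mode Enforcing` would have failed at the first AVC. The value of deriving the rules by hand is that each `allow` on the ceph_t domain (here a capability and a process permission on `self`) can be judged on its own before `semodule -i` makes it permanent.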