Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1172908
Summary: | SELinux is preventing dovecot from using the sys_resource capability. | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bill Davidsen <davidsen> | ||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 21 | CC: | davidsen, dominick.grift, dwalsh, janfrode, lvrabec, mgrepl, mhlavink, plautrba | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | selinux-policy-3.13.1-105.3.fc21 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2015-02-15 03:29:19 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 834306 | ||||||
Attachments: |
|
Description
Bill Davidsen
2014-12-11 04:04:46 UTC
Could you attach AVCs (/var/log/audit/audit.log) ? Created attachment 968193 [details]
Dovecot entries from audit.log
I attach the dovecot entries, I will provide the whole log (I saved it) if needed.
Was the system running out of memory or process space at the time? sys_resource means that the process dovecot can ignore its limits on resources like process or open file descriptors. We usually see this type of thing when a system is being stressed. Unless the normal process of installing the mail components and starting them will exceed sane limits, no. This was initial setup for testing, installing enough system software to run as a normal desktop. This was either a VM configured as a remote access host (1GB RAM, 2GB swap, 6GB disk, running off SSD), or a laptop, 2GB RAM, otherwise ~200GB disk. Lets also ask dovecot maintainer. Dovecot uses setrlimit and changes it's limit (sometime increase, sometime decrease) to match it's needs and not waste too much (if something goes wrong). for example login process: static void main_preinit(bool allow_core_dumps) { ... ... /* set the number of fds we want to use. it may get increased or decreased. leave a couple of extra fds for auth sockets and such. worst case each connection can use: - 1 for client - 1 for login proxy - 2 for client-side ssl proxy - 2 for server-side ssl proxy (with login proxy) */ max_fds = MASTER_LISTEN_FD_FIRST + 16 + master_service_get_socket_count(master_service) + master_service_get_client_limit(master_service)*6; restrict_fd_limit(max_fds); ^^^ calls setrlimit(RLIMIT_NOFILE,... 7f66b60e21bac02dadbb71be1d305b44622db4f6 allows this in git. commit 8302ce68ee7c9b03a7d0958faf176da3a1cbbcec Author: Dan Walsh <dwalsh> Date: Sun Feb 1 08:03:23 2015 -0500 Allow dovecot domains to use sys_resouce selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21 Package selinux-policy-3.13.1-105.3.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21 then log in and leave karma (feedback). selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |