Bug 1192233 - SELinux is preventing /usr/bin/systemctl from using the sys_resource capability
Status: CLOSED DUPLICATE of bug 1184712
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2015-02-12 22:49 UTC by Michal Jaegermann
Modified: 2015-05-12 14:15 UTC (History)
Doc Type: Bug Fix
Last Closed: 2015-05-12 14:15:59 UTC
Type: Bug

Attachments
an output from sealert (4.52 KB, text/plain)
2015-02-12 22:49 UTC, Michal Jaegermann

Description Michal Jaegermann 2015-02-12 22:49:27 UTC
Created attachment 991158
an output from sealert

Description of problem:

After an upgrade from F20 to F21 the following shows up in logs:

setroubleshoot: Plugin Exception restorecon_source
setroubleshoot: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability. For complete SELinux messages. run sealert -l 45fe5a2c-7d1f-4c4a-8c52-cb5c35b58fcd
python: SELinux is preventing /usr/bin/systemctl from using the sys_resource capability.

That is followed by "***  Plugin sys_resource (91.4 confidence) suggests   ***" and the long-winded writeup (in logs!!!) which ends up with "Do fix the cause of the SYS_RESOURCE on your system" albeit not exactly how.  See below for more.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-105.1.fc21

How reproducible:
Hm ...  this is a freshly updated system.

Additional info:
An output from sealert is attached.  The 'audit2allow' command suggested there produces a .te file like this:

module mypol 1.0;

require {
	type prelink_cron_system_t;
	class capability sys_resource;
	class process setrlimit;
}

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t self:capability sys_resource;
allow prelink_cron_system_t self:process setrlimit;
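
An added example (not part of the original report and not code from setroubleshoot or audit2allow): a small Python check that parses an audit2allow-generated .te module like the one above and lists the allow rules that grant Linux capabilities, so the grant can be reviewed before the module is compiled and loaded. The function names and the SENSITIVE_CAPS shortlist are assumptions made for illustration.

```python
import re

# Constructed input: the module text quoted in the report above.
SAMPLE_TE = """module mypol 1.0;

require {
    type prelink_cron_system_t;
    class capability sys_resource;
    class process setrlimit;
}

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t self:capability sys_resource;
allow prelink_cron_system_t self:process setrlimit;
"""

# Assumption: a reviewer's own shortlist of capabilities that deserve a
# second look before being granted to a confined domain.
SENSITIVE_CAPS = {"sys_resource", "sys_admin", "sys_module",
                  "sys_ptrace", "dac_override"}

# Matches "allow SRC TGT:CLASS PERM;" and "allow SRC TGT:CLASS { P1 P2 };".
# Narrowed on purpose: class sets and attribute expressions are not handled.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, [perms]) for every allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append((src, tgt, cls, sorted(perms.strip("{} ").split())))
    return rules

def flag_capability_grants(te_text):
    """Return (source, class, perm) for each shortlisted capability grant."""
    findings = []
    for src, _tgt, cls, perms in parse_allow_rules(te_text):
        if cls in ("capability", "capability2"):
            findings += [(src, cls, p) for p in perms if p in SENSITIVE_CAPS]
    return findings

if __name__ == "__main__":
    for src, cls, perm in flag_capability_grants(SAMPLE_TE):
        print(f"review before loading: {src} gains {cls} {perm}")
```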

Comment 1 Benjamin Ariel Nava Martinez 2015-05-03 16:53:01 UTC
I think this bug is a dupe of #1184712

Comment 2 Miroslav Grepl 2015-05-12 14:15:59 UTC

*** This bug has been marked as a duplicate of bug 1184712 ***

