Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389917 - sec-policy/selinux-inetd lacks resource permissions
Summary: sec-policy/selinux-inetd lacks resource permissions
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-09 00:31 UTC by Stan Sander
Modified: 2011-12-20 18:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Patch to allow required capability (inetd.patch,661 bytes, patch)
2011-11-09 00:36 UTC, Stan Sander 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stan Sander 2011-11-09 00:31:57 UTC 
The selinux policy module for xinetd lacks the necessary permissions for the xinetd daemon to get and set appropriate resource limits during it's normal operation.  The attached patch to the policy module addresses this.

Reproducible: Always

Steps to Reproduce:
1.enable selinux strict policy 
2.load the inetd policy module 
3.when xinetd receives a connection and launches a child process daemon it is unable to check system resources and set appropriate limits
Actual Results:  
The following audit log entries:

Nov  8 08:23:19 xxxx kernel: type=1400 audit(1320765799.720:5654): avc:  denied  { sys_resource } for  pid=12851 comm="xinetd" capability=24  scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=capability
Nov  8 08:23:19 xxxx kernel: type=1400 audit(1320765799.720:5655): avc:  denied  { setrlimit } for  pid=12851 comm="xinetd" scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=process

Expected Results:  
xinetd should have sys_resource and setrlimit capabilities
Comment 1 Stan Sander 2011-11-09 00:36:17 UTC 
Created attachment 291979 [details, diff]
Patch to allow required capability

The attached patch supplies the needed capability
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-11 14:56:53 UTC 
Confirmed on setrlimit: if xinetd is build with PAM support, it needs to support pam_limits which is used to set resource limits.

Still trying to figure out if sys_resource capability is the same.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-11 14:58:50 UTC 
Yup, seems like CAP_SYS_RESOURCE is needed when you want to call setrlimit.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-12 21:19:05 UTC 
In hardened-dev overlay
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-15 10:52:34 UTC 
Moved to main portage tree, ~arch'ed.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-20 18:52:43 UTC 
Stabilized