Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662738 - crond fails to set limit from limits.conf, with no audit trail, while SELinux is enforcing
Summary: crond fails to set limit from limits.conf, with no audit trail, while SELinux...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-03 18:18 UTC by Noah McNallie
Modified: 2023-04-29 13:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Noah McNallie 2018-08-03 18:18:34 UTC
After setting a limit in /etc/security/limits.conf for nofile 10240 for a user, while SELinux is in enforcing mode, crond gives this error:

Aug  3 14:12:01 vps cron[23229]: pam_limits(cron:session): Could not set limit for 'nofile': Operation not permitted
Aug  3 14:12:01 vps cron[23229]: Permission denied

If I setenforce 0 this error goes away.

I filed a bug because there is no audit denial along with the error that could be fixed by an intermediate user with audit2allow or such. Therefor it is difficult to fix without some background knowledge of the crond and the SELinux policy and state.


I figured someone might know those areas well and see this before I got myself too entangled in it.
Comment 1 Noah McNallie 2018-08-03 21:09:11 UTC
Hi. I was able to fix this issue by using `semodule -DB' which made all denials be shown.
Comment 2 Mira Ressel 2018-10-03 20:25:25 UTC
Yes, sometimes it'll happen that a denial is hidden due to dontaudit rules.

If you could report the permissions you had to add to fix this, we'll add them to our policy.