Bug 662738 - crond fails to set limit from limits.conf, with no audit trail, while SELinux is enforcing
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
: Normal normal
Assignee: SE Linux Bugs
Reported: 2018-08-03 18:18 UTC by Noah McNallie
Modified: 2023-04-29 13:05 UTC

Description Noah McNallie 2018-08-03 18:18:34 UTC
After setting a limit in /etc/security/limits.conf for nofile 10240 for a user, while SELinux is in enforcing mode, crond gives this error:

Aug  3 14:12:01 vps cron[23229]: pam_limits(cron:session): Could not set limit for 'nofile': Operation not permitted
Aug  3 14:12:01 vps cron[23229]: Permission denied

If I setenforce 0 this error goes away.

I filed a bug because there is no audit denial along with the error that could be fixed by an intermediate user with audit2allow or such. Therefore it is difficult to fix without some background knowledge of the crond and the SELinux policy and state.


I figured someone might know those areas well and see this before I got myself too entangled in it.
Comment 1 Noah McNallie 2018-08-03 21:09:11 UTC
Hi. I was able to fix this issue by using `semodule -DB' which made all denials be shown.
Comment 2 Mira Ressel 2018-10-03 20:25:25 UTC
Yes, sometimes it'll happen that a denial is hidden due to dontaudit rules.

If you could report the permissions you had to add to fix this, we'll add them to our policy.
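
Added example, not part of the bug thread: once `semodule -DB` has disabled the dontaudit rules as in comment 1, the denials for one command can be reduced to the distinct permissions that comment 2 asks to have reported. The function names `summarize_avc` and `sample_log` are hypothetical, and the audit records are constructed; the permissions in them are illustrative, since the thread does not say which ones were denied.

```shell
#!/bin/sh
# Added example (not from the bug thread). Run as root on the affected host:
#   semodule -DB     # rebuild policy with dontaudit rules disabled
#   ...wait for the cron job to fail again...
#   ausearch -m avc -ts recent | summarize_avc cron
#   semodule -B      # rebuild again, restoring the dontaudit rules

# summarize_avc COMM [FILE...]: print each distinct denial logged for
# processes named COMM as "tclass: perms (scontext -> tcontext)".
summarize_avc() {
    comm=$1; shift
    awk -v comm="$comm" '
        /avc: +denied/ {
            c = s = t = k = p = ""
            # The denied permission set is the text between the braces.
            if (match($0, /[{][^}]*[}]/)) p = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", p)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { c = substr($i, 6); gsub(/"/, "", c) }
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^tclass=/)   k = substr($i, 8)
            }
            if (c == comm) print k ": " p " (" s " -> " t ")"
        }' "$@" | sort -u
}

# Constructed audit records; the permissions are illustrative only and are
# not the ones behind this bug, which the thread does not state.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1533319921.101:201): avc:  denied  { setrlimit } for  pid=23229 comm="cron" scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=process permissive=0
type=AVC msg=audit(1533319981.102:207): avc:  denied  { setrlimit } for  pid=23301 comm="cron" scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=process permissive=0
type=AVC msg=audit(1533319981.300:208): avc:  denied  { sys_resource } for  pid=23301 comm="cron" capability=24 scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=capability permissive=0
type=AVC msg=audit(1533319990.000:209): avc:  denied  { getattr } for  pid=900 comm="sshd" path="/tmp/x" scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmp_t tclass=file permissive=0
type=SYSCALL msg=audit(1533319990.000:209): arch=c000003e syscall=4 success=no exit=-13 comm="sshd"
EOF
}

sample_log | summarize_avc cron
```

Repeated denials from successive cron runs collapse to one line each, so the output is the list of permissions to review before writing any allow rule.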