
Bug 662738

Summary: crond fails to set limit from limits.conf, with no audit trail, while SELinux is enforcing
Product: Gentoo Linux
Reporter: Noah McNallie <noah.mcnallie>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED ---
Severity: normal
CC: kelvium
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Noah McNallie 2018-08-03 18:18:34 UTC
After setting a limit in /etc/security/limits.conf for nofile 10240 for a user, while SELinux is in enforcing mode, crond gives this error:

Aug  3 14:12:01 vps cron[23229]: pam_limits(cron:session): Could not set limit for 'nofile': Operation not permitted
Aug  3 14:12:01 vps cron[23229]: Permission denied

If I setenforce 0 this error goes away.

I filed a bug because there is no audit denial along with the error that could be fixed by an intermediate user with audit2allow or such. Therefore it is difficult to fix without some background knowledge of the crond and the SELinux policy and state.


I figured someone might know those areas well and see this before I got myself too entangled in it.
Comment 1 Noah McNallie 2018-08-03 21:09:11 UTC
Hi. I was able to fix this issue by using `semodule -DB' which made all denials be shown.
Comment 2 Mira Ressel 2018-10-03 20:25:25 UTC
Yes, sometimes it'll happen that a denial is hidden due to dontaudit rules.

If you could report the permissions you had to add to fix this, we'll add them to our policy.
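
The workflow from Comments 1 and 2, as an added example that is not part of the original bug report: disable dontaudit rules, reproduce the failure, summarise the newly visible AVC denials for one command, then restore the dontaudit rules. The function names are hypothetical, the sample audit records are constructed (they are not the denials from this report), and the live step assumes auditd's `ausearch` is installed.

```shell
#!/bin/sh
# Added example: summarise AVC denials for one command name so the missing
# permissions can be reported. Function names here are hypothetical.

# Constructed sample audit records; NOT the denials from this bug report.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1500000000.101:412): avc:  denied  { setrlimit } for  pid=1234 comm="cron" scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=process permissive=0
type=AVC msg=audit(1500000000.102:413): avc:  denied  { sys_resource } for  pid=1234 comm="cron" capability=24 scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=capability permissive=0
type=AVC msg=audit(1500000060.101:431): avc:  denied  { setrlimit } for  pid=1250 comm="cron" scontext=system_u:system_r:crond_t tcontext=system_u:system_r:crond_t tclass=process permissive=0
type=AVC msg=audit(1500000064.300:440): avc:  denied  { read } for  pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file permissive=0
EOF
}

# Read audit records on stdin; print one deduplicated line per denied
# (source type, target type, class, permissions) for the command name in $1.
summarize_avc() {
  awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
      perms = $0
      sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      print "allow " s " " t ":" c " { " perms " };"
    }' | sort -u
}

# Live workflow: run as root on the affected host. Defined but not called here.
collect_hidden_denials() {
  semodule -DB    # rebuild the policy with dontaudit rules disabled
  echo "Reproduce the failure (wait for the cron job), then press Enter"
  read -r reply
  ausearch -m avc -ts recent -c "$1" | summarize_avc "$1"
  semodule -B     # rebuild again so dontaudit rules are back in effect
}

# Demonstration on the constructed sample only.
sample_avc | summarize_avc cron
```

On a real host, `collect_hidden_denials cron` produces the same kind of summary from the live audit log; the lines it prints are what Comment 2 asks to have reported.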