0017314 | CentOS-8 | numad | public | 2020-04-30 15:23
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017314: SELinux is preventing /usr/bin/numad from using the sys_nice capability.
Description: I am running CentOS 8.1.1911 on a Dell PowerEdge R510 with two CPUs. One of the workloads is virtualization, and to automatically tune this a bit I'm running numad as well. Recently I noticed the following error showing up in the logs. While a workaround is possible, I think this shouldn't be blocked in the first place.

Error in the logs:
SELinux is preventing /usr/bin/numad from using the sys_nice capability. For complete SELinux messages run: sealert -l 8e82cfec-1556-450c-9769-d0b6bc0a703c

Output of sealert -l 8e82cfec-1556-450c-9769-d0b6bc0a703c:
$ sudo sealert -l 8e82cfec-1556-450c-9769-d0b6bc0a703c
SELinux is preventing /usr/bin/numad from using the sys_nice capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that numad should have the sys_nice capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'numad' --raw | audit2allow -M my-numad
# semodule -X 300 -i my-numad.pp

Additional Information:
Source Context system_u:system_r:numad_t:s0
Target Context system_u:system_r:numad_t:s0
Target Objects Unknown [ capability ]
Source numad
Source Path /usr/bin/numad
Port <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name
Platform Linux 4.18.0-147.8.1.el8_1.x86_64
                              #1 SMP Thu Apr 9 13:49:54 UTC 2020 x86_64 x86_64
Alert Count 28125
First Seen 2020-04-02 15:51:03 CEST
Last Seen 2020-04-30 17:11:42 CEST
Local ID 8e82cfec-1556-450c-9769-d0b6bc0a703c

Raw Audit Messages
type=AVC msg=audit(1588259502.750:562): avc: denied { sys_nice } for pid=4020 comm="numad" capability=23 scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=capability permissive=0

Hash: numad,numad_t,numad_t,capability,sys_nice
Tags: numa, selinux
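The sealert output above tells the administrator to pipe the denial through audit2allow and load the resulting module, but the module should be read before it is installed: an `allow` rule is a permanent policy change. The following Python is an added example (not part of this bug report, and not the code of audit2allow or of the numad project) that parses raw AVC messages of the form shown in the report, reconstructs the type-enforcement rule and `.te` module text that `audit2allow -M` writes for them, and attaches review notes. It assumes the standard `user:role:type:level` context layout, the single capability number this report shows (23, which is CAP_SYS_NICE in the kernel's capability numbering), and a second, constructed cross-domain denial line used only to show how a non-self rule differs from the self-directed one in the report.

```python
import re

# Sample input. The first line is the raw AVC message quoted in this bug report;
# the second is a constructed denial (not from the report) that targets a
# different domain, to contrast a cross-domain rule with a self-directed one.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1588259502.750:562): avc: denied { sys_nice } for pid=4020 '
    'comm="numad" capability=23 scontext=system_u:system_r:numad_t:s0 '
    'tcontext=system_u:system_r:numad_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1588259600.000:563): avc: denied { read open } for pid=4021 '
    'comm="numad" path="/proc/9/status" scontext=system_u:system_r:numad_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0',
]

# Only the capability number that appears in this report; extend from
# <linux/capability.h> for a complete table.
CAP_NAMES = {23: 'CAP_SYS_NICE'}

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one raw AVC line into verdict, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC message: %r' % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not actually blocked
        'permissive': fields.get('permissive') == '1',
        'capability': int(fields['capability']) if 'capability' in fields else None,
    }


def context_type(ctx):
    """user:role:type:level -> type (the part a TE rule names)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def _perm_list(perms):
    # audit2allow writes a bare name for one permission, braces for several
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(avc):
    """The allow rule audit2allow would emit for this denial."""
    src, tgt = context_type(avc['scontext']), context_type(avc['tcontext'])
    target = 'self' if src == tgt else tgt
    return 'allow %s %s:%s %s;' % (src, target, avc['tclass'], _perm_list(avc['perms']))


def te_module(name, avcs):
    """Assemble the .te source that audit2allow -M <name> would write."""
    types, classes, rules = set(), {}, []
    for avc in avcs:
        types.update([context_type(avc['scontext']), context_type(avc['tcontext'])])
        classes.setdefault(avc['tclass'], set()).update(avc['perms'])
        rules.append(allow_rule(avc))
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in sorted(types)]
    lines += ['\tclass %s %s;' % (cls, _perm_list(sorted(p))) for cls, p in sorted(classes.items())]
    lines += ['}', ''] + rules
    return '\n'.join(lines) + '\n'


def review_notes(avc):
    """What a reviewer should weigh before loading the generated rule."""
    notes = []
    src, tgt = context_type(avc['scontext']), context_type(avc['tcontext'])
    if avc['permissive']:
        notes.append('logged in permissive mode: access was not actually blocked')
    if avc['tclass'] == 'capability':
        cap = CAP_NAMES.get(avc['capability'], 'capability #%s' % avc['capability'])
        notes.append('grants kernel capability %s to %s; confirm the program needs it' % (cap, src))
    if src == tgt:
        notes.append('self-directed rule: no new access to other domains')
    else:
        notes.append('cross-domain rule: %s gains access to %s objects' % (src, tgt))
    return notes


if __name__ == '__main__':
    parsed = [parse_avc(line) for line in SAMPLE_AVCS]
    for avc in parsed:
        print(allow_rule(avc), '  #', '; '.join(review_notes(avc)))
    print(te_module('my-numad', parsed[:1]))
```

For the denial in this report the generated rule is `allow numad_t self:capability sys_nice;`, a self-directed capability grant, which is the narrowest shape such a rule can take; the review note still asks whether the program's job requires CAP_SYS_NICE, which is the question the reporter raises by filing this as a policy bug rather than silently loading the module.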