09-02-2008, 07:52 PM
Tom London

AVCs generated by oom actions....

I'm having some out-of-memory issues with latest kernels:
https://bugzilla.redhat.com/show_bug.cgi?id=460848

I've noticed that when this happens, I get audit and AVC spew.

Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
for processes that are about to commit suicide.

I have no idea what is causing these, and whether these are bugs (or
features).

Any ideas/wisdom welcome!

tom

[root@tlondon ~]# audit2allow -i oom-audit.txt


#============= NetworkManager_t ==============
allow NetworkManager_t self:capability { sys_rawio sys_admin sys_resource };

#============= audisp_t ==============
allow audisp_t self:capability { sys_rawio sys_admin sys_resource };

#============= auditd_t ==============
allow auditd_t self:capability { sys_rawio sys_admin };

#============= bluetooth_t ==============
allow bluetooth_t self:capability { sys_rawio sys_admin sys_resource };

#============= consolekit_t ==============
allow consolekit_t self:capability { sys_rawio sys_admin sys_resource };

#============= dhcpc_t ==============
allow dhcpc_t self:capability { sys_rawio sys_admin };

#============= getty_t ==============
allow getty_t self:capability sys_rawio;

#============= kerneloops_t ==============
allow kerneloops_t self:capability { sys_rawio sys_admin sys_resource };

#============= restorecond_t ==============
allow restorecond_t self:capability { sys_rawio sys_admin sys_resource };

#============= rpcd_t ==============
allow rpcd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sendmail_t ==============
allow sendmail_t self:capability { sys_rawio sys_admin sys_resource };

#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sshd_t ==============
allow sshd_t self:capability { sys_rawio sys_admin };

#============= syslogd_t ==============
allow syslogd_t self:capability sys_rawio;

#============= unconfined_mono_t ==============
allow unconfined_mono_t self:process execstack;

#============= xdm_t ==============
allow xdm_t self:capability sys_admin;
[root@tlondon ~]#

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
09-03-2008, 11:09 AM
James Morris

AVCs generated by oom actions....

On Tue, 2 Sep 2008, Tom London wrote:

> I'm having some out-of-memory issues with latest kernels:
> https://bugzilla.redhat.com/show_bug.cgi?id=460848
>
> I've noticed that when this happens, I get audit and AVC spew.
>
> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
> for processes that are about to commit suicide.
>
> I have no idea what is causing these, and whether these are bugs (or
> features).
>
> Any ideas/wisdom welcome!

This patch should fix it:
http://marc.info/?l=selinux&m=122039060813510&w=2

--
James Morris
<jmorris@namei.org>

09-03-2008, 01:40 PM
Tom London

AVCs generated by oom actions....

On Wed, Sep 3, 2008 at 4:09 AM, James Morris <jmorris@namei.org> wrote:
> On Tue, 2 Sep 2008, Tom London wrote:
>
>> I'm having some out-of-memory issues with latest kernels:
>> https://bugzilla.redhat.com/show_bug.cgi?id=460848
>>
>> I've noticed that when this happens, I get audit and AVC spew.
>>
>> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
>> for processes that are about to commit suicide.
>>
>> I have no idea what is causing these, and whether these are bugs (or
>> features).
>>
>> Any ideas/wisdom welcome!
>
> This patch should fix it:
> http://marc.info/?l=selinux&m=122039060813510&w=2
>
> --
> James Morris
> <jmorris@namei.org>
>
Thanks. I am already running (half of) that patch that fixes
security_context_to_sid_core(), and it indeed seems to fix the random
oom's.

However, I was asking about the (corner?) case where the system
legitimately needed to call the oom-killer. Do the above AVCs
('sys_rawio', 'sys_admin', and 'sys_resource') indicate an issue?
They did not appear to interfere with the killing of the
processes......

tom
--
Tom London

09-03-2008, 01:53 PM
Stephen Smalley

AVCs generated by oom actions....

On Wed, 2008-09-03 at 06:40 -0700, Tom London wrote:
> On Wed, Sep 3, 2008 at 4:09 AM, James Morris <jmorris@namei.org> wrote:
> > On Tue, 2 Sep 2008, Tom London wrote:
> >
> >> I'm having some out-of-memory issues with latest kernels:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=460848
> >>
> >> I've noticed that when this happens, I get audit and AVC spew.
> >>
> >> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
> >> for processes that are about to commit suicide.
> >>
> >> I have no idea what is causing these, and whether these are bugs (or
> >> features).
> >>
> >> Any ideas/wisdom welcome!
> >
> > This patch should fix it:
> > http://marc.info/?l=selinux&m=122039060813510&w=2
> >
> > --
> > James Morris
> > <jmorris@namei.org>
> >
> Thanks. I am already running (half of) that patch that fixes
> security_context_to_sid_core(), and it indeed seems to fix the random
> oom's.
>
> However, I was asking about the (corner?) case where the system
> legitimately needed to call the oom-killer. Do the above AVCs
> ('sys_rawio', 'sys_admin', and 'sys_resource') indicate an issue?
> They did not appear to interfere with the killing of the
> processes......

The oom killer tests for those capabilities on potential target
processes as part of selecting which process to kill (processes that
have those capabilities are less likely to be killed by the oom killer).

We should likely use a special hook for those tests that uses the
_noaudit interfaces to avoid noise in the audit logs, similar to what
was done for vm_enough_memory.

--
Stephen Smalley
National Security Agency

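The practical point of Stephen's reply, read together with Tom's audit2allow output above, is that these capability denials are a by-product of the oom killer scoring candidate victims, not of anything the denied processes tried to do, so feeding them to audit2allow would grant sys_admin, sys_rawio and sys_resource to a dozen daemons for no reason. The script below is an added example, not code from this thread, from audit2allow or from the SELinux project. It parses AVC records, collapses them into audit2allow-style rules, and separates rules whose only permissions are self:capability within the set the oom killer probes (sys_rawio, sys_admin, sys_resource, per Stephen's reply) from denials that deserve investigation. The audit lines are constructed to match the shape of kernel AVC records; they are not Tom's log. The capability numbers, type names and the OOM_PROBE_CAPS set are assumptions for the example.

```python
"""Triage SELinux AVC capability denials that are most likely oom-killer
victim-selection noise rather than real policy gaps.

Added example; not part of the thread, audit2allow or the SELinux project.
Assumption: the oom killer probes sys_rawio, sys_admin and sys_resource on
candidate processes (per Stephen Smalley's reply), and nothing else.
"""
import re
from collections import defaultdict

# Capabilities the oom killer tests on candidate victims (assumed from the thread).
OOM_PROBE_CAPS = frozenset({"sys_rawio", "sys_admin", "sys_resource"})

# Constructed sample audit records in the shape of kernel AVC messages.
# Not real logs: pids, inodes and timestamps are made up for the example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1220384000.101:1001): avc:  denied  { sys_rawio } for  pid=2210 comm="sshd" capability=17 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability
type=AVC msg=audit(1220384000.101:1002): avc:  denied  { sys_admin } for  pid=2210 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability
type=AVC msg=audit(1220384000.102:1003): avc:  denied  { sys_rawio } for  pid=1650 comm="syslogd" capability=17 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1220384000.103:1004): avc:  denied  { net_admin } for  pid=1800 comm="NetworkManager" capability=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability
type=AVC msg=audit(1220384000.104:1005): avc:  denied  { read } for  pid=1800 comm="NetworkManager" name="resolv.conf" dev=sda2 ino=12345 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Pull the permission set, source/target contexts and object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avcs(text):
    """Return a list of (source_type, target, tclass, perms) for each AVC denial.

    The target is reported as "self" when source and target types match,
    which is how audit2allow writes capability rules.
    """
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, ...)
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        target = "self" if ttype == stype else ttype
        perms = frozenset(m.group("perms").split())
        denials.append((stype, target, m.group("tclass"), perms))
    return denials


def group_rules(denials):
    """Collapse denials into audit2allow-style (stype, target, tclass) -> perm set."""
    rules = defaultdict(set)
    for stype, target, tclass, perms in denials:
        rules[(stype, target, tclass)].update(perms)
    return dict(rules)


def classify(rules):
    """Split rules into likely oom-killer probe noise and denials to investigate.

    A rule is treated as probe noise only if it is self:capability and every
    permission in it is one the oom killer is known to test. Anything else,
    including a capability outside that set, is kept for investigation.
    """
    noise, real = {}, {}
    for key, perms in rules.items():
        _stype, target, tclass = key
        if tclass == "capability" and target == "self" and perms <= OOM_PROBE_CAPS:
            noise[key] = perms
        else:
            real[key] = perms
    return noise, real


def format_rule(key, perms):
    """Render one rule in audit2allow's allow-statement syntax."""
    stype, target, tclass = key
    ordered = sorted(perms)
    perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def triage(text):
    """Parse, group and classify; returns (noise_rules, real_rules) as text lists."""
    noise, real = classify(group_rules(parse_avcs(text)))
    return ([format_rule(k, noise[k]) for k in sorted(noise)],
            [format_rule(k, real[k]) for k in sorted(real)])


if __name__ == "__main__":
    noise_rules, real_rules = triage(SAMPLE_AUDIT)
    print("# likely oom-killer probe noise; do not add to policy:")
    print("\n".join(noise_rules))
    print("# denials to investigate:")
    print("\n".join(real_rules))
```

Before discarding the "noise" bucket, confirm the denials coincide with an out-of-memory event in the kernel log; a daemon that genuinely attempted something needing sys_admin produces an identical AVC record, and the only things that distinguish the oom case are the timing and the fact that many unrelated domains are denied the same capabilities at once, as in Tom's listing.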