I'm having some out-of-memory issues with latest kernels:
https://bugzilla.redhat.com/show_bug.cgi?id=460848
I've noticed that when this happens, I get audit and AVC spew.
It appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' capability AVC denials for processes that are about to die (the OOM victims, apparently).
I have no idea what is causing these, or whether they are bugs (or features ;)). Note that the rules below are just what audit2allow derives from the denials; I have not loaded them.
Any ideas/wisdom welcome!
tom
[root@tlondon ~]# audit2allow -i oom-audit.txt
# NOTE(review): raw audit2allow output for the denials logged while the box
# was out of memory. Do NOT load this as a policy module as-is: each 'allow'
# line below would grant that domain the listed capabilities for real
# (CAP_SYS_ADMIN is close to root-equivalent; CAP_SYS_RAWIO permits raw
# device/port I/O; CAP_SYS_RESOURCE lets a process override resource limits),
# and domains such as sshd_t, sendmail_t, syslogd_t and getty_t have no
# business holding them. audit2allow only reports what was denied; it does
# not judge whether the access should be allowed.
# The pattern -- every domain tripping the same three capabilities, and only
# while the system is OOM -- suggests the checks are being made *about* these
# processes (e.g. by the kernel while choosing a victim) rather than requested
# by them; presumably something to report against the kernel/policy, not a
# policy gap to paper over. Confirm against the kernel's OOM-killer code.
#============= NetworkManager_t ==============
allow NetworkManager_t self:capability { sys_rawio sys_admin sys_resource };
#============= audisp_t ==============
allow audisp_t self:capability { sys_rawio sys_admin sys_resource };
#============= auditd_t ==============
allow auditd_t self:capability { sys_rawio sys_admin };
#============= bluetooth_t ==============
allow bluetooth_t self:capability { sys_rawio sys_admin sys_resource };
#============= consolekit_t ==============
allow consolekit_t self:capability { sys_rawio sys_admin sys_resource };
#============= dhcpc_t ==============
allow dhcpc_t self:capability { sys_rawio sys_admin };
#============= getty_t ==============
allow getty_t self:capability sys_rawio;
#============= kerneloops_t ==============
allow kerneloops_t self:capability { sys_rawio sys_admin sys_resource };
#============= restorecond_t ==============
allow restorecond_t self:capability { sys_rawio sys_admin sys_resource };
#============= rpcd_t ==============
allow rpcd_t self:capability { sys_rawio sys_admin sys_resource };
#============= sendmail_t ==============
allow sendmail_t self:capability { sys_rawio sys_admin sys_resource };
#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability { sys_rawio sys_admin sys_resource };
#============= sshd_t ==============
allow sshd_t self:capability { sys_rawio sys_admin };
#============= syslogd_t ==============
allow syslogd_t self:capability sys_rawio;
#============= unconfined_mono_t ==============
# NOTE(review): 'execstack' is a process permission, not a capability, and is
# unrelated to the OOM pattern above -- looks like a separate denial (an
# executable-stack request) that happened to fall in the same log window.
allow unconfined_mono_t self:process execstack;
#============= xdm_t ==============
allow xdm_t self:capability sys_admin;
[root@tlondon ~]#
--
Tom London