On Wed, Sep 3, 2008 at 4:09 AM, James Morris
<jmorris(a)namei.org> wrote:
> On Tue, 2 Sep 2008, Tom London wrote:
>
>> I'm having some out-of-memory issues with latest kernels:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=460848
>>
>> I've noticed that when this happens, I get audit and AVC spew.
>>
>> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
>> for processes that are about to commit suicide.
>>
>> I have no idea what is causing these, and whether these are bugs (or
>> features ;)).
>>
>> Any ideas/wisdom welcome!
>
> This patch should fix it:
>
> http://marc.info/?l=selinux&m=122039060813510&w=2
>
> --
> James Morris
> <jmorris(a)namei.org>
>
Thanks. I am already running (half of) that patch that fixes
security_context_to_sid_core(), and it indeed seems to fix the random
OOMs.
However, I was asking about the (corner?) case where the system
legitimately needed to call the oom-killer. Do the above AVCs
('sys_rawio', 'sys_admin', and 'sys_resource') indicate an
issue?
They did not appear to interfere with the killing of the
processes......
The oom killer tests for those capabilities on potential target
processes as part of selecting which process to kill (processes that
have those capabilities are less likely to be killed by the oom killer).
We should likely use a special hook for those tests that uses the
_noaudit interfaces to avoid noise in the audit logs, similar to what
was done for vm_enough_memory.
--
Stephen Smalley
National Security Agency
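The behaviour Stephen describes above, as an added user-space model (not code from this thread, from the kernel's oom_kill.c, or from SELinux): a victim selector that probes each candidate's capabilities produces one audit record for every probe the MAC policy denies, even though nothing is being granted, while a "noaudit" probe reaches the same choice with an empty audit trail. The task table, the divide-by-4 discount, the capability bit values and the "capability bit first, policy second" probe order are all assumptions made for illustration and modelled on the 2.6.27-era badness() only loosely; treat them as such, not as a description of the real selector.

```c
/* Added example: user-space model of OOM victim selection with audited
 * versus unaudited capability probes. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Capability bits (names follow Linux; values are illustrative). */
enum { CAP_SYS_RAWIO = 1u << 0, CAP_SYS_ADMIN = 1u << 1, CAP_SYS_RESOURCE = 1u << 2 };

struct task {
    const char *comm;
    unsigned long total_vm;    /* pages; base of the badness score */
    unsigned cap_effective;    /* POSIX capability bits the task holds */
    unsigned policy_allowed;   /* bits the (simulated) MAC policy grants its domain */
};

/* Counters stand in for the audit log. */
static unsigned long avc_audited, avc_suppressed;

static void audit_reset(void) { avc_audited = avc_suppressed = 0; }

/* Model of a capability probe: a task without the bit fails silently;
 * a task with the bit but no policy grant is a denial, and a denial is
 * audited unless the caller asked for the _noaudit variant. */
static bool task_has_capability(const struct task *t, unsigned cap, bool noaudit)
{
    if (!(t->cap_effective & cap))
        return false;
    if (!(t->policy_allowed & cap)) {
        if (noaudit) avc_suppressed++; else avc_audited++;
        return false;
    }
    return true;
}

/* Illustrative badness: privileged tasks are discounted, so they are
 * less likely to be chosen. Short-circuit || means CAP_SYS_RESOURCE is
 * only probed when CAP_SYS_ADMIN was not granted. */
static unsigned long badness(const struct task *t, bool noaudit)
{
    unsigned long points = t->total_vm;
    if (task_has_capability(t, CAP_SYS_ADMIN, noaudit) ||
        task_has_capability(t, CAP_SYS_RESOURCE, noaudit))
        points /= 4;
    if (task_has_capability(t, CAP_SYS_RAWIO, noaudit))
        points /= 4;
    return points;
}

/* Index of the task with the highest badness (first maximum wins). */
static size_t select_victim(const struct task *tasks, size_t n, bool noaudit)
{
    size_t victim = 0;
    unsigned long worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long p = badness(&tasks[i], noaudit);
        if (p > worst) { worst = p; victim = i; }
    }
    return victim;
}

/* Constructed sample task table (not real data). "bigjob" runs with
 * root's capability bits in a domain whose policy grants none of them,
 * which is the case that produces denials during selection. */
static const struct task sample[] = {
    { "httpd",   40000, 0, 0 },
    { "sshd",    80000, CAP_SYS_ADMIN | CAP_SYS_RESOURCE | CAP_SYS_RAWIO,
                        CAP_SYS_ADMIN | CAP_SYS_RESOURCE | CAP_SYS_RAWIO },
    { "bigjob", 100000, CAP_SYS_ADMIN | CAP_SYS_RAWIO, 0 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

size_t sample_victim(bool noaudit)
{
    audit_reset();
    return select_victim(sample, NSAMPLE, noaudit);
}

unsigned long sample_audit_events(bool noaudit)
{
    audit_reset();
    select_victim(sample, NSAMPLE, noaudit);
    return avc_audited;
}

unsigned long sample_suppressed_events(bool noaudit)
{
    audit_reset();
    select_victim(sample, NSAMPLE, noaudit);
    return avc_suppressed;
}

int main(void)
{
    printf("audited probe:  victim=%s, AVC records=%lu\n",
           sample[sample_victim(false)].comm, sample_audit_events(false));
    printf("noaudit probe:  victim=%s, AVC records=%lu (suppressed=%lu)\n",
           sample[sample_victim(true)].comm, sample_audit_events(true),
           sample_suppressed_events(true));
    return 0;
}
```

The point of the model is the second line of output: the selector picks the same victim either way, so the two denials it logged in the audited run carried no security decision, only noise. That is the argument for routing the selector's probes through a _noaudit interface, as was done for vm_enough_memory.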