sealert

Daniel J Walsh dwalsh at redhat.com
Sat Dec 15 12:11:19 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/14/2012 09:25 AM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/13/2012 09:35 AM, m.roth at 5-cent.us wrote:
>>> Current CentOS 6.3
>>>
>>> I get this. / is only 54%.
>>>
>>> SELinux is preventing /usr/bin/perl from using the sys_resource
>>> capability.
>>>
>>> *****  Plugin sys_resource (91.4 confidence) suggests
>>> ***********************
> <snip>
>> sys_resource is basically what the kernel will report when you have gone
>> over a resource limit for a particular UID, and require the sys_resource
>> capability to continue.  Could be file system, number of processes, open
>> file descriptors.
>>
>> We see these happening more and more for root processes and we have
>> bugzillas open for expanding the max numbers of processes for root, I think
>> under RHEL, but a quick google did not find it.
> 
> Suddenly, as in the last few weeks to a month, possibly as updates were
> applied and new kernels run, I'm seeing a bunch of these.
> 
> On another system, I see in this morning's logs
>  --------------------- Selinux Audit Begin ------------------------
> 
>  **Unmatched Entries**
>   Audit daemon has no space left on logging partition
>   Audit daemon is suspending logging due to no space left on logging
> partition.
> 
>  ---------------------- Selinux Audit End -------------------------
> --------------------- Disk Space Begin ------------------------
> 
>  Filesystem            Size  Used Avail Use% Mounted on
>  /dev/sda3             914G  722G  146G  84% /
>  /dev/sda1            1008M  103M  855M  11% /boot
> 
>  ---------------------- Disk Space End -------------------------
> 
> However, I also see that a user was running R, and oom-killer was invoked.
> My suspicion is that it's *not* disk space that's run out, as the message
> suggests, but rather that the system ran out of memory, and the sealert
> gave the wrong information.
> 
> Your thoughts, Dan (or anyone)?
> 
>        mark
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 


How would this look?

*****  Plugin sys_resource (91.4 confidence) suggests  ***********************

If you do not want processes to require capabilities to use up all the system
resources on your system, then you need to diagnose why your system is running
out of system resources and fix the problem.

According to /usr/include/linux/capability.h, sys_resource is required to:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Do
fix the cause of the SYS_RESOURCE on your system.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDMaOcACgkQrlYvE4MpobNy3ACfWqbKznDfacUUtQUnPv8HkFvU
n/gAnRsOCkmloboOKs5823CsoDpI2ILS
=4GMD
-----END PGP SIGNATURE-----
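As an added example (not code from this thread, and not part of setroubleshoot or any sealert plugin), the script below does in code what the draft plugin text above asks the admin to do: collect the sys_resource capability denials from the audit log, then look for the corroborating evidence Mark mentions (the audit daemon's "no space left on logging partition" message versus an oom-killer run in the kernel log) before deciding which resource to investigate. All log lines in it are constructed samples in the shape auditd and the CentOS 6 kernel write; the PIDs, contexts, timestamps and the ordering heuristic in `next_steps` are this example's own assumptions.

```python
"""Triage helper for sys_resource AVC denials.

Added example: not code from the mailing-list thread or from setroubleshoot.
It does, as a script, what the draft plugin text asks the admin to do: look at
the denial, then look for evidence of which resource actually ran out, instead
of granting the capability. Every log line below is a constructed sample.
"""
import re
from collections import Counter

# Constructed lines in the shape auditd writes to /var/log/audit/audit.log.
# capability=24 is CAP_SYS_RESOURCE. PIDs, contexts and timestamps are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355400001.101:201): avc:  denied  { sys_resource } for  pid=4120 comm="perl" capability=24  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability
type=AVC msg=audit(1355400002.102:202): avc:  denied  { sys_resource } for  pid=4121 comm="perl" capability=24  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability
type=AVC msg=audit(1355400003.103:203): avc:  denied  { read } for  pid=4200 comm="httpd" name="index.html" dev=sda3 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=DAEMON_ERR msg=audit(1355400004.000:204): Audit daemon has no space left on logging partition
"""

# Constructed lines in the shape the CentOS 6 era kernel logs to /var/log/messages
# when the OOM killer runs.
SAMPLE_KERNEL = """\
Dec 14 08:12:03 host kernel: R invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
Dec 14 08:12:03 host kernel: Out of memory: Kill process 5133 (R) score 912 or sacrifice child
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)
OOM_RE = re.compile(r"Out of memory: Kill process (?P<pid>\d+) \((?P<comm>[^)]+)\)")


def capability_denials(audit_text, capability="sys_resource"):
    """Map (comm, scontext) -> number of AVC denials of the given capability."""
    counts = Counter()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("tclass") == "capability" and capability in m.group("perms").split():
            counts[(m.group("comm"), m.group("scontext"))] += 1
    return counts


def evidence(audit_text, kernel_text):
    """Corroborating signals: did auditd hit a full partition, did the OOM killer run?"""
    return {
        "audit_partition_full": any(
            "no space left on logging partition" in line for line in audit_text.splitlines()
        ),
        "oom_killed": [m.group("comm") for m in OOM_RE.finditer(kernel_text)],
    }


def next_steps(denials, ev):
    """Ordered checklist. The ordering is this example's own heuristic: if the
    OOM killer ran, memory and per-UID process limits are the first suspects
    even when a disk-full message is also present; a disk-full message alone
    points at space, reserved blocks or quota; with neither, start at the
    denied process's own limits."""
    steps = []
    if not denials:
        return steps
    if ev["oom_killed"]:
        steps.append("memory: oom-killer ran for %s; check ulimit -u/-v and memory use"
                     % ",".join(ev["oom_killed"]))
    if ev["audit_partition_full"]:
        steps.append("disk: audit partition reported full; check df, reserved blocks "
                     "(tune2fs -l) and quotas")
    steps.append("limits: compare /proc/<pid>/limits and ulimit -a against the process's usage")
    return steps


def triage(audit_text=SAMPLE_AUDIT, kernel_text=SAMPLE_KERNEL):
    """Run the whole triage over two log texts and return the findings."""
    denials = capability_denials(audit_text)
    ev = evidence(audit_text, kernel_text)
    return {"denials": dict(denials), "evidence": ev, "next_steps": next_steps(denials, ev)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real machine the two sample strings would be replaced by the contents of `/var/log/audit/audit.log` and `/var/log/messages` (or the output of `ausearch -m AVC`), and the denial counts per `comm`/`scontext` are what to compare against the process's limits before anything is changed in policy.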

