Daniel J Walsh dwalsh@redhat.com writes:

Did you see avc messages in /var/log/audit/audit.log?

I see quite a few avc messages. If you want I can mail or bz the whole file or just the avc lines.

# wc audit.log 8996 144947 1946140 audit.log # grep avc: audit.log | wc 2614 40929 585751 #

I run nfs4 and postfix with delivery into ~username/Mailbox. Maybe this isn't a heavily tested configuration.

-wolfgang

Daniel J Walsh wrote:

Wolfgang S. Rupprecht wrote:

...

Skunk Worx skunkworx@verizon.net writes:

...

Seems like some F7 machines that sit for awhile do this.

# yum clean all Loading "installonlyn" plugin rpmdb: Lock table is out of available locker entries rpmdb: Unknown locker ID: 912 error: db4 error(22) from db->close: Invalid argument error: cannot open Packages index using db3 - Cannot allocate memory (12) error: cannot open Packages database in /var/lib/rpm

Turn selinux off (not just permissive but disabled), reboot and the problem will go away.

I found that yum/rpm would lock up within a day if I had selinux set to permissive. With it is disabled completely the problem appears gone, even after many days uptime.

-wolfgang

Did you see avc messages in /var/log/audit/audit.log?

I don't see anything that looks like yum or rpm related, my log is much smaller.

For now I am staying with enforcing unless I have to change, I don't mind doing some testing with this email machine.

Note : tried init 1, init 3 but it's not enough

appears to require a reboot.

--- John

Wolfgang S. Rupprecht wrote:

Skunk Worx skunkworx@verizon.net writes:

...

Daniel J Walsh wrote:

...

Did you see avc messages in /var/log/audit/audit.log?

I don't see anything that looks like yum or rpm related, my log is much smaller.

One thing that stands out (by virtue of having the word "lock" in it ;-)) is the postfix mailbox locking. It might not be anything, since I'm not really sure which needle in this haystack I'm looking for.

# grep -i lock audit.log | grep -v clock_device | tail type=AVC msg=audit(1181331871.161:339): avc: denied { remove_name } for pid=11667 comm="local" name="Mailbox.lock" dev=dm-0 ino=70551655 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181331871.161:339): avc: denied { unlink } for pid=11667 comm="local" name="Mailbox.lock" dev=dm-0 ino=70551655 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1181333061.829:345): avc: denied { add_name } for pid=11835 comm="local" name="Mailbox.lock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181333064.210:346): avc: denied { remove_name } for pid=11835 comm="local" name="Mailbox.lock" dev=dm-0 ino=71697052 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181333216.630:357): avc: denied { add_name } for pid=11861 comm="local" name="Mailbox.lock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181333217.129:358): avc: denied { remove_name } for pid=11861 comm="local" name="Mailbox.lock" dev=dm-0 ino=70551655 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181336644.216:383): avc: denied { add_name } for pid=12469 comm="local" name="Mailbox.lock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181336644.216:383): avc: denied { create } for pid=12469 comm="local" name="Mailbox.lock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1181336644.225:384): avc: denied { remove_name } for pid=12469 comm="local" name="Mailbox.lock" dev=dm-0 ino=70551655 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1181336644.225:384): avc: denied { unlink } for pid=12469 comm="local" name="Mailbox.lock" dev=dm-0 ino=70551655 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file

-wolfgang

This looks like you have postfix attempting to create a file (Mailbox.lock) in the / directory?

Wolfgang S. Rupprecht wrote:

Daniel J Walsh dwalsh@redhat.com writes:

...

This looks like you have postfix attempting to create a file (Mailbox.lock) in the / directory?

I don't see any /Mailbox, but my selinux contexts may be wrong on the user's home directories. They seem to also be "root:object_r:root_t:s0". I copied the home's for f7 from the old fc6 disk using the standard tar pipe. That seems to have mashed things.

tar -c /fc6 -cf - u | tar -C / -xf -

# ll -a --lcontext /u total 120 drwxr-xr-x 14 root:object_r:root_t:s0 root root 4096 2007-06-08 16:37 . drwxr-xr-x 30 system_u:object_r:root_t:s0 root root 4096 2007-06-18 08:59 .. drwxr-xr-x 86 root:object_r:root_t:s0 alison alison 4096 2007-06-08 11:02 alison drwxr-xr-x 2 root:object_r:root_t:s0 root root 4096 2006-11-30 10:51 CVS drwxr-xr-x 35 root:object_r:root_t:s0 cvs staff 4096 2006-11-21 12:52 cvsroot drwxr-xr-x 24 root:object_r:root_t:s0 wolfgang staff 4096 2000-08-29 11:22 gps drwxr-xr-x 3 root:object_r:root_t:s0 laine laine 4096 2006-10-26 15:15 laine drwxr-xr-x 3 root:object_r:root_t:s0 marc marc 4096 2006-10-26 15:15 marc drwxrwxr-x 22 root:object_r:root_t:s0 root wheel 4096 2007-06-15 10:35 src drwxr-xr-x 273 root:object_r:root_t:s0 wolfgang wolfgang 12288 2007-06-18 09:04 wolfgang drwxrwxr-x 17 root:object_r:root_t:s0 root wsrcc 4096 2007-04-04 08:34 www

The /home directory is an automount point that mounts the /u/<username> directory from a main server. This allows the familiar /home for homes.

-wolfgang

restorecon -R -v /root

Wolfgang S. Rupprecht wrote:

Daniel J Walsh dwalsh@redhat.com writes:

...

Wolfgang S. Rupprecht wrote:

...

# ll -a --lcontext /u total 120 drwxr-xr-x 14 root:object_r:root_t:s0 root root 4096 2007-06-08 16:37 . drwxr-xr-x 30 system_u:object_r:root_t:s0 root root 4096 2007-06-18 08:59 .. drwxr-xr-x 86 root:object_r:root_t:s0 alison alison 4096 2007-06-08 11:02 alison drwxr-xr-x 2 root:object_r:root_t:s0 root root 4096 2006-11-30 10:51 CVS drwxr-xr-x 35 root:object_r:root_t:s0 cvs staff 4096 2006-11-21 12:52 cvsroot drwxr-xr-x 24 root:object_r:root_t:s0 wolfgang staff 4096 2000-08-29 11:22 gps drwxr-xr-x 3 root:object_r:root_t:s0 laine laine 4096 2006-10-26 15:15 laine drwxr-xr-x 3 root:object_r:root_t:s0 marc marc 4096 2006-10-26 15:15 marc drwxrwxr-x 22 root:object_r:root_t:s0 root wheel 4096 2007-06-15 10:35 src drwxr-xr-x 273 root:object_r:root_t:s0 wolfgang wolfgang 12288 2007-06-18 09:04 wolfgang drwxrwxr-x 17 root:object_r:root_t:s0 root wsrcc 4096 2007-04-04 08:34 www

restorecon -R -v /root

Its the user's directories located in /u (instead of /home) that need the restorecon. (The /home directory is automounted.) I suspect I need to copy something in restorecon's database so that it knows that /u contains home directories.

The underlying problem with the rpm db locks failing after a few hours of uptime is what concerns me more. It seemed to be selinux related since turning off selinux fixed the lock leakage.

-wolfgang

semanage fcontext -a -t home_root_t /u semanage fcontext -a -t user_home_dir_t -f-d /u/[^/]* semanage fcontext -a -t user_home_t /u/[^/]*/.+

should clean that up

Yes if the rpm problem happens in permissive mode it should be reported as a bug to rpm.