AVCs generated by oom actions....

Tom London selinux at gmail.com
Tue Sep 2 19:52:46 UTC 2008


I'm having some out-of-memory issues with latest kernels:
https://bugzilla.redhat.com/show_bug.cgi?id=460848

I've noticed that when this happens, I get audit and AVC spew.

Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
for processes that are about to commit suicide.

I have no idea what is causing these, and whether these are bugs (or
features ;)).

Any ideas/wisdom welcome!

tom

[root at tlondon ~]# audit2allow -i oom-audit.txt


#============= NetworkManager_t ==============
allow NetworkManager_t self:capability { sys_rawio sys_admin sys_resource };

#============= audisp_t ==============
allow audisp_t self:capability { sys_rawio sys_admin sys_resource };

#============= auditd_t ==============
allow auditd_t self:capability { sys_rawio sys_admin };

#============= bluetooth_t ==============
allow bluetooth_t self:capability { sys_rawio sys_admin sys_resource };

#============= consolekit_t ==============
allow consolekit_t self:capability { sys_rawio sys_admin sys_resource };

#============= dhcpc_t ==============
allow dhcpc_t self:capability { sys_rawio sys_admin };

#============= getty_t ==============
allow getty_t self:capability sys_rawio;

#============= kerneloops_t ==============
allow kerneloops_t self:capability { sys_rawio sys_admin sys_resource };

#============= restorecond_t ==============
allow restorecond_t self:capability { sys_rawio sys_admin sys_resource };

#============= rpcd_t ==============
allow rpcd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sendmail_t ==============
allow sendmail_t self:capability { sys_rawio sys_admin sys_resource };

#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sshd_t ==============
allow sshd_t self:capability { sys_rawio sys_admin };

#============= syslogd_t ==============
allow syslogd_t self:capability sys_rawio;

#============= unconfined_mono_t ==============
allow unconfined_mono_t self:process execstack;

#============= xdm_t ==============
allow xdm_t self:capability sys_admin;
[root at tlondon ~]#

-- 
Tom London
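As an added triage example (not part of Tom's post or the SELinux project's tooling): a small parser that flags the pattern described above, many unrelated domains denied the same self:capability permissions within the same burst, so the audit2allow rules listed are recognised as OOM-killer noise rather than applied to policy. The AVC lines, pids and timestamps are constructed; the window and domain-count thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC records: three domains denied sys_rawio/sys_admin/sys_resource
# in the same second (the OOM burst), plus one isolated xdm_t denial an hour later.
SAMPLE_AVCS = """\
type=AVC msg=audit(1220385166.101:501): avc:  denied  { sys_rawio } for  pid=2101 comm="sshd" capability=17 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability
type=AVC msg=audit(1220385166.101:502): avc:  denied  { sys_admin } for  pid=2101 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability
type=AVC msg=audit(1220385166.102:503): avc:  denied  { sys_rawio } for  pid=1804 comm="syslogd" capability=17 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1220385166.103:504): avc:  denied  { sys_resource } for  pid=2330 comm="sendmail" capability=24 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
type=AVC msg=audit(1220385166.103:505): avc:  denied  { sys_admin } for  pid=2330 comm="sendmail" capability=21 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
type=AVC msg=audit(1220388766.500:611): avc:  denied  { sys_admin } for  pid=2580 comm="gdm-binary" capability=21 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:\d+\).*?denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=\w+:\w+:(?P<sdom>\w+):.*?tcontext=\w+:\w+:(?P<tdom>\w+):"
    r".*?tclass=(?P<tclass>\w+)"
)

# The capabilities the post reports being probed on processes about to be killed.
OOM_PROBE_CAPS = {"sys_rawio", "sys_admin", "sys_resource"}

def parse_avcs(text):
    """Yield (timestamp, source domain, tclass, perms, is_self) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (int(m["ts"]), m["sdom"], m["tclass"],
                   frozenset(m["perms"].split()), m["sdom"] == m["tdom"])

def find_oom_probe_bursts(text, window=2, min_domains=3):
    """Bucket self:capability denials into `window`-second buckets. A bucket where
    at least `min_domains` distinct domains were denied only OOM_PROBE_CAPS is
    returned as {bucket_start: [domains]}: kernel-side probing, not an application
    that needs the capability, so no allow rule should be written for it."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, dom, tclass, perms, is_self in parse_avcs(text):
        if tclass == "capability" and is_self:
            buckets[ts // window][dom] |= perms
    bursts = {}
    for b, doms in buckets.items():
        probe = {d for d, p in doms.items() if p <= OOM_PROBE_CAPS}
        if len(probe) >= min_domains:
            bursts[b * window] = sorted(probe)
    return bursts

if __name__ == "__main__":
    for start, doms in find_oom_probe_bursts(SAMPLE_AVCS).items():
        print(f"{start}: likely OOM probe across {', '.join(doms)}; skip audit2allow rules")
```

Denials that fall outside such a burst, like the lone xdm_t record, still deserve the usual investigation.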