AVCs generated by oom actions....

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 3 13:53:01 UTC 2008


On Wed, 2008-09-03 at 06:40 -0700, Tom London wrote:
> On Wed, Sep 3, 2008 at 4:09 AM, James Morris <jmorris at namei.org> wrote:
> > On Tue, 2 Sep 2008, Tom London wrote:
> >
> >> I'm having some out-of-memory issues with latest kernels:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=460848
> >>
> >> I've noticed that when this happens, I get audit and AVC spew.
> >>
> >> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
> >> for processes that are about to commit suicide.
> >>
> >> I have no idea what is causing these, and whether these are bugs (or
> >> features ;)).
> >>
> >> Any ideas/wisdom welcome!
> >
> > This patch should fix it:
> > http://marc.info/?l=selinux&m=122039060813510&w=2
> >
> > --
> > James Morris
> > <jmorris at namei.org>
> >
> Thanks.  I am already running (half of) that patch that fixes
> security_context_to_sid_core(), and it indeed seems to fix the random
> oom's.
> 
> However, I was asking about the (corner?) case where the system
> legitimately needed to call the oom-killer.  Do the above AVCs
> ('sys_rawio', 'sys_admin', and 'sys_resource') indicate an issue?
> They did not appear to interfere with the killing of the
> processes......

The oom killer tests for those capabilities on potential target
processes as part of selecting which process to kill (processes that
have those capabilities are less likely to be killed by the oom killer).

We should likely use a special hook for those tests that uses the
_noaudit interfaces to avoid noise in the audit logs, similar to what
was done for vm_enough_memory.

-- 
Stephen Smalley
National Security Agency
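To make the distinction in this reply usable on the defender side, here is an added example that is not part of the thread: a small Python triage script over constructed audit records that sets aside capability AVCs (sys_rawio, sys_admin, sys_resource) raised while the oom killer was choosing a victim, and keeps every other denial for review. It assumes the kernel "Out of memory" message has already been given an epoch timestamp (so it lines up with the audit records), a 5-second correlation window, and the sample log lines below are constructed, not captured.

```python
import re
from collections import namedtuple

# Capabilities the oom killer checks on every candidate while choosing a
# victim; denials of these during an OOM episode are selection noise.
OOM_SELECTION_CAPS = {"sys_rawio", "sys_admin", "sys_resource"}

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+\{ (?P<perm>[^}]+) \} for\s+"
    r"pid=(?P<pid>\d+) comm=\"(?P<comm>[^\"]*)\".*?tclass=(?P<tclass>\S+)"
)
# Assumption: the kernel "Out of memory" line carries an epoch timestamp here.
OOM_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\] Out of memory: kill process (?P<pid>\d+)")

Avc = namedtuple("Avc", "ts pid comm tclass perm")

def parse_avc(line):
    """Parse one AVC record, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(float(m["ts"]), int(m["pid"]), m["comm"], m["tclass"], m["perm"].strip())

def oom_kill_times(lines):
    return [float(m["ts"]) for line in lines if (m := OOM_RE.search(line))]

def classify(lines, window=5.0):
    """Split AVCs into oom-selection noise and denials that still need review."""
    kills = oom_kill_times(lines)
    out = {"oom_noise": [], "review": []}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        near_oom = any(abs(avc.ts - t) <= window for t in kills)
        if avc.tclass == "capability" and avc.perm in OOM_SELECTION_CAPS and near_oom:
            out["oom_noise"].append(avc)
        else:
            out["review"].append(avc)
    return out

# Constructed sample: two capability AVCs just before a kill, one file AVC in
# the same window, and a sys_admin denial 99 s later with no OOM nearby.
SAMPLE_LOG = [
    'type=AVC msg=audit(1220447701.123:4567): avc:  denied  { sys_rawio } for  pid=2345 comm="firefox" capability=17 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability',
    'type=AVC msg=audit(1220447701.124:4568): avc:  denied  { sys_admin } for  pid=2345 comm="firefox" capability=21 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability',
    'type=AVC msg=audit(1220447701.200:4569): avc:  denied  { read } for  pid=2345 comm="firefox" name="shadow" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    '[1220447701.500] Out of memory: kill process 2345 (firefox) score 12345 or a child',
    'type=AVC msg=audit(1220447800.001:4600): avc:  denied  { sys_admin } for  pid=3001 comm="httpd" capability=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability',
]
```

Calling `classify(SAMPLE_LOG)` puts the two firefox capability denials under `oom_noise` and leaves the file denial and the later httpd sys_admin denial under `review`; until the kernel switches these checks to a _noaudit hook, this is the kind of filter that keeps the genuine denials visible.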