sealert

Daniel J Walsh dwalsh at redhat.com
Fri Dec 14 13:36:06 UTC 2012


On 12/13/2012 09:35 AM, m.roth at 5-cent.us wrote:
> Current CentOS 6.3
> 
> I get this. / is only 54%.
> 
> SELinux is preventing /usr/bin/perl from using the sys_resource
> capability.
> 
> *****  Plugin sys_resource (91.4 confidence) suggests 
> ***********************
> 
> If you do not want to get this AVC any longer. These AVC's are caused by 
> running out of resources, usually disk space on your / partition. Then you
> must cleanup diskspace or make sure you are not running too many 
> processes. Do clear up your disk. <snip>
> 
> Could someone at least FIX THE TEXT? I mean, it's junior high school, at 
> most: sentence fragments, etc.
> 
> Now, the real reason for the AVC is something I've yet to look into....
> 
> mark, grammar ninja
> 
> 

The tool is generating these lines, based off snippets in the sys_resource
plugin in /usr/share/setroubleshoot/sys_resource.py.  Patches accepted.

sys_resource is basically what the kernel will report when you have gone over a
resource limit for a particular UID, and require the sys_resource capability
to continue.  Could be file system, number of processes, open file descriptors.

We see these happening more and more for root processes and we have bugzillas
open for expanding the max number of processes for root, I think under RHEL,
but a quick google did not find it.


/usr/include/linux/capability.h has the following

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

#define CAP_SYS_RESOURCE     24


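As an added example (not part of this thread and not setroubleshoot's own code), here is a small Python script that does on the audit log what the sys_resource plugin does on a single AVC: it parses `avc: denied { ... }` lines, keeps only the `tclass=capability` denials, maps the numeric `capability=` field to the name from capability.h (so `capability=24` should agree with `{ sys_resource }`), and explains a sys_resource denial as the resource-limit condition Dan describes rather than as a policy problem. The log lines embedded below are constructed for the example, and the `explain()` wording is my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Capability numbers from /usr/include/linux/capability.h (subset, values
# 0..31 as defined there); CAP_SYS_RESOURCE is 24, as quoted in the mail.
CAP_NAMES: Dict[int, str] = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}

# Standard AVC denial layout: "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines (not real captures).
SAMPLE_LINES = [
    'type=AVC msg=audit(1355405748.123:4567): avc:  denied  { sys_resource } for  '
    'pid=2875 comm="perl" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1355405749.456:4568): avc:  denied  { read } for  pid=2901 '
    'comm="httpd" name="index.html" dev=dm-0 ino=1234 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1355405750.789:4569): avc:  denied  { dac_override } for  '
    'pid=2875 comm="perl" capability=1  scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1355405750.789:4569): arch=c000003e syscall=2 success=no',
]


@dataclass
class CapDenial:
    pid: int
    comm: str
    capability: int      # numeric capability= field from the AVC
    cap_name: str        # name inside the { } braces
    scontext: str
    consistent: bool     # True when CAP_NAMES[capability] == cap_name


def parse_avc(line: str) -> Optional[dict]:
    """Return the permissions and key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def capability_denials(lines: List[str]) -> List[CapDenial]:
    """Extract every tclass=capability denial, one record per denied capability."""
    out: List[CapDenial] = []
    for line in lines:
        f = parse_avc(line)
        if not f or f.get("tclass") != "capability":
            continue
        cap_num = int(f.get("capability", -1))
        for perm in f["perms"]:
            out.append(CapDenial(
                pid=int(f["pid"]), comm=f["comm"], capability=cap_num,
                cap_name=perm, scontext=f.get("scontext", "?"),
                consistent=CAP_NAMES.get(cap_num) == perm,
            ))
    return out


def explain(d: CapDenial) -> str:
    """Triage text: sys_resource points at an exhausted limit, not at policy."""
    if d.cap_name == "sys_resource":
        return (f"pid {d.pid} ({d.comm}, {d.scontext}) went over a per-UID "
                "resource limit (disk space, process count or open file "
                "descriptors); free the resource or raise the limit rather "
                "than granting CAP_SYS_RESOURCE")
    return (f"pid {d.pid} ({d.comm}) was denied CAP_{d.cap_name.upper()} "
            f"(capability={d.capability}); review the domain's policy")


if __name__ == "__main__":
    for d in capability_denials(SAMPLE_LINES):
        flag = "" if d.consistent else " [capability number does not match name]"
        print(explain(d) + flag)
```

Run it against `/var/log/audit/audit.log` by replacing `SAMPLE_LINES` with the file's lines; the `consistent` flag is a cheap sanity check that the numeric field and the braced name were not mangled by whatever shipped the log.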
