sealert
Daniel J Walsh
dwalsh at redhat.com
Fri Dec 14 13:36:06 UTC 2012
On 12/13/2012 09:35 AM, m.roth at 5-cent.us wrote:
> Current CentOS 6.3
>
> I get this. / is only 54%.
>
> SELinux is preventing /usr/bin/perl from using the sys_resource
> capability.
>
> ***** Plugin sys_resource (91.4 confidence) suggests
> ***********************
>
> If you do not want to get this AVC any longer. These AVC's are caused by
> running out of resources, usually disk space on your / partition. Then you
> must cleanup diskspace or make sure you are not running too many
> processes. Do clear up your disk. <snip>
>
> Could someone at least FIX THE TEXT? I mean, it's junior high school, at
> most: sentence fragments, etc.
>
> Now, the real reason for the AVC is something I've yet to look into....
>
> mark, grammar ninja

The tool is generating these lines, based off snippets in the sys_resource
plugin in /usr/share/setroubleshoot/sys_resource.py. Patches accepted.

sys_resource is basically what the kernel will report when you have gone over a
resource limit for a particular UID, and require the sys_resource capability
to continue. Could be file system, number of processes, open file descriptors.

We see these happening more and more for root processes and we have bugzillas
open for expanding the max numbers of processes for root, I think under RHEL,
but a quick google did not find it.

/usr/include/linux/capability.h has the following:

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */
#define CAP_SYS_RESOURCE 24
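
To see which of the limits mentioned in the reply a process is actually near, the following added example (not part of the original message and not setroubleshoot code) reads the soft limits from /proc/<pid>/limits, counts the process's open descriptors, and tests whether a filesystem is down to its root-reserved blocks, the "Override reserved space on ext2 filesystem" case. The helper names and the PID and mount-point arguments are assumptions of the example.

```c
/* Added example: helper names are illustrative, not setroubleshoot code. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/statvfs.h>

/* Soft value of a /proc/<pid>/limits row: -1 unlimited, -2 other row. */
long soft_limit(const char *line, const char *name) {
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0) return -2;
    line += n + strspn(line + n, " ");
    return strncmp(line, "unlimited", 9) == 0 ? -1 : strtol(line, NULL, 10);
}

/* Descriptors held by a process, from /proc/<pid>/fd; -1 if unreadable. */
long fd_count(long pid) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/fd", pid);
    DIR *d = opendir(path);
    if (!d) return -1;
    long n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; )
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n;
}

/* 1 when only root-reserved blocks remain (free > 0, non-root available == 0). */
int reserved_only(const struct statvfs *s) {
    return s->f_bavail == 0 && s->f_bfree > 0;
}

int main(int argc, char **argv) {   /* usage: prog PID [MOUNTPOINT] */
    long pid = argc > 1 ? atol(argv[1]) : 1;
    char path[64], line[256];
    struct statvfs vfs;
    snprintf(path, sizeof path, "/proc/%ld/limits", pid);
    FILE *f = fopen(path, "r");
    while (f && fgets(line, sizeof line, f)) {
        long lim = soft_limit(line, "Max open files");
        if (lim >= 0) printf("open files: %ld of %ld (soft)\n", fd_count(pid), lim);
        lim = soft_limit(line, "Max processes");
        if (lim != -2) printf("max processes for this UID: %ld (-1 = unlimited)\n", lim);
    }
    if (f) fclose(f);
    if (statvfs(argc > 2 ? argv[2] : "/", &vfs) == 0 && reserved_only(&vfs))
        puts("only root-reserved blocks remain on this filesystem");
    return 0;
}
```

Run it as root against the PID of the process named in the AVC, since /proc/<pid>/fd of another user's process is not readable otherwise.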