Bug 1812899
| Summary: | AVCs "sys_resource" and "sys_admin" seen while executing various services | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED NOTABUG | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.1 | CC: | lvrabec, mmalik, plautrba, qguo, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-20 10:00:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
SELinux denials which contain { sys_resource } usually appear on machines which have not enough memory or which are heavily CPU utilized. Is this true in the customer environment?
Seen multiple times in our test tiers today:
----
type=PROCTITLE msg=audit(03/11/2020 19:45:37.619:24109) : proctitle=nginx: master process /usr/sbin/nginx
type=SYSCALL msg=audit(03/11/2020 19:45:37.619:24109) : arch=aarch64 syscall=sendmsg success=no exit=ETOOMANYREFS(Too many references: cannot splice) a0=0x3b a1=0xffffd078ca18 a2=0x0 a3=0xffff9e514000 items=0 ppid=1 pid=151751 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc: denied { sys_admin } for pid=151751 comm=nginx capability=sys_admin scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc: denied { sys_resource } for pid=151751 comm=nginx capability=sys_resource scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
----
aarch64 machines seem to be slow in comparison to other architectures.
ETOOMANYREFS
This error can occur for sendmsg(2) when sending a file
descriptor as ancillary data over a UNIX domain socket (see
the description of SCM_RIGHTS, above). It occurs if the
number of "in-flight" file descriptors exceeds the
RLIMIT_NOFILE resource limit and the caller does not have the
CAP_SYS_RESOURCE capability. An in-flight file descriptor is
one that has been sent using sendmsg(2) but has not yet been
accepted in the recipient process using recvmsg(2).
This error is diagnosed since mainline Linux 4.5 (and in some
earlier kernel versions where the fix has been backported).
In earlier kernel versions, it was possible to place an
unlimited number of file descriptors in flight, by sending
each file descriptor with sendmsg(2) and then closing the file
descriptor so that it was not accounted against the
RLIMIT_NOFILE resource limit.
Does setting a higher limit of open files in customer environment help?
Thanks Milos, Will check customer's environment but I doubt it's similar for reasons below: - it affects pipe() and pipe() doesn't fail here - it's 100% reproducible with man-db-cache-update.service - there is no load at all on the system Please ignore previous comment. Entered by mistake. Closing this BZ as NOTABUG: system is actually running out of resources as indicated. See the attached knowledgebase article for more information. |
Description of problem: A customer is encountering "sys_resource" and/or "sys_admin" AVCs when executing the following services: plymouthd, rhnsd and mandb For mandb, executed through "systemctl start man-db-cache-update.service", this happens when mandb process creates pipes to communicate with child process doing the mandb generation: strace: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- 30124 08:41:57.069047 openat(AT_FDCWD, "/usr/share/man/man7/lvmreport.7.gz", O_RDONLY) = 5</usr/share/man/man7/lvmreport.7.gz> <0.000062> 30124 08:41:57.069197 pipe([6<pipe:[123644422]>, 7<pipe:[123644422]>]) = 0 <0.000101> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- AVCs: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- time->Tue Mar 10 08:41:57 2020 type=PROCTITLE msg=audit(1583826117.068:120523): proctitle=2F7573722F62696E2F6D616E6462002D71 type=SYSCALL msg=audit(1583826117.068:120523): arch=c000003e syscall=22 success=yes exit=0 a0=7ffc97533098 a1=561fcf5cecf0 a2=0 a3=0 items=0 ppid=30123 pid=30124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t:s0 key=(null) type=AVC msg=audit(1583826117.068:120523): avc: denied { sys_admin } for pid=30124 comm="mandb" capability=21 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1583826117.068:120523): avc: denied { sys_resource } for pid=30124 comm="mandb" capability=24 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0 -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Analysis of the system showed nothing special (no 3rd party module, etc). Version-Release number of selected component (if applicable): selinux-policy-targeted-3.14.3-20.el8.noarch How reproducible: Always on customer's site, never on my systems