Bug 467216
Summary: | avc: denied { sys_resource } when using ext4dev partitions | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Alexander Todorov <atodorov> |
Component: | kernel | Assignee: | Eric Sandeen <esandeen> |
Status: | CLOSED ERRATA | QA Contact: | Alexander Todorov <atodorov> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.3 | CC: | benl, dwalsh, dzickus, eparis, mcepl, rwheeler, syeghiay |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-01-20 20:10:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Alexander Todorov
2008-10-16 12:50:30 UTC
If suddenly every confined domain in the universe needs sys_resource, I think it is a kernel bug.

Thanks, I sent a couple patches upstream which should delay the capable() tests as eparis suggested, so at least we only should get the denials when all else fails (i.e. we actually need the root space, and neither the uid nor the gid matches that for the reserved space...)

http://marc.info/?l=linux-ext4&m=122488084212789&w=2
http://marc.info/?l=linux-ext4&m=122488090912882&w=2

Feel free to test :)

Thanks,
-Eric

I've pushed them to the pending ext4 patch queue now as well.

-Eric

Put the patches into rawhide/F10 today.

*** Bug 468683 has been marked as a duplicate of this bug. ***

in kernel-2.6.18-122.el5

You can download this test kernel from http://people.redhat.com/dzickus/el5

with 2.6.18-122.el5 and a default install on ext4dev / I'm not seeing any selinux denials in the logs. Moving to VERIFIED.

For the record, a fix for this is now upstream as well:

commit a996031c87e093017c0763326a08896a3a4817f4
Author: Eric Sandeen <sandeen>
Date: Tue Oct 28 00:08:17 2008 -0400

    delay capable() check in ext4_has_free_blocks()

    As reported by Eric Paris, the capable() check in ext4_has_free_blocks()
    sometimes causes SELinux denials.

    We can rearrange the logic so that we only try to use the root-reserved
    blocks when necessary, and even then we can move the capable() test to
    last, to avoid the check most of the time.

    Signed-off-by: Eric Sandeen <sandeen>
    Reviewed-by: Mingming Cao <cmm.com>
    Signed-off-by: "Theodore Ts'o" <tytso>

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html
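The check reordering described in the upstream commit message above, as an added example that is not part of this bug report or the kernel source: a simplified userspace C model showing why querying the capability last stops the denials for confined processes. The structs, `capable_model()` and both function names are hypothetical, group membership is reduced to a single gid comparison, and the "before" ordering (capability queried first) is an assumption.

```c
/* Userspace model, not kernel code. All names and values are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
struct task { unsigned uid, gid; bool cap_sys_resource; };
struct fs   { unsigned long free, dirty, root_reserved; unsigned resuid, resgid; };

static int avc_denials;            /* stands in for the SELinux audit log */

/* Like capable(): merely asking is audited when the answer is "no". */
static bool capable_model(const struct task *t)
{
    avc_denials += !t->cap_sys_resource;
    return t->cap_sys_resource;
}

/* Before: the capability is queried on every call, needed or not. */
static bool has_free_blocks_eager(const struct fs *f, const struct task *t,
                                  unsigned long n)
{
    unsigned long reserve = f->root_reserved;
    if (capable_model(t) || f->resuid == t->uid ||
        (f->resgid != 0 && f->resgid == t->gid))
        reserve = 0;               /* caller may dip into the reserve */
    return f->free >= n + f->dirty + reserve;
}

/* After: try without the reserve first; query the capability last. */
static bool has_free_blocks_delayed(const struct fs *f, const struct task *t,
                                    unsigned long n)
{
    if (f->free >= n + f->dirty + f->root_reserved)
        return true;               /* common case: no privilege question asked */
    if (f->resuid == t->uid || (f->resgid != 0 && f->resgid == t->gid) ||
        capable_model(t))
        return f->free >= n + f->dirty;
    return false;
}

int main(void)
{
    struct fs f = { 1000, 10, 50, 0, 0 };      /* constructed sample values */
    struct task confined = { 48, 48, false };  /* no CAP_SYS_RESOURCE */
    has_free_blocks_eager(&f, &confined, 8);
    printf("eager: %d denial(s)\n", avc_denials);
    avc_denials = 0;
    has_free_blocks_delayed(&f, &confined, 8);
    printf("delayed: %d denial(s)\n", avc_denials);
    return 0;
}
```

In the delayed version a denial is still recorded when the filesystem is nearly full and the caller matches neither the reserved uid nor gid, which is the "when all else fails" case from the thread.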