Bug 699655

Summary: /usr/libexec/postfix/master: avc: denied { sys_resource }
Product: Red Hat Enterprise Linux 6
Reporter: Michal Nowak <mnowak>
Component: kernel
Assignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED WORKSFORME
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, eparis, mgrepl, ohudlick
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-08-26 01:04:38 UTC
Bug Blocks: 767187, 846704

Comment 1 Miroslav Grepl 2011-04-26 10:49:39 UTC
Any chance a machine is running out of space?

Comment 2 Michal Nowak 2011-04-26 12:07:12 UTC
Can't say for sure, the machine's installation is gone; what I know is that those mainframes (virtualized) tend to have only 26 GB of disk space so it's not impossible to run out of space.

Comment 3 Daniel Walsh 2011-04-26 15:08:34 UTC
Sys_resource means one of the following was hit.

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */


We do not usually allow confined applications to override resource constraints.

Comment 6 Daniel Walsh 2011-04-28 11:46:55 UTC
If this is happening to lots of domains, it is a kernel issue.  These apps should not require sys_resource unless the system is running out of resources.

I think there is a bug in s390x that is causing bogus sys_resource capability checks.

If you want to stop them, you can add policy that says

allow domain self:capability sys_resource;
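
Added example, not part of the comment above or of any Red Hat tooling: a way to check from the audit log whether sys_resource denials hit one domain or many, which is the distinction Comment 6 uses to separate a resource problem from a kernel issue. The log lines are constructed, and the function names and the three-domain threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1303812345.101:201): avc:  denied  { sys_resource } for  pid=1412 comm="master" capability=24  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=AVC msg=audit(1303812346.207:202): avc:  denied  { sys_resource } for  pid=1533 comm="sshd" capability=24  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1303812347.311:203): avc:  denied  { sys_resource } for  pid=1602 comm="crond" capability=24  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1303812348.412:204): avc:  denied  { read } for  pid=1701 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1303812349.513:205): avc:  denied  { dac_override } for  pid=1412 comm="master" capability=1  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
"""

# Pull the permission set, command, source context and class from an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?'
    r'tclass=(?P<tclass>\S+)'
)


def sys_resource_denials(log_text):
    """Map source domain -> set of commands denied capability sys_resource."""
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue  # not a denial, or a denial on another object class
        if "sys_resource" not in m.group("perms").split():
            continue  # a different capability, e.g. dac_override
        # scontext is user:role:type[:level]; the type field is the domain.
        fields = m.group("scontext").split(":")
        if len(fields) < 3:
            continue  # malformed context, skip rather than guess
        by_domain[fields[2]].add(m.group("comm"))
    return dict(by_domain)


def triage(log_text, threshold=3):
    """Return ("widespread" | "isolated", sorted domains).

    threshold is an assumed cut-off for "lots of domains", not a value
    from the bug report.
    """
    domains = sys_resource_denials(log_text)
    verdict = "widespread" if len(domains) >= threshold else "isolated"
    return verdict, sorted(domains)
```

An "isolated" result points back at the resource limits listed in Comment 3 for that one service (disk space, quotas, rlimits) before any policy change is considered.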

Comment 7 RHEL Program Management 2011-10-07 15:32:16 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 9 RHEL Program Management 2012-05-03 04:53:33 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 11 Linda Wang 2016-08-26 01:04:38 UTC
It seems that the reported issue has not happened again, 
therefore, close this issue off as worksforme.