| Summary: | AVC produced during VM start/stop in a cluster | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jaroslav Kortus <jkortus> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 5.7 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-13 11:51:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
sys_resource usually means you are running out of a system resource that a non priv user would not be allowed to add. /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ |
Description of problem: time->Fri Jun 17 10:51:56 2011 type=SYSCALL msg=audit(1308325916.570:854): arch=c000003e syscall=18 success=yes exit=8192 a0=b a1=2aaaaaab0200 a2=2000 a3=336e5fa00 items=0 ppid=1 pid=17394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c291,c554 key=(null) type=AVC msg=audit(1308325916.570:854): avc: denied { sys_resource } for pid=17394 comm="qemu-kvm" capability=24 scontext=system_u:system_r:svirt_t:s0:c291,c554 tcontext=system_u:system_r:svirt_t:s0:c291,c554 tclass=capability Version-Release number of selected component (if applicable): selinux-policy-2.4.6-312.el5 How reproducible: always Steps to Reproduce: 1. clusvcadm -R vm:virtmachine 2. 3. Actual results: AVC denial Expected results: no denial Additional info: the machine works even with this denial.