Bug 1812899 - AVCs "sys_resource" and "sys_admin" seen while executing various services
Summary: AVCs "sys_resource" and "sys_admin" seen while executing various services
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2020-03-12 13:19 UTC by Renaud Métrich
Modified: 2021-04-07 16:07 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-20 10:00:20 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4914651 0 None None None 2020-03-19 10:35:07 UTC

Description Renaud Métrich 2020-03-12 13:19:26 UTC
Description of problem:

A customer is encountering "sys_resource" and/or "sys_admin" AVCs when executing the following services: plymouthd, rhnsd and mandb

For mandb, executed through "systemctl start man-db-cache-update.service", this happens when mandb process creates pipes to communicate with child process doing the mandb generation:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
30124 08:41:57.069047 openat(AT_FDCWD, "/usr/share/man/man7/lvmreport.7.gz", O_RDONLY) = 5</usr/share/man/man7/lvmreport.7.gz> <0.000062>
30124 08:41:57.069197 pipe([6<pipe:[123644422]>, 7<pipe:[123644422]>]) = 0 <0.000101>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Tue Mar 10 08:41:57 2020
type=PROCTITLE msg=audit(1583826117.068:120523): proctitle=2F7573722F62696E2F6D616E6462002D71
type=SYSCALL msg=audit(1583826117.068:120523): arch=c000003e syscall=22 success=yes exit=0 a0=7ffc97533098 a1=561fcf5cecf0 a2=0 a3=0 items=0 ppid=30123 pid=30124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t:s0 key=(null)
type=AVC msg=audit(1583826117.068:120523): avc:  denied  { sys_admin } for  pid=30124 comm="mandb" capability=21  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583826117.068:120523): avc:  denied  { sys_resource } for  pid=30124 comm="mandb" capability=24  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Analysis of the system showed nothing special (no 3rd party module, etc).

Version-Release number of selected component (if applicable):


How reproducible:

Always on customer's site, never on my systems

Comment 1 Milos Malik 2020-03-12 17:27:42 UTC
SELinux denials which contain { sys_resource } usually appear on machines which have not enough memory or which are heavily CPU utilized. Is this true in the customer environment?

Comment 2 Milos Malik 2020-03-12 19:28:47 UTC
Seen multiple times in our test tiers today:
type=PROCTITLE msg=audit(03/11/2020 19:45:37.619:24109) : proctitle=nginx: master process /usr/sbin/nginx 
type=SYSCALL msg=audit(03/11/2020 19:45:37.619:24109) : arch=aarch64 syscall=sendmsg success=no exit=ETOOMANYREFS(Too many references: cannot splice) a0=0x3b a1=0xffffd078ca18 a2=0x0 a3=0xffff9e514000 items=0 ppid=1 pid=151751 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc:  denied  { sys_admin } for  pid=151751 comm=nginx capability=sys_admin  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc:  denied  { sys_resource } for  pid=151751 comm=nginx capability=sys_resource  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 

aarch64 machines seem to be slow in comparison to other architectures.

Comment 3 Milos Malik 2020-03-12 19:40:35 UTC
              This error can occur for sendmsg(2) when sending a file
              descriptor as ancillary data over a UNIX domain socket (see
              the description of SCM_RIGHTS, above).  It occurs if the
              number of "in-flight" file descriptors exceeds the
              RLIMIT_NOFILE resource limit and the caller does not have the
              CAP_SYS_RESOURCE capability.  An in-flight file descriptor is
              one that has been sent using sendmsg(2) but has not yet been
              accepted in the recipient process using recvmsg(2).

              This error is diagnosed since mainline Linux 4.5 (and in some
              earlier kernel versions where the fix has been backported).
              In earlier kernel versions, it was possible to place an
              unlimited number of file descriptors in flight, by sending
              each file descriptor with sendmsg(2) and then closing the file
              descriptor so that it was not accounted against the
              RLIMIT_NOFILE resource limit.

Does setting a higher limit of open files in customer environment help?

Comment 4 Renaud Métrich 2020-03-13 06:40:59 UTC
Thanks Milos,

Will check customer's environment but I doubt it's similar for reasons below:
- it affects pipe() and pipe() doesn't fail here
- it's 100% reproducible with man-db-cache-update.service
- there is no load at all on the system

Comment 6 Milos Malik 2020-03-13 10:21:43 UTC

Comment 7 Milos Malik 2020-03-13 10:22:53 UTC
Please ignore previous comment. Entered by mistake.

Comment 11 Zdenek Pytela 2020-04-20 10:00:20 UTC
Closing this BZ as NOTABUG: system is actually running out of resources as indicated.

See the attached knowledgebase article for more information.

Note You need to log in before you can comment on or make changes to this bug.