RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1812899 - AVCs "sys_resource" and "sys_admin" seen while executing various services
Summary: AVCs "sys_resource" and "sys_admin" seen while executing various services
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-12 13:19 UTC by Renaud Métrich
Modified: 2023-09-07 22:21 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-20 10:00:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4914651 0 None None None 2020-03-19 10:35:07 UTC

Description Renaud Métrich 2020-03-12 13:19:26 UTC 
Description of problem:

A customer is encountering "sys_resource" and/or "sys_admin" AVCs when executing the following services: plymouthd, rhnsd and mandb

For mandb, executed through "systemctl start man-db-cache-update.service", this happens when mandb process creates pipes to communicate with child process doing the mandb generation:

strace:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
30124 08:41:57.069047 openat(AT_FDCWD, "/usr/share/man/man7/lvmreport.7.gz", O_RDONLY) = 5</usr/share/man/man7/lvmreport.7.gz> <0.000062>
30124 08:41:57.069197 pipe([6<pipe:[123644422]>, 7<pipe:[123644422]>]) = 0 <0.000101>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVCs:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Tue Mar 10 08:41:57 2020
type=PROCTITLE msg=audit(1583826117.068:120523): proctitle=2F7573722F62696E2F6D616E6462002D71
type=SYSCALL msg=audit(1583826117.068:120523): arch=c000003e syscall=22 success=yes exit=0 a0=7ffc97533098 a1=561fcf5cecf0 a2=0 a3=0 items=0 ppid=30123 pid=30124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mandb" exe="/usr/bin/mandb" subj=system_u:system_r:mandb_t:s0 key=(null)
type=AVC msg=audit(1583826117.068:120523): avc:  denied  { sys_admin } for  pid=30124 comm="mandb" capability=21  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583826117.068:120523): avc:  denied  { sys_resource } for  pid=30124 comm="mandb" capability=24  scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:system_r:mandb_t:s0 tclass=capability permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Analysis of the system showed nothing special (no 3rd party module, etc).


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-20.el8.noarch


How reproducible:

Always on customer's site, never on my systems
Comment 1 Milos Malik 2020-03-12 17:27:42 UTC 
SELinux denials which contain { sys_resource } usually appear on machines which have not enough memory or which are heavily CPU utilized. Is this true in the customer environment?
Comment 2 Milos Malik 2020-03-12 19:28:47 UTC 
Seen multiple times in our test tiers today:
----
type=PROCTITLE msg=audit(03/11/2020 19:45:37.619:24109) : proctitle=nginx: master process /usr/sbin/nginx 
type=SYSCALL msg=audit(03/11/2020 19:45:37.619:24109) : arch=aarch64 syscall=sendmsg success=no exit=ETOOMANYREFS(Too many references: cannot splice) a0=0x3b a1=0xffffd078ca18 a2=0x0 a3=0xffff9e514000 items=0 ppid=1 pid=151751 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc:  denied  { sys_admin } for  pid=151751 comm=nginx capability=sys_admin  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(03/11/2020 19:45:37.619:24109) : avc:  denied  { sys_resource } for  pid=151751 comm=nginx capability=sys_resource  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0 
----

aarch64 machines seem to be slow in comparison to other architectures.
Comment 3 Milos Malik 2020-03-12 19:40:35 UTC 
       ETOOMANYREFS
              This error can occur for sendmsg(2) when sending a file
              descriptor as ancillary data over a UNIX domain socket (see
              the description of SCM_RIGHTS, above).  It occurs if the
              number of "in-flight" file descriptors exceeds the
              RLIMIT_NOFILE resource limit and the caller does not have the
              CAP_SYS_RESOURCE capability.  An in-flight file descriptor is
              one that has been sent using sendmsg(2) but has not yet been
              accepted in the recipient process using recvmsg(2).

              This error is diagnosed since mainline Linux 4.5 (and in some
              earlier kernel versions where the fix has been backported).
              In earlier kernel versions, it was possible to place an
              unlimited number of file descriptors in flight, by sending
              each file descriptor with sendmsg(2) and then closing the file
              descriptor so that it was not accounted against the
              RLIMIT_NOFILE resource limit.

Does setting a higher limit of open files in customer environment help?
Comment 4 Renaud Métrich 2020-03-13 06:40:59 UTC 
Thanks Milos,

Will check customer's environment but I doubt it's similar for reasons below:
- it affects pipe() and pipe() doesn't fail here
- it's 100% reproducible with man-db-cache-update.service
- there is no load at all on the system
Comment 6 Milos Malik 2020-03-13 10:21:43 UTC 
https://patchwork.kernel.org/patch/11433589/
Comment 7 Milos Malik 2020-03-13 10:22:53 UTC 
Please ignore previous comment. Entered by mistake.
Comment 11 Zdenek Pytela 2020-04-20 10:00:20 UTC 
Closing this BZ as NOTABUG: system is actually running out of resources as indicated.

See the attached knowledgebase article for more information.
Note You need to log in before you can comment on or make changes to this bug.