Bug 495835 - Summary: SELinux is preventing irqbalance (irqbalance_t) "sys_resource" irqbalance_t.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 495093 495829 495833 495836 495837 495839 495841
Depends On:
Blocks:
 
Reported: 2009-04-15 02:25 UTC by cdlyon255
Modified: 2009-04-16 12:59 UTC
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-16 12:59:25 UTC
Type: ---
Embargoed:



Description cdlyon255 2009-04-15 02:25:01 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Summary:

SELinux is preventing irqbalance (irqbalance_t) "sys_resource" irqbalance_t.

Detailed Description:

SELinux denied access requested by irqbalance. It is not expected that this
access is required by irqbalance and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:irqbalance_t:s0
Target Context                system_u:system_r:irqbalance_t:s0
Target Objects                None [ capability ]
Source                        irqbalance
Source Path                   <Unknown>
Port                          <Unknown>
Host                          christoper.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-54.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     christoper.localdomain
Platform                      Linux christoper.localdomain
                              2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23
                              23:37:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sat 04 Apr 2009 12:43:07 AM EDT
Last Seen                     Tue 14 Apr 2009 09:15:38 PM EDT
Local ID                      8be9640f-0447-4e3f-9542-037590259867
Line Numbers                  

Raw Audit Messages            

node=christoper.localdomain type=AVC msg=audit(1239758138.867:177): avc:  denied  { sys_resource } for  pid=1704 comm="irqbalance" capability=24 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability

Comment 1 Neil Horman 2009-04-15 10:38:40 UTC
I'm not sure what's changed here, but I'm fairly certain this is an selinux issue, given that irqbalance doesn't use capabilities.  Reassigning

Comment 2 Daniel Walsh 2009-04-15 12:23:22 UTC
What file system are you using?  I believe there was a bug in ext4 or btrfs which caused apps that are running as root to check the amount of space left on the disk causing this access check.

Comment 3 Eric Paris 2009-04-15 12:57:13 UTC
OK, so back to where all this started.   irqbalance.  What changed?  The two most likely reasons irqbalance would start asking for this permission are if it started trying to use setrlimit to change its limits, or if it tried to adjust its OOM priority using the oom_adjust_write proc interface.

Neil, are either of these the case?

Comment 4 Neil Horman 2009-04-15 13:28:02 UTC
Not that I can see.  We don't need to use setrlimit for anything, nor oom_adjust_write.  All irqbalance really does is read and write a bunch of proc and sysfs files to load balance interrupts in the system.  And the last update to irqbalance in F-10 was December of 2008, so if this problem is recent, it's not from a change to irqbalance (not that that means it's necessarily recent).  I suppose this could have been a problem since December.

Comment 5 Eric Paris 2009-04-15 13:36:24 UTC
do you have any other denials related to irqbalance?  I'm interested in the output of 

ausearch -m AVC -se irqbalance_t

Neil and I talked about what irqbalance is doing, and it shouldn't be hitting any of the code paths that require this permission....

Comment 6 Neil Horman 2009-04-15 13:51:16 UTC
just to put this out there (I don't know as much about selinux as I ought), but is it also possible (given the lack of reports from other systems on this), that irqbalance on this system has somehow been compromised and is trying to do something it otherwise wouldn't?

Comment 7 Miroslav Grepl 2009-04-16 08:44:56 UTC
(In reply to comment #5)
> do you have any other denials related to irqbalance?  I'm interested in the
> output of 
> 
> ausearch -m AVC -se irqbalance_t
> 
> Neil and I talked about what irqbalance is doing, and it shouldn't be hitting
> any of the code paths that require this permission....  

Eric, 

there is another bug for irqbalance:

https://bugzilla.redhat.com/show_bug.cgi?id=495836


node=christoper.localdomain type=AVC msg=audit(1239758138.867:178): avc:  denied  { sys_rawio } for  pid=1704 comm="irqbalance" capability=17 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability

Comment 8 Eric Paris 2009-04-16 12:42:17 UTC
*** Bug 495837 has been marked as a duplicate of this bug. ***

Comment 9 Eric Paris 2009-04-16 12:42:47 UTC
*** Bug 495836 has been marked as a duplicate of this bug. ***

Comment 10 Eric Paris 2009-04-16 12:43:26 UTC
*** Bug 495839 has been marked as a duplicate of this bug. ***

Comment 11 Eric Paris 2009-04-16 12:44:03 UTC
*** Bug 495841 has been marked as a duplicate of this bug. ***

Comment 12 Eric Paris 2009-04-16 12:45:39 UTC
*** Bug 495833 has been marked as a duplicate of this bug. ***

Comment 13 Eric Paris 2009-04-16 12:45:49 UTC
*** Bug 495829 has been marked as a duplicate of this bug. ***

Comment 14 Eric Paris 2009-04-16 12:46:04 UTC
*** Bug 495093 has been marked as a duplicate of this bug. ***

Comment 15 Eric Paris 2009-04-16 12:59:25 UTC
It looks like your machine went out of memory and that was the cause of these widespread selinux denials.  The kernel OOM killer decides what to kill when you run out of memory based in part on the capabilities of the running processes.  In later kernels (2.6.28 or 2.6.29) I silenced these messages.  Updating the kernel should prevent them from being seen again, as would not running your machine out of memory.  Sorry for the noise.

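The diagnosis in comment 15, together with the `ausearch` check Eric asks for in comment 5, can be turned into a small triage script. What follows is an added example written for this page; it is not code from the bug report, from irqbalance, or from selinux-policy. It parses raw AVC records of the form quoted above (the output of `ausearch -m AVC --raw` has the same shape), keeps only self-targeted `capability` denials (`scontext == tcontext`, `tclass=capability`), and flags any cluster in which one pid is refused both `sys_resource` and `sys_rawio` within the same instant. That pair, with consecutive audit serials, is exactly what the two records in this bug show, and it is what the 2.6.27 OOM killer's badness() produces when it probes each candidate task for CAP_SYS_RESOURCE and CAP_SYS_RAWIO while choosing a victim; irqbalance itself, as Neil says, has no reason to ask for either. The irqbalance records are the two quoted in the bug; the crond and httpd lines, the script name and all function names are constructed for the example.

```python
"""Triage SELinux AVC capability denials for the OOM-killer signature
described in this bug (added example, not part of the bug report)."""
import re
import sys
from collections import defaultdict

# The pair of capabilities the 2.6.27 OOM killer's badness() probes on every
# candidate task (CAP_SYS_RESOURCE = 24, CAP_SYS_RAWIO = 17 in
# linux/capability.h); the numbers match the capability= fields in the bug.
OOM_PROBE_PAIR = frozenset({"sys_resource", "sys_rawio"})

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: the two records quoted in this bug (serials 177/178,
# same millisecond, same pid) plus constructed lines for a second daemon
# caught by the same scan and one lone denial the heuristic must leave alone.
SAMPLE = """\
node=christoper.localdomain type=AVC msg=audit(1239758138.867:177): avc:  denied  { sys_resource } for  pid=1704 comm="irqbalance" capability=24 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
node=christoper.localdomain type=AVC msg=audit(1239758138.867:178): avc:  denied  { sys_rawio } for  pid=1704 comm="irqbalance" capability=17 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
node=christoper.localdomain type=AVC msg=audit(1239758138.868:179): avc:  denied  { sys_resource } for  pid=1802 comm="crond" capability=24 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=capability
node=christoper.localdomain type=AVC msg=audit(1239758138.868:180): avc:  denied  { sys_rawio } for  pid=1802 comm="crond" capability=17 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=capability
node=christoper.localdomain type=AVC msg=audit(1239760000.101:201): avc:  denied  { sys_resource } for  pid=2101 comm="httpd" capability=24 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
"""


def parse_avc(line):
    """Parse one raw AVC record; return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    rec["pid"] = int(rec.get("pid", -1))
    return rec


def is_self_capability_denial(rec):
    """Capability checks are always self-targeted: scontext == tcontext."""
    return (rec["result"] == "denied"
            and rec.get("tclass") == "capability"
            and rec.get("scontext") == rec.get("tcontext"))


def find_oom_scan_bursts(lines, window=1.0):
    """Cluster self capability denials that arrive less than `window` seconds
    apart and report each cluster in which some pid was refused both
    sys_resource and sys_rawio: the footprint of the OOM killer walking the
    task list, not of a request the daemon made itself."""
    recs = [r for r in map(parse_avc, lines) if r and is_self_capability_denial(r)]
    recs.sort(key=lambda r: (r["ts"], r["serial"]))
    clusters, cur = [], []
    for r in recs:
        if cur and r["ts"] - cur[-1]["ts"] > window:
            clusters.append(cur)
            cur = []
        cur.append(r)
    if cur:
        clusters.append(cur)

    findings = []
    for c in clusters:
        perms_by_pid, comm_by_pid = defaultdict(set), {}
        for r in c:
            perms_by_pid[r["pid"]] |= r["perms"]
            comm_by_pid[r["pid"]] = r.get("comm", "?")
        probed = {comm_by_pid[pid]: sorted(p) for pid, p in perms_by_pid.items()
                  if OOM_PROBE_PAIR <= p}
        if probed:
            findings.append({"start": c[0]["ts"], "records": len(c), "processes": probed})
    return findings


if __name__ == "__main__":
    # Real data:  ausearch -m AVC --raw | python3 avc_oom_triage.py
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    findings = find_oom_scan_bursts(src)
    for f in findings:
        print("possible OOM-killer scan at audit time %.3f (%d records):" % (f["start"], f["records"]))
        for comm, perms in f["processes"].items():
            print("  %-12s probed for %s" % (comm, ", ".join(perms)))
    if not findings:
        print("no OOM-scan signature; judge the remaining denials on their own")
```

On the sample the script reports one cluster at audit time 1239758138.867 containing irqbalance and crond, and says nothing about the lone httpd denial, which deserves the ordinary investigation a capability denial gets. The practical point for anyone hitting this on a 2.6.27 kernel is the one in comment 15: the fix is a newer kernel (later kernels perform this probe with a non-auditing capability check) or not exhausting memory, not a local policy module that grants `sys_rawio` and `sys_resource` to `irqbalance_t`, which would widen the daemon's privileges to silence a message the daemon never caused.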
