Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:

Summary:
SELinux is preventing irqbalance (irqbalance_t) "sys_resource" irqbalance_t.

Detailed Description:
SELinux denied access requested by irqbalance. It is not expected that this access is required by irqbalance and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:irqbalance_t:s0
Target Context                system_u:system_r:irqbalance_t:s0
Target Objects                None [ capability ]
Source                        irqbalance
Source Path                   <Unknown>
Port                          <Unknown>
Host                          christoper.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-54.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     christoper.localdomain
Platform                      Linux christoper.localdomain 2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23 23:37:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sat 04 Apr 2009 12:43:07 AM EDT
Last Seen                     Tue 14 Apr 2009 09:15:38 PM EDT
Local ID                      8be9640f-0447-4e3f-9542-037590259867
Line Numbers

Raw Audit Messages
node=christoper.localdomain type=AVC msg=audit(1239758138.867:177): avc: denied { sys_resource } for pid=1704 comm="irqbalance" capability=24 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
I'm not sure what's changed here, but I'm fairly certain this is an SELinux issue, given that irqbalance doesn't use capabilities. Reassigning.
What file system are you using? I believe there was a bug in ext4 or btrfs which caused apps that are running as root to check the amount of space left on the disk, causing this access check.
OK, so back to where all this started: irqbalance. What changed? The two most likely reasons irqbalance would start asking for this permission are if it started trying to use setrlimit to change its limits, or if it tried to adjust its OOM priority using the oom_adjust_write proc interface. Neil, are either of these the case?
Not that I can see. We don't need to use setrlimit for anything, nor oom_adjust_write. All irqbalance really does is read and write a bunch of proc and sysfs files to load balance interrupts in the system. And the last update to irqbalance in F-10 was December of 2008, so if this problem is recent, it's not from a change to irqbalance (not that that means it's necessarily recent); I suppose this could have been a problem since Dec.
Do you have any other denials related to irqbalance? I'm interested in the output of

ausearch -m AVC -se irqbalance_t

Neil and I talked about what irqbalance is doing, and it shouldn't be hitting any of the code paths that require this permission....
Just to put this out there (I don't know as much about SELinux as I ought), but is it also possible (given the lack of reports from other systems on this) that irqbalance on this system has somehow been compromised and is trying to do something it otherwise wouldn't?
(In reply to comment #5)
> do you have any other denials related to irqbalance? I'm interested in the
> output of
>
> ausearch -m AVC -se irqbalance_t
>
> Neil and I talked about what irqbalance is doing, and it shouldn't be hitting
> any of the code paths that require this permission....

Eric, there is another bug for irqbalance: https://bugzilla.redhat.com/show_bug.cgi?id=495836

node=christoper.localdomain type=AVC msg=audit(1239758138.867:178): avc: denied { sys_rawio } for pid=1704 comm="irqbalance" capability=17 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability
*** Bug 495837 has been marked as a duplicate of this bug. ***
*** Bug 495836 has been marked as a duplicate of this bug. ***
*** Bug 495839 has been marked as a duplicate of this bug. ***
*** Bug 495841 has been marked as a duplicate of this bug. ***
*** Bug 495833 has been marked as a duplicate of this bug. ***
*** Bug 495829 has been marked as a duplicate of this bug. ***
*** Bug 495093 has been marked as a duplicate of this bug. ***
It looks like your machine ran out of memory, and that was the cause of these widespread SELinux denials. The kernel OOM killer decides what to kill when you run out of memory based in part on the capabilities of the running processes. In later kernels (2.6.28 or 2.6.29) I silenced these messages. Updating the kernel should prevent them from being seen again, as would not running your machine out of memory. Sorry for the noise.
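The two raw audit messages in this report, parsed and grouped the way the closing comment explains them, as an added example that is not part of the bug, of irqbalance or of setroubleshoot. The first two sample lines are the report's own; the crond_t and proc_t lines are constructed, and the "likely OOM scan" flag is a triage heuristic assumed here (several domains denied only sys_resource/sys_rawio with no target object in the same second), not something ausearch or setroubleshoot computes.

```python
import re
from collections import defaultdict

# Capability numbers from linux/capability.h; 17 and 24 are the two in this report.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 5: "kill",
             6: "setgid", 7: "setuid", 12: "net_admin", 13: "net_raw",
             17: "sys_rawio", 19: "sys_ptrace", 21: "sys_admin",
             23: "sys_nice", 24: "sys_resource", 27: "mknod"}

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\).*?avc:\s+denied\s+'
    r'\{\s*(?P<perm>\w+)\s*\}.*?pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+capability=(?P<cap>\d+))?.*?scontext=(?P<scon>\S+)\s+'
    r'tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

# First two lines are the report's audit messages; the last two are constructed
# here to show the per-second grouping and the object-access filter.
SAMPLE_LINES = [
    'node=christoper.localdomain type=AVC msg=audit(1239758138.867:177): avc: denied { sys_resource } for pid=1704 comm="irqbalance" capability=24 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability',
    'node=christoper.localdomain type=AVC msg=audit(1239758138.867:178): avc: denied { sys_rawio } for pid=1704 comm="irqbalance" capability=17 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=capability',
    'type=AVC msg=audit(1239758138.867:179): avc: denied { sys_resource } for pid=1650 comm="crond" capability=24 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=capability',
    'type=AVC msg=audit(1239758140.101:180): avc: denied { write } for pid=1704 comm="irqbalance" name="smp_affinity" scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["cap"] = int(rec["cap"]) if rec["cap"] else None
    rec["cap_name"] = CAP_NAMES.get(rec["cap"], "unknown") if rec["cap"] is not None else None
    return rec

def triage(lines):
    """Group capability self-checks (tclass=capability, scontext == tcontext, so a
    capable() call in the process context rather than access to a labelled object)
    by audit second and flag the pattern the closing comment attributes to the OOM killer."""
    recs = [r for r in map(parse_avc, lines) if r]
    by_ts = defaultdict(list)
    for r in recs:
        if r["tclass"] == "capability" and r["scon"] == r["tcon"]:
            by_ts[r["ts"]].append(r)
    result = {}
    for ts, rs in sorted(by_ts.items()):
        comms = sorted({r["comm"] for r in rs})
        caps = sorted({r["cap_name"] for r in rs})
        oom_like = len(comms) > 1 and set(caps) <= {"sys_resource", "sys_rawio"}
        result[ts] = {"comms": comms, "caps": caps, "likely_oom_scan": oom_like}
    return result
```

Feed it the output of the ausearch command quoted above (one AVC record per line) via triage(); with only the two irqbalance lines the flag stays False, because a single domain asking for these capabilities is exactly the case the thread had to investigate by hand.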