Bug 600391 - [RHEL6] Selinux AVC Denied messages
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Platform: All Linux
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
URL: http://rhts.redhat.com/cgi-bin/rhts/t...
Keywords: Reopened
Reported: 2010-06-04 11:44 EDT by Jeff Burke
Modified: 2012-10-15 11:18 EDT
Fixed In Version: selinux-policy-3.7.19-24.el6
Doc Type: Bug Fix
Last Closed: 2010-07-13 16:56:35 EDT
Description Jeff Burke 2010-06-04 11:44:53 EDT
Description of problem:
While running kernel testing we received AVC Denied messages from a background task.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-21.el6 

How reproducible:
Frequently

Actual results:
Following messages were found in dmesg:
type=1400 audit(1275600473.315:167630): avc:  denied  { signal } for  pid=16651 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1275600473.315:167631): avc:  denied  { signal } for  pid=16651 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=process

Expected results:
Should not receive AVC messages under normal operation

Additional info:
Comment 2 Daniel Walsh 2010-06-04 17:14:28 EDT
Miroslav, please add this access and update policy to match F13.
Comment 3 RHEL Product and Program Management 2010-06-07 13:03:55 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 4 Miroslav Grepl 2010-06-10 02:37:00 EDT
Fixed in selinux-policy-3.7.19-24.el6.noarch
Comment 8 releng-rhel@redhat.com 2010-07-02 15:51:38 EDT
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
Comment 9 Jeff Burke 2010-07-12 10:45:21 EDT
With selinux-policy-targeted-3.7.19-24.el6.noarch the issue was still seen:

/bin/grep avc: /tmp/dmesg.log | /bin/grep --invert-match granted
Following messages were found in dmesg:

type=1400 audit(1278942725.447:288344): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.472:288345): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.509:288346): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.534:288347): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.577:288348): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.603:288349): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.638:288350): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.663:288351): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.704:288352): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.729:288353): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.482:288354): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.508:288355): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.537:288356): avc:  denied  { sys_admin } for  pid=21017 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.562:288357): avc:  denied  { sys_resource } for  pid=21017 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.591:288358): avc:  denied  { sys_admin } for  pid=21018 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.617:288359): avc:  denied  { sys_resource } for  pid=21018 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.644:288360): avc:  denied  { sys_admin } for  pid=21018 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.657:288361): avc:  denied  { sys_admin } for  pid=21019 comm="ldd" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.657:288362): avc:  denied  { sys_resource } for  pid=21019 comm="ldd" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.661:288363): avc:  denied  { sys_admin } for  pid=21019 comm="ldd" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
Comment 11 Daniel Walsh 2010-07-12 11:43:11 EDT
sys_resource/sys_admin usually means you are running out of space.
Comment 12 Jeff Burke 2010-07-12 12:04:58 EDT
At the time the test was running we had the following:

/dev/mapper/vg_intels3e3601-lv_root
                       50G  3.1G   44G   7% /
tmpfs                  32G     0   32G   0% /dev/shm
/dev/sda1             485M   65M  395M  15% /boot
/dev/mapper/vg_intels3e3601-lv_home
                      155G  188M  147G   1% /home
Comment 13 Daniel Walsh 2010-07-12 17:20:00 EDT
Well something filled the disk, or something strange happened.
Comment 14 Eric Paris 2010-07-12 21:52:38 EDT
        /* kernel/fork.c, copy_process(): refuse the fork once this user already
         * owns RLIMIT_NPROC processes, unless the caller holds CAP_SYS_ADMIN or
         * CAP_SYS_RESOURCE (each capable() call is checked, and audited, by the
         * SELinux capability hook) or the user is INIT_USER. */
        if (atomic_read(&p->real_cred->user->processes) >=
                        p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
                if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
                    p->real_cred->user != INIT_USER)
                        goto bad_fork_free;
        }


I'm betting you exceeded the maximum number of processes according to your system limits.
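As an added example (not part of this bug report or of selinux-policy): a Python triage helper that parses AVC records in the format shown in comment 9 and counts, per process, the back-to-back sys_admin/sys_resource capability denials that the fork.c check quoted in comment 14 produces when a user is at its RLIMIT_NPROC ceiling. The record format and the sample records are taken from this report; the single non-audit dmesg line in the sample is constructed.

```python
import re
from collections import defaultdict
# Field layout of a type=1400 AVC record as the RHEL 6 kernel prints it to dmesg.
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?:\s+capability=(?P<cap>\d+))?\s+scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+)'
    r' tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()  # "{ sys_admin }" -> ["sys_admin"]
    rec["serial"] = int(rec["serial"])
    return rec

def diagnose(lines):
    """Per (pid, comm), count sys_admin -> sys_resource capability denials in audit
    order: the two capable() probes copy_process() makes when the caller is at its
    RLIMIT_NPROC ceiling. A sys_admin denial with no partner is reported as unpaired."""
    by_proc = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["verdict"] == "denied" and rec["tclass"] == "capability":
            by_proc[(rec["pid"], rec["comm"])].append(rec)
    report = {"nproc_probe": {}, "unpaired_sys_admin": {}}
    for proc, recs in by_proc.items():
        perms = [p for r in sorted(recs, key=lambda r: r["serial"]) for p in r["perms"]]
        pairs = sum(1 for a, b in zip(perms, perms[1:])
                    if (a, b) == ("sys_admin", "sys_resource"))
        if pairs:
            report["nproc_probe"][proc] = pairs
        if perms.count("sys_admin") > pairs:
            report["unpaired_sys_admin"][proc] = perms.count("sys_admin") - pairs
    return report

# Sample input: records copied from this bug's description and comment 9, plus one constructed non-audit line.
SAMPLE_DMESG = """\
[  123.456789] constructed: not an audit record
type=1400 audit(1275600473.315:167630): avc:  denied  { signal } for  pid=16651 comm="telinit" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1278942725.447:288344): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.472:288345): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.509:288346): avc:  denied  { sys_admin } for  pid=18066 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942725.534:288347): avc:  denied  { sys_resource } for  pid=18066 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.591:288358): avc:  denied  { sys_admin } for  pid=21018 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.617:288359): avc:  denied  { sys_resource } for  pid=21018 comm="prelink" capability=24  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1278942801.644:288360): avc:  denied  { sys_admin } for  pid=21018 comm="prelink" capability=21  scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tclass=capability
"""
```

Run `diagnose(SAMPLE_DMESG.splitlines())` to get the per-process counts; the lone sys_admin for pid 21018 lands in `unpaired_sys_admin`, the same shape as the tail of comment 9's log.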
