This service will be undergoing maintenance at 03:30 UTC, 2016-05-27. It is expected to last about 2 hours
Bug 714215 - AVC produced during VM start/stop in a cluster
AVC produced during VM start/stop in a cluster
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-17 11:58 EDT by Jaroslav Kortus
Modified: 2012-06-13 07:51 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-13 07:51:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jaroslav Kortus 2011-06-17 11:58:26 EDT
Description of problem:
time->Fri Jun 17 10:51:56 2011
type=SYSCALL msg=audit(1308325916.570:854): arch=c000003e syscall=18 success=yes exit=8192 a0=b a1=2aaaaaab0200 a2=2000 a3=336e5fa00 items=0 ppid=1 pid=17394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c291,c554 key=(null)
type=AVC msg=audit(1308325916.570:854): avc:  denied  { sys_resource } for  pid=17394 comm="qemu-kvm" capability=24 scontext=system_u:system_r:svirt_t:s0:c291,c554 tcontext=system_u:system_r:svirt_t:s0:c291,c554 tclass=capability


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-312.el5

How reproducible:
always

Steps to Reproduce:
1. clusvcadm -R vm:virtmachine
2.
3.
  
Actual results:
AVC denial

Expected results:
no denial

Additional info:
the machine works even with this denial.
Comment 1 Daniel Walsh 2011-06-17 13:36:04 EDT
sys_resource usually means you are running out of a system resource that a non priv user would not be allowed to add.
Comment 2 Daniel Walsh 2011-06-17 13:36:38 EDT
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Note You need to log in before you can comment on or make changes to this bug.