Bug 734086 - Cannot allocate memory
Summary: Cannot allocate memory
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libselinux
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-29 12:27 UTC by Andreas Schwab
Modified: 2013-10-08 20:45 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-08 20:45:12 UTC


Attachments (Terms of Use)

Description Andreas Schwab 2011-08-29 12:27:19 UTC
Updating   : selinux-policy-targeted-3.10.0-21.fc17.noarch             55/168 
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.26:  Cannot allocate memory
load_policy:  Can't load policy:  Cannot allocate memory

Comment 1 Daniel Walsh 2011-08-29 16:18:12 UTC
Was this a low memory system?

Comment 2 Andreas Schwab 2011-08-30 07:08:07 UTC
What is a low memory system?

Comment 3 Daniel Walsh 2011-08-30 09:28:36 UTC
512 MB or less

Comment 4 Andreas Schwab 2011-08-31 09:37:35 UTC
512 mb should be plenty for a VM.

Comment 5 Daniel Walsh 2011-08-31 14:32:36 UTC
Was this during an install or an update?

Comment 6 Andreas Schwab 2011-09-01 07:14:49 UTC
Update.

Comment 7 Daniel Walsh 2011-09-01 14:39:41 UTC
I have no idea.


Does yum reinstall selinux-policy-targeted

Reproduce the error?

Comment 8 Andreas Schwab 2011-09-08 08:50:23 UTC
768mb appears to be enough for now.

Comment 10 Fedora End Of Life 2013-04-03 16:16:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 11 jan.jeseter 2013-07-07 20:32:51 UTC
Hello,
I have the same problem in F19:
# setsebool -P httpd_read_user_content 1
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.29: Cannot allocate memory
/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.29: Cannot allocate memory
/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
Could not change policy booleans 

What can I do with them?

uname -a
Linux ... 3.9.9-301.fc19.i686.PAE #1 SMP Thu Jul 4 15:25:09 UTC 2013 i686 i686 i386 GNU/Linux

# LC_ALL=C yum reinstall selinux-policy-targeted
Loaded plugins: langpacks, refresh-packagekit
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.12.1-59.fc19 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================================
 Package                                       Arch                         Version                               Repository                     Size
======================================================================================================================================================
Reinstalling:
 selinux-policy-targeted                       noarch                       3.12.1-59.fc19                        updates                       4.0 M

Transaction Summary
======================================================================================================================================================
Reinstall  1 Package

Total download size: 4.0 M
Installed size: 18 M
Is this ok [y/d/N]: y
Downloading packages:
selinux-policy-targeted-3.12.1-59.fc19.noarch.rpm                                                                              | 4.0 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : selinux-policy-targeted-3.12.1-59.fc19.noarch                                                                                      1/1 
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.29:  Cannot allocate memory
load_policy:  Can't load policy:  Cannot allocate memory
  Verifying  : selinux-policy-targeted-3.12.1-59.fc19.noarch                                                                                      1/1 

Installed:
  selinux-policy-targeted.noarch 0:3.12.1-59.fc19                                                                                                     

Complete!
#

Than you for your information
JJ

Comment 12 Daniel Walsh 2013-07-08 19:02:28 UTC
How much memory does your machine have?

Comment 13 jan.jeseter 2013-07-09 14:58:26 UTC
$ free
             total       used       free     shared    buffers     cached
Mem:       4133340    1254584    2878756          0      71972     598536
-/+ buffers/cache:     584076    3549264
Swap:      5713916          0    5713916

Comment 14 jan.jeseter 2013-07-14 16:30:13 UTC
# uname -a
Linux ... 3.9.9-302.fc19.i686.PAE #1 SMP Sat Jul 6 13:52:23 UTC 2013 i686 i686 i386 GNU/Linux

# setsebool -P httpd_read_user_content 1
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.29:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux:  Could not load policy file /etc/selinux/targeted/policy/policy.29:  Cannot allocate memory
/sbin/load_policy:  Can't load policy:  Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
Could not change policy booleans

Comment 15 Daniel Walsh 2013-07-15 21:27:41 UTC
Anything in dmesg?

Comment 16 Stephen Smalley 2013-07-16 12:49:42 UTC
$ ls -sh /etc/selinux/targeted/policy/policy.29
6.3M /etc/selinux/targeted/policy/policy.29

That's just too big.  You need to stop shipping all policy modules and/or tailor what modules get installed to what software is installed on the system so that policy size tracks install size.  rpm does have better support for policy these days...

Comment 17 Daniel Walsh 2013-07-16 17:30:30 UTC
That is weird, I get

 ls -sh /etc/selinux/targeted/policy/policy.29 
3.2M /etc/selinux/targeted/policy/policy.29

 seinfo 

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       253
   Sensitivities:       1    Categories:       1024
   Types:            4176    Attributes:        346
   Users:               9    Roles:              15
   Booleans:          257    Cond. Expr.:       308
   Allow:           84352    Neverallow:          0
   Auditallow:         12    Dontaudit:        7468
   Type_trans:      13513    Type_change:        80
   Type_member:        35    Role allow:         34
   Role_trans:        708    Range_trans:      4690
   Constraints:        97    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             25
   Genfscon:           91    Portcon:           510
   Netifcon:            0    Nodecon:             0
   Permissives:         4    Polcap:              2

Comment 18 Daniel Walsh 2013-07-16 17:31:34 UTC
Of course I am on F20.

Comment 19 Stephen Smalley 2013-07-16 17:35:22 UTC
I am on F19.

$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.12.1-63.fc19.noarch
$ ls -sh /etc/selinux/targeted/policy/policy.29 
6.3M /etc/selinux/targeted/policy/policy.29

Comment 20 Daniel Walsh 2013-07-16 17:40:10 UTC
Might be sandbox policy that is installed but not disabled.

# semodule -d sandbox

# semodule -l | grep sandbox
sandbox	1.0.0	Disabled
sandboxX	1.0.0	

This should be fixed in the latest update of policy.

Comment 21 jan.jeseter 2013-07-16 18:44:57 UTC
Yes, in dmesg I found problem:

out of vmalloc space - use vmalloc=<size> to increase size ...

Then I added vmalloc=256M (default is 128m) to the end kernel cmd line ...
( vi /etc/default/grub ; grub2-mkconfig -o /boot/grub2/grub.cfg )

reboot

and the command:
# setsebool -P httpd_read_user_content 1
is not problem now ...

Thanks for your inspiration ... 

cat /proc/meminfo
MemTotal:        4133340 kB
MemFree:         2873828 kB
Buffers:           75064 kB
Cached:           534480 kB
SwapCached:            0 kB
Active:           617476 kB
Inactive:         504876 kB
Active(anon):     513780 kB
Inactive(anon):    20968 kB
Active(file):     103696 kB
Inactive(file):   483908 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:       3425160 kB
HighFree:        2348220 kB
LowTotal:         708180 kB
LowFree:          525608 kB
SwapTotal:       5713916 kB
SwapFree:        5713916 kB
Dirty:                68 kB
Writeback:             0 kB
AnonPages:        512840 kB
Mapped:           176428 kB
Shmem:             21956 kB
Slab:              65332 kB
SReclaimable:      34228 kB
SUnreclaim:        31104 kB
KernelStack:        2880 kB
PageTables:        12956 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     7780584 kB
Committed_AS:    3112400 kB
VmallocTotal:     262144 kB
VmallocUsed:      112896 kB
VmallocChunk:     127728 kB
HardwareCorrupted:     0 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
DirectMap4k:       10232 kB
DirectMap2M:      757760 kB

Comment 22 Miroslav Grepl 2013-07-17 09:09:19 UTC
(In reply to Daniel Walsh from comment #20)
> Might be sandbox policy that is installed but not disabled.
> 
> # semodule -d sandbox
> 
> # semodule -l | grep sandbox
> sandbox	1.0.0	Disabled
> sandboxX	1.0.0	
> 
> This should be fixed in the latest update of policy.

I am trying to figure out what is wrong. I have on my F19


# semodule -l | grep sandbox
sandbox	1.0.0	Disabled
sandboxX	1.0.0	

# ls -sh /etc/selinux/targeted/policy/policy.29 
6.3M /etc/selinux/targeted/policy/policy.29

# seinfo
Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       253
   Sensitivities:       1    Categories:       1024
   Types:            4155    Attributes:        345
   Users:               8    Roles:              14
   Booleans:          254    Cond. Expr.:       303
   Allow:           85979    Neverallow:          0
   Auditallow:        132    Dontaudit:        7225
   Type_trans:      14626    Type_change:        74
   Type_member:        33    Role allow:         33
   Role_trans:        703    Range_trans:      4664
   Constraints:        97    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             25
   Genfscon:           91    Portcon:           514
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2

Comment 23 Daniel Walsh 2013-07-17 18:06:23 UTC
Eric any ideas why these are different?

Comment 24 Daniel Walsh 2013-07-17 18:14:27 UTC
semodule -d unconfined

The explosion in size is caused by the file name transition rules.

We need to get these to work with attributes.

Comment 25 Daniel Walsh 2013-07-17 18:17:13 UTC
# semodule -d unconfined
 sesearch -T | wc
  53479  360698 4053309
# semodule -e unconfined
# sesearch -T | wc
 173079 1196592 13388904

Comment 26 Stephen Smalley 2013-07-17 18:48:07 UTC
Why so many file name transition rules?  Only should be required for a security-unaware application that creates two or more files in the same directory that should have different security contexts.  If security-aware, it can specify the security context via setfscreatecon() itself.  If files should have same security context, no need for name-based rules.  If different directories, can use regular transition rules.

Also, someone recently pointed out that filename trans rules aren't supported in optional blocks.  Don't know if that matters.

We don't support attributes for any transition rules presently, not just filename ones.

Comment 27 Miroslav Grepl 2013-07-18 07:14:51 UTC
(In reply to Daniel Walsh from comment #25)
> # semodule -d unconfined
>  sesearch -T | wc
>   53479  360698 4053309
> # semodule -e unconfined
> # sesearch -T | wc
>  173079 1196592 13388904

Yes, you are right. I see the same.

Comment 28 Daniel Walsh 2013-07-18 17:46:46 UTC
We have unconfined domains creating any content causes a transition.  Most of the rules are around /dev, /etc and ~/

This is why we see a huge drop in size when we disable unconfined.pp.

Comment 29 Josh Boyer 2013-09-18 20:22:41 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.11.1-200.fc19.  Please test this kernel update and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

Comment 30 Josh Boyer 2013-10-08 17:49:12 UTC
Any update on what is going on here?

Comment 31 Eric Paris 2013-10-08 20:45:12 UTC
I'm going to go ahead an close this bug.  This is not a kernel bug and hopefully the work Dan did to shrink policy has addressed the issue.


Note You need to log in before you can comment on or make changes to this bug.