Bug 768362 - auditd gets flooded by selinux from qemu-kvm
Summary: auditd gets flooded by selinux from qemu-kvm
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-16 13:05 UTC by lejeczek
Modified: 2012-04-17 11:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-17 11:03:28 UTC
Target Upstream Version:


Attachments
avc (17.84 MB, application/octet-stream)
2011-12-16 13:05 UTC, lejeczek
syscall (894.64 KB, application/octet-stream)
2011-12-16 13:06 UTC, lejeczek

Description lejeczek 2011-12-16 13:05:22 UTC
Created attachment 547791
avc

Description of problem:
We run Win7 and XP as guests, roughly 15 guests in total, on a fairly fast R815 server.

I haven't had a chance to reboot the system to see if it helps. I know this strange problem occurred suddenly, yesterday at the earliest; before that, all had been fine.

How to troubleshoot it? Help greatly appreciated.

Setting SELinux permissive helps.

The flood:

Dec 16 12:24:36 whale kernel: __ratelimit: 3447823 callbacks suppressed
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:38 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:39 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:40 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:41 whale kernel: __ratelimit: 3252244 callbacks suppressed
Dec 16 12:24:41 whale kernel: audit: audit_lost=-1989859686 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:41 whale kernel: audit: backlog limit exceeded


Version-Release number of selected component (if applicable):
2.6.32-131.17.1.el6.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 lejeczek 2011-12-16 13:06:39 UTC
Created attachment 547792
syscall

Comment 3 lejeczek 2011-12-16 16:16:02 UTC
Why not a bug?
Thanks in advance.

Comment 4 lejeczek 2011-12-19 13:19:24 UTC
How to troubleshoot this problem? Find a cause?
Reboot helped.

Comment 5 Miroslav Grepl 2012-04-17 11:03:28 UTC
If I understand correctly, it is ok now?
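
An added example, not part of the original report and not Red Hat tooling: a small Python summarizer for the kernel audit messages quoted in the description. It totals suppressed printk callbacks, counts backlog overruns and log rotations, and reads the negative audit_lost value as a wrapped 32-bit counter (an assumption); the name `summarize` and its output keys are illustrative.

```python
import re

# Excerpt of the syslog lines quoted in the bug description above.
SAMPLE = """\
Dec 16 12:24:36 whale kernel: __ratelimit: 3447823 callbacks suppressed
Dec 16 12:24:36 whale kernel: audit: audit_backlog=8208 > audit_backlog_limit=8192
Dec 16 12:24:36 whale kernel: audit: audit_lost=-1990943771 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:36 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:38 whale auditd[24963]: Audit daemon rotating log files
Dec 16 12:24:41 whale kernel: __ratelimit: 3252244 callbacks suppressed
Dec 16 12:24:41 whale kernel: audit: audit_lost=-1989859686 audit_rate_limit=0 audit_backlog_limit=8192
Dec 16 12:24:41 whale kernel: audit: backlog limit exceeded
"""

SUPPRESSED = re.compile(r"__ratelimit: (\d+) callbacks suppressed")
BACKLOG = re.compile(r"audit_backlog=(\d+) > audit_backlog_limit=(\d+)")
LOST = re.compile(r"audit_lost=(-?\d+) audit_rate_limit=(\d+)")
ROTATE = "Audit daemon rotating log files"
MASK32 = 0xFFFFFFFF  # assumption: audit_lost is a 32-bit counter printed as signed


def summarize(text):
    """Condense an audit backlog flood into a few numbers worth alerting on."""
    s = {"suppressed": 0, "over_limit": 0, "max_backlog": 0,
         "rotations": 0, "lost": [], "rate_limit": None}
    for line in text.splitlines():
        if m := SUPPRESSED.search(line):
            s["suppressed"] += int(m.group(1))      # kernel messages not printed
        elif m := BACKLOG.search(line):
            s["over_limit"] += 1                    # queue above backlog limit
            s["max_backlog"] = max(s["max_backlog"], int(m.group(1)))
        elif m := LOST.search(line):
            s["lost"].append(int(m.group(1)) & MASK32)  # undo signed wraparound
            s["rate_limit"] = int(m.group(2))
        elif ROTATE in line:
            s["rotations"] += 1                     # auditd log rotation events
    lost = s.pop("lost")
    s["lost_last"] = lost[-1] if lost else None
    # Records dropped between the first and last sample, modulo 2**32.
    s["lost_delta"] = ((lost[-1] - lost[0]) & MASK32) if lost else 0
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On this excerpt, `lost_delta` is 1084085 between 12:24:36 and 12:24:41 while `rate_limit` is 0, so the kernel is dropping audit records instead of throttling them.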

