On a box with all F18 packages except glibc-2.16.90-25.fc19.x86_64, we see applications randomly needing access to /proc/sys/vm/overcommit_memory. This is almost certainly a result of commit 9fab36eb. The SELinux team is trying to understand who we need to start giving access to this file, as it is generating denials across the system. Why do applications need to open this file? What is the risk of letting applications have access to this file?
(In reply to comment #0)

> On a box with all F18 packages except glibc-2.16.90-25.fc19.x86_64 we see
> applications randomly needing access to /proc/sys/vm/overcommit_memory This
> is almost certainly a result of commit 9fab36eb

Yes it is.

> The SELinux team is trying to understand who we need to start giving access
> to this file as it is generating denials across the system. Why do
> applications need to open this file?

glibc uses the value to see if overcommit is disabled and, if it is, modifies its malloc behaviour. This helps reduce the VM footprint of multithreaded processes when overcommit is disabled.

> What is the risk of letting applications have access to this file?

The file seems to be marked as sysctl_vm_t, and selinux-policy seems to have a default policy to completely deny access to all applications for such files, so this question should be directed to the authors/maintainers of selinux-policy. I don't see the risk in allowing read access to overcommit_memory or, for that matter, any sysctl.
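The check described in the reply above, as an added example that is not glibc's own code: it reads /proc/sys/vm/overcommit_memory, treats mode 2 (the kernel's "never overcommit" setting) as "overcommit disabled", and, crucially for the SELinux case in this bug, treats a denied or failed read (EACCES from a sysctl_vm_t denial, ENOENT in a chroot, anything else) as "not disabled", so a policy denial only costs the optimisation rather than breaking the process. The function names, the err out-parameter and the fixed 8-byte buffer are assumptions of this example, not glibc's interface.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse the contents of vm.overcommit_memory: a single digit 0, 1 or 2,
 * optionally followed by a newline. Returns the mode, or -1 when the
 * content is not one of the documented values. */
int parse_overcommit_mode(const char *buf, size_t len)
{
    if (len < 1 || buf[0] < '0' || buf[0] > '2')
        return -1;
    if (len > 1 && buf[1] != '\n')
        return -1;
    return buf[0] - '0';
}

/* Read the sysctl at PATH and report whether overcommit is disabled
 * (mode 2). Any failure to open or read, including EACCES from an
 * SELinux denial, returns 0 and stores errno in *err (if non-NULL) so
 * the caller can log it; the caller then keeps its default behaviour.
 * This fail-safe default is the point of the example: a read denial
 * must never turn into a crash or a changed allocation strategy. */
int overcommit_disabled(const char *path, int *err)
{
    char buf[8];            /* assumption: the file holds one digit and a newline */
    ssize_t n;
    int fd;

    if (err)
        *err = 0;
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        if (err)
            *err = errno;
        return 0;
    }
    n = read(fd, buf, sizeof buf - 1);
    if (n < 0 && err)
        *err = errno;
    close(fd);
    if (n <= 0)
        return 0;
    return parse_overcommit_mode(buf, (size_t)n) == 2;
}

int main(void)
{
    int err;
    int disabled = overcommit_disabled("/proc/sys/vm/overcommit_memory", &err);

    if (err)
        printf("could not read overcommit_memory: %s (assuming overcommit allowed)\n",
               strerror(err));
    printf("overcommit disabled: %d\n", disabled);
    return 0;
}
```

Run it in a domain that is denied read on sysctl_vm_t and the first line shows "Permission denied" while the program still completes; the matching AVC record in the audit log will name the source context that needs the read permission, which is the information the policy maintainers asked for in this bug.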
Fixed in selinux-policy-3.11.1-50.fc18.noarch
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.