Bug 872729 - Applications randomly need access to /proc/sys/vm/overcommit_memory
Summary: Applications randomly need access to /proc/sys/vm/overcommit_memory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-02 20:24 UTC by Eric Paris
Modified: 2013-04-19 05:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-19 05:52:00 UTC
Type: Bug
Embargoed:



Description Eric Paris 2012-11-02 20:24:33 UTC
On a box with all F18 packages except glibc-2.16.90-25.fc19.x86_64 we see applications randomly needing access to /proc/sys/vm/overcommit_memory.  This is almost certainly a result of commit 9fab36eb

The SELinux team is trying to understand who we need to start giving access to this file as it is generating denials across the system.  Why do applications need to open this file?  What is the risk of letting applications have access to this file?

Comment 1 Siddhesh Poyarekar 2012-11-03 01:55:16 UTC
(In reply to comment #0)
> On a box with all F18 packages except glibc-2.16.90-25.fc19.x86_64 we see
> applications randomly needing access to /proc/sys/vm/overcommit_memory.  This
> is almost certainly a result of commit 9fab36eb

Yes it is.

> The SELinux team is trying to understand who we need to start giving access
> to this file as it is generating denials across the system.  Why do
> applications need to open this file?

glibc uses the value to see if overcommit is disabled and if it is, modify its malloc behaviour.  This helps reduce the vm footprint of multithreaded processes when overcommit is disabled.

> What is the risk of letting applications have access to this file?

The file seems to be marked as sysctl_vm_t and the selinux-policy seems to have a default policy to completely deny access to all applications for such files, so this question should be directed to the authors/maintainers of selinux-policy.  I don't see the risk in allowing read access to overcommit_memory or for that matter any sysctl.
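
An added example, not from this report or from the glibc or selinux-policy projects: a small Python aggregator over constructed audit-log AVC lines that answers the "who do we need to start giving access" question above by grouping denials on sysctl_vm_t by source domain, and separating domains that only ask for the read-side permissions a libc lookup of overcommit_memory needs from those asking for more. The domain names, PIDs and inode numbers in the sample lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines modelled on the denials described in the
# report; the PIDs, inode numbers and most domain names are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1351887800.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="overcommit_memory" dev="proc" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1351887800.456:102): avc:  denied  { open } for  pid=1234 comm="httpd" path="/proc/sys/vm/overcommit_memory" dev="proc" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1351887801.789:103): avc:  denied  { search } for  pid=1234 comm="httpd" name="vm" dev="proc" ino=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1351887802.000:104): avc:  denied  { read } for  pid=2222 comm="sshd" name="overcommit_memory" dev="proc" ino=9001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1351887803.000:105): avc:  denied  { write } for  pid=3333 comm="tuned" name="overcommit_memory" dev="proc" ino=9001 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1351887804.000:106): avc:  denied  { read } for  pid=4444 comm="foo" name="shadow" dev="sda1" ino=42 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches the permission set, source/target contexts and object class of an AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_of(context):
    """user:role:type:level -> type (the SELinux domain or file type)."""
    return context.split(":")[2]

def summarise_denials(audit_text, target_type="sysctl_vm_t"):
    """Group denials against target_type by source domain.

    Returns {source_domain: {tclass: set(perms)}}, which is what the policy
    maintainer needs in order to decide which domains get which rule.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or domain_of(m["tcontext"]) != target_type:
            continue
        summary[domain_of(m["scontext"])][m["tclass"]].update(m["perms"].split())
    return {dom: dict(classes) for dom, classes in summary.items()}

def read_only_domains(summary):
    """Split domains into those wanting only read-side permissions (what the
    glibc overcommit check needs) and those asking for anything more."""
    read_side = {"read", "open", "getattr", "search"}
    ok, flagged = set(), set()
    for domain, classes in summary.items():
        wanted = set().union(*classes.values())
        (ok if wanted <= read_side else flagged).add(domain)
    return sorted(ok), sorted(flagged)
```

On a real system the same grouping is obtained with `ausearch -m avc` piped into this script; the flagged set is the one to inspect by hand rather than feed to audit2allow.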

Comment 2 Daniel Walsh 2012-11-05 19:49:46 UTC
Fixed in selinux-policy-3.11.1-50.fc18.noarch

Comment 3 Fedora End Of Life 2013-04-03 20:27:45 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and the reason for this action are here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 4 Fedora Update System 2013-04-08 11:40:46 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 5 Fedora Update System 2013-04-08 15:49:03 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-04-19 05:52:02 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
