AVCs generated by oom actions....
- From: "Tom London" <selinux gmail com>
- To: fedora-selinux <fedora-selinux-list redhat com>
- Subject: AVCs generated by oom actions....
- Date: Tue, 2 Sep 2008 12:52:46 -0700
I'm having some out-of-memory issues with latest kernels:
https://bugzilla.redhat.com/show_bug.cgi?id=460848
I've noticed that when this happens, I get audit and AVC spew.
Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
for processes that are about to commit suicide.
I have no idea what is causing these, and whether these are bugs (or
features ;)).
Any ideas/wisdom welcome!
tom
[root tlondon ~]# audit2allow -i oom-audit.txt
#============= NetworkManager_t ==============
allow NetworkManager_t self:capability { sys_rawio sys_admin sys_resource };
#============= audisp_t ==============
allow audisp_t self:capability { sys_rawio sys_admin sys_resource };
#============= auditd_t ==============
allow auditd_t self:capability { sys_rawio sys_admin };
#============= bluetooth_t ==============
allow bluetooth_t self:capability { sys_rawio sys_admin sys_resource };
#============= consolekit_t ==============
allow consolekit_t self:capability { sys_rawio sys_admin sys_resource };
#============= dhcpc_t ==============
allow dhcpc_t self:capability { sys_rawio sys_admin };
#============= getty_t ==============
allow getty_t self:capability sys_rawio;
#============= kerneloops_t ==============
allow kerneloops_t self:capability { sys_rawio sys_admin sys_resource };
#============= restorecond_t ==============
allow restorecond_t self:capability { sys_rawio sys_admin sys_resource };
#============= rpcd_t ==============
allow rpcd_t self:capability { sys_rawio sys_admin sys_resource };
#============= sendmail_t ==============
allow sendmail_t self:capability { sys_rawio sys_admin sys_resource };
#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability { sys_rawio sys_admin sys_resource };
#============= sshd_t ==============
allow sshd_t self:capability { sys_rawio sys_admin };
#============= syslogd_t ==============
allow syslogd_t self:capability sys_rawio;
#============= unconfined_mono_t ==============
allow unconfined_mono_t self:process execstack;
#============= xdm_t ==============
allow xdm_t self:capability sys_admin;
[root tlondon ~]#
--
Tom London