Re: AVCs generated by oom actions....
- From: Stephen Smalley <sds tycho nsa gov>
- To: Tom London <selinux gmail com>
- Cc: fedora-selinux <fedora-selinux-list redhat com>
- Subject: Re: AVCs generated by oom actions....
- Date: Wed, 03 Sep 2008 09:53:01 -0400
On Wed, 2008-09-03 at 06:40 -0700, Tom London wrote:
> On Wed, Sep 3, 2008 at 4:09 AM, James Morris <jmorris namei org> wrote:
> > On Tue, 2 Sep 2008, Tom London wrote:
> >
> >> I'm having some out-of-memory issues with latest kernels:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=460848
> >>
> >> I've noticed that when this happens, I get audit and AVC spew.
> >>
> >> Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs
> >> for processes that are about to commit suicide.
> >>
> >> I have no idea what is causing these, and whether these are bugs (or
> >> features ;)).
> >>
> >> Any ideas/wisdom welcome!
> >
> > This patch should fix it:
> > http://marc.info/?l=selinux&m=122039060813510&w=2
> >
> > --
> > James Morris
> > <jmorris namei org>
> >
> Thanks. I am already running (half of) that patch that fixes
> security_context_to_sid_core(), and it indeed seems to fix the random
> oom's.
>
> However, I was asking about the (corner?) case where the system
> legitimately needed to call the oom-killer. Do the above AVCs
> ('sys_rawio', 'sys_admin', and 'sys_resource') indicate an issue?
> They did not appear to interfere with the killing of the
> processes......
The oom killer tests for those capabilities on potential target
processes as part of selecting which process to kill (processes that
have those capabilities are less likely to be killed by the oom killer).
We should likely use a special hook for those tests that uses the
_noaudit interfaces to avoid noise in the audit logs, similar to what
was done for vm_enough_memory.
--
Stephen Smalley
National Security Agency
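As an added example (not code from the thread or from the kernel), a small Python triage script that parses AVC denial records and flags the sys_rawio/sys_admin/sys_resource capability denials clustered on one pid as the OOM-killer victim-selection noise described above, so an admin does not feed them into audit2allow. The sample audit lines, the one-second clustering window and the verdict labels are constructed assumptions.

```python
import re
from collections import defaultdict

# Capability-class denials the thread reports for processes the OOM killer
# is ranking as candidate victims (CAP_SYS_RAWIO=17, CAP_SYS_ADMIN=21, CAP_SYS_RESOURCE=24).
OOM_SELECTION_CAPS = frozenset({"sys_rawio", "sys_admin", "sys_resource"})

# Standard AVC record layout: audit(ts:serial) ... avc: denied { perms } for pid=... comm="..." ... tclass=...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\).*?avc:\s+denied\s+\{ (?P<perms>[^}]*) \}"
    r"\s+for\s+pid=(?P<pid>\d+)\s+comm=\"(?P<comm>[^\"]*)\".*?tclass=(?P<tclass>\w+)"
)

# Constructed sample (assumption, not taken from the thread): one pid with the
# three capability denials in the same instant, plus an unrelated file denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1220432400.101:201): avc:  denied  { sys_rawio } for  pid=4321 comm="firefox" capability=17  scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability
type=AVC msg=audit(1220432400.101:202): avc:  denied  { sys_admin } for  pid=4321 comm="firefox" capability=21  scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability
type=AVC msg=audit(1220432400.101:203): avc:  denied  { sys_resource } for  pid=4321 comm="firefox" capability=24  scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability
type=AVC msg=audit(1220432405.555:210): avc:  denied  { write } for  pid=4400 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""


def parse_avc(text):
    """Yield (ts, pid, comm, tclass, perms) for every AVC denial line in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield float(m["ts"]), int(m["pid"]), m["comm"], m["tclass"], set(m["perms"].split())


def triage(text, window=1.0):
    """Map pid -> verdict. A pid whose capability denials cover all three
    OOM-selection caps within `window` seconds is labelled as selection noise;
    everything else is left for normal review."""
    cap_events = defaultdict(list)  # pid -> [(ts, perm)] for tclass=capability
    verdict = {}
    for ts, pid, _comm, tclass, perms in parse_avc(text):
        if tclass == "capability":
            cap_events[pid].extend((ts, p) for p in perms)
        else:
            verdict.setdefault(pid, "review")
    for pid, events in cap_events.items():
        hits = [(ts, p) for ts, p in events if p in OOM_SELECTION_CAPS]
        seen = {p for _, p in hits}
        spread = max(ts for ts, _ in hits) - min(ts for ts, _ in hits) if hits else 0.0
        verdict[pid] = "oom-selection noise" if seen == OOM_SELECTION_CAPS and spread <= window else "review"
    return verdict
```

Denials tagged as noise are still denials; the fix the thread proposes is the kernel using a _noaudit check, not a policy allow rule.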