Re: Centos 7 lockup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On 08/21/2014 02:09 PM, Les Mikesell wrote:
> On Thu, Aug 21, 2014 at 12:23 PM,  <m.roth@xxxxxxxxx> wrote:
>> Les Mikesell wrote:
>>> A machine I set up to run OpenNMS stopped working last night - no
>>> hardware alarm lights, but keyboard/monitor/network unresponsive.
>>> After a reboot I see a large stack of messages like this in
>>> /var/log/messages:
>>>
>>> ----
>>> Aug 20 14:02:34 opennms-h-03 python: SELinux is preventing
>>> /usr/sbin/monitor-get-edid-using-vbe from mmap
>>> _zero access on the memprotect .
>>> ------
>>> and then this final message
>>>
>>> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute
>>> 'split'
>>>
>>>
>>> Do either of those look fatal?   And where else should I look for the
>>> underlying problem?
>>>
>> Looks like all selinux to me, esp. the wording. Is it in enforcing mode? I
>> wonder if it's possible that there's a bug in an selinux policy that
>> results in "IT'S NOT SAFE!!! SHUT IT DOWN!!!".
> /var/log/audit/audit.log says:
> type=AVC msg=audit(1408478520.792:7016): avc:  denied  { mmap_zero }
> for  pid=17977 comm="monitor-get-edi"
> scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
> tclass=memprotect
>
> which isn't particularly readable but I would guess means that it
> blocked the ocsinventory-agent from getting the monitor type.  Not
> sure why that is supposed to be helpful, but it also doesn't sound
> fatal.  And somewhat irrelevant on a normally headless server.
>
> Does that dbus error looks serious?
> Aug 20 14:02:42 opennms-h-03 dbus-daemon: 'list' object has no attribute 'split'
>
>  --
>    Les Mikesell
>      lesmikesell@xxxxxxxxx
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
mmap_zero is a fairly dangerous access. It means the object is
attempting to memeory map
low memory in the kernel.  Bugs in the kernel have been known to allow
priv escallation, can be prevented by this check.

http://eparis.livejournal.com/

Talks about the access check.

I usually tell people to avoid these apps, but if you need to run it,
you can turn the protection off as the alert told you.

setsebool -P mmap_low_allowed 1



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux