I'm having some out-of-memory issues with latest kernels:
https://bugzilla.redhat.com/show_bug.cgi?id=460848

I've noticed that when this happens, I get audit and AVC spew.

Appears that I get 'sys_rawio', 'sys_admin', and 'sys_resource' AVCs for processes that are about to commit suicide.

I have no idea what is causing these, and whether these are bugs (or features ;)).

Any ideas/wisdom welcome!

tom

[root@tlondon ~]# audit2allow -i oom-audit.txt

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability { sys_rawio sys_admin sys_resource };

#============= audisp_t ==============
allow audisp_t self:capability { sys_rawio sys_admin sys_resource };

#============= auditd_t ==============
allow auditd_t self:capability { sys_rawio sys_admin };

#============= bluetooth_t ==============
allow bluetooth_t self:capability { sys_rawio sys_admin sys_resource };

#============= consolekit_t ==============
allow consolekit_t self:capability { sys_rawio sys_admin sys_resource };

#============= dhcpc_t ==============
allow dhcpc_t self:capability { sys_rawio sys_admin };

#============= getty_t ==============
allow getty_t self:capability sys_rawio;

#============= kerneloops_t ==============
allow kerneloops_t self:capability { sys_rawio sys_admin sys_resource };

#============= restorecond_t ==============
allow restorecond_t self:capability { sys_rawio sys_admin sys_resource };

#============= rpcd_t ==============
allow rpcd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sendmail_t ==============
allow sendmail_t self:capability { sys_rawio sys_admin sys_resource };

#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability { sys_rawio sys_admin sys_resource };

#============= sshd_t ==============
allow sshd_t self:capability { sys_rawio sys_admin };

#============= syslogd_t ==============
allow syslogd_t self:capability sys_rawio;

#============= unconfined_mono_t ==============
allow unconfined_mono_t self:process execstack;

#============= xdm_t ==============
allow xdm_t self:capability sys_admin;
[root@tlondon ~]#

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list