setroubleshootd using excessive memory

[Martin Ebourne]

On Sun, 2007-09-02 at 12:54 -0400, John Dennis wrote:
> On Fri, 2007-08-31 at 23:28 +0000, Martin Ebourne wrote:
> > Just noticed a problem with my laptop fully using swap and a major 
> > culprit seems to be setroubleshootd. From top it appeared to be using 
> > excessive vsize:
> 
> Would you do me a favor to help diagnose this and check two things for
> me?

Sure

> 1) Do a wc on /var/lib/setroubleshoot/audit_listener_database.xml
> (you'll need to be root).

  2622   8075 124241 /var/lib/setroubleshoot/audit_listener_database.xml

This file is world readable on mine - should it not be?

-rw-r--r-- 1 root root 122K 2007-09-02 22:21 /var/lib/setroubleshoot/audit_listener_database.xml

> 2) Open the sealert browser and see if you've got any alerts with very
> high counts, or an excessive number of alerts.

32 different alerts. The highest scorers are:

230 of avc: denied { search } for comm="modprobe" dev=dm-0 egid=0 euid=0
exe="/sbin/modprobe" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root"
pid=32248 scontext=user_u:system_r:insmod_t:s0 sgid=0
subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir
tcontext=root:object_r:user_home_dir_t:s0 tty=pts2 uid=0 

40 of avc: denied { search } for comm="sm-notify" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/sm-notify" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="root" pid=32223 scontext=user_u:system_r:rpcd_t:s0 sgid=0
subj=user_u:system_r:rpcd_t:s0 suid=0 tclass=dir
tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0 

27 of avc: denied { read, write } for comm="pickup" dev=anon_inodefs
egid=0 euid=0 exe="/usr/libexec/postfix/pickup" exit=0 fsgid=0 fsuid=0
gid=0 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]" pid=19768
scontext=system_u:system_r:postfix_pickup_t:s0 sgid=0
subj=system_u:system_r:postfix_pickup_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0 

The rest are single digits.

Cheers,

Martin.