LinuxQuestions.org
Old 07-21-2011, 10:25 AM   #1
grob115
Member
 
Registered: Oct 2005
Posts: 542

Rep: Reputation: 32
Excessive swap usage from setroubleshootd


Just noticed from the "top" command that one of my least heavily used boxes is swapping excessively by a program called setroubleshootd. Following is the top section of the "top" command sorted by Swap used for both boxes.

Any idea why this is the case and what can I do about this?
Also tried checking it out to see if there's a "service setroubleshootd restart" but when I checked the status I got the following.
Code:
[root]# service setroubleshootd status
setroubleshootd: unrecognized service
Lightly loaded box with lots of swapping
Code:
Tasks:  85 total,   2 running,  83 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni, 98.0%id,  1.7%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   1026880k total,   983528k used,    43352k free,    59604k buffers
Swap:  2064376k total,   355692k used,  1708684k free,   121996k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  SWAP COMMAND
 3319 root      15   0 1202m 665m 5748 S  0.0 66.3  23:29.99 537m setroubleshootd
 3845 root      34  19  253m  14m 2188 S  0.0  1.5   0:34.41 238m yum-updatesd
 3841 gdm       16   0  216m 5300 4236 S  0.0  0.5   0:00.15 211m gdmgreeter
 3822 root      18   0  190m 2208 1568 S  0.0  0.2   0:00.00 187m gdm-binary
 3824 root      15   0  185m 3948 3236 S  0.0  0.4   0:00.11 181m gdm-rh-security
 3725 root      16   0  163m 2532 1920 S  0.0  0.2   0:00.00 161m gdm-binary
 3500 root      18   0  130m 2140 1240 S  0.0  0.2   0:00.00 128m cupsd
Heavily used box with little swapping
Code:
Tasks: 118 total,   4 running, 113 sleeping,   0 stopped,   1 zombie
Cpu(s):  4.7%us,  0.3%sy,  0.0%ni, 94.7%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   2059580k total,  1928356k used,   131224k free,   162032k buffers
Swap:  4095992k total,       12k used,  4095980k free,  1336632k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  SWAP COMMAND
 3842 root      34  19  253m  17m 2196 S  0.0  0.9   0:34.20 235m yum-updatesd
 3284 root      15   0  301m  77m 6004 S  0.0  3.9   2:23.30 223m setroubleshootd
 3840 gdm       16   0  216m  16m 7064 S  0.0  0.8   0:00.43 199m gdmgreeter
 3814 root      18   0  190m 2352 1644 S  0.0  0.1   0:00.00 187m gdm-binary
 3816 root      15   0  185m 4112 3384 S  0.0  0.2   0:02.90 181m gdm-rh-security
 3724 root      15   0  163m 2588 1976 S  0.0  0.1   0:00.00 161m gdm-binary
 3465 root      18   0  141m  14m 1824 S  0.0  0.7   0:00.06 127m cupsd
12799 daemon    18   0  103m 3708  648 S  0.0  0.2   0:00.00 100m httpd
12396 daemon    15   0  112m  13m 3440 S  0.0  0.7   0:00.99  98m httpd
 3556 root      18   0  103m 5260 2208 S  0.0  0.3   0:37.68  98m httpd
11778 daemon    15   0  117m  19m 3144 S  2.3  1.0   0:01.76  98m httpd
12750 daemon    15   0  106m 9096 2860 S  0.0  0.4   0:00.04  97m httpd
12673 daemon    15   0  110m  12m 2876 S  0.0  0.6   0:00.23  97m httpd
12693 daemon    15   0  110m  13m 2876 S  0.0  0.7   0:00.18  97m httpd
12666 daemon    15   0  105m 8132 2888 S  0.0  0.4   0:00.19  97m httpd
12729 daemon    15   0  112m  15m 2968 S  0.0  0.8   0:00.11  97m httpd
12588 daemon    15   0  110m  12m 2984 S  0.0  0.6   0:00.54  97m httpd
 
Old 07-22-2011, 06:58 PM   #2
(=AA=)
LQ Newbie
 
Registered: Dec 2002
Location: UK
Distribution: FreeBSD
Posts: 24

Rep: Reputation: 3
http://www.linuxquestions.org/questi...memory-634347/
 
Old 07-30-2011, 06:10 AM   #3
grob115
Member
 
Registered: Oct 2005
Posts: 542

Original Poster
Rep: Reputation: 32
Hello,

Thanks, but my CentOS version is 5.5, so it doesn't look like it's due to an old setroubleshoot program. However, once I've turned on logging for setroubleshoot, I notice what's going into /var/log/setroubleshoot/setroubleshootd.log is essentially the same stuff that's being logged into /var/log/audit/audit.log, with the following repeated. It looks like both "ifconfig" and "mii-tool" are trying to repeatedly access the /var/spool/mail area. Has anyone seen this? Why would these two network programs be trying to access the mail files?

Code:
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/log/maillog" dev=dm-0 ino=653055 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/spool/mail/rpc" dev=dm-0 ino=652501 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/spool" dev=dm-0 ino=652201 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/spool/mail/root" dev=dm-0 ino=652995 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/spool/mail" dev=dm-0 ino=652203 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1312011603.100:338987): arch=c000003e syscall=59 success=yes exit=0 a0=7cbee00 a1=7cbf1a0 a2=7cbdb50 a3=8 items=0 ppid=3569 pid=32534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/log/maillog" dev=dm-0 ino=653055 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/spool/mail/rpc" dev=dm-0 ino=652501 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/spool" dev=dm-0 ino=652201 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/spool/mail/root" dev=dm-0 ino=652995 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/spool/mail" dev=dm-0 ino=652203 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1312011603.102:338988): arch=c000003e syscall=59 success=yes exit=0 a0=19ebbdd0 a1=19ebc0b0 a2=19ebab50 a3=8 items=0 ppid=3569 pid=32535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mii-tool" exe="/sbin/mii-tool" subj=system_u:system_r:ifconfig_t:s0 key=(null)
 
Old 07-30-2011, 12:14 PM   #4
(=AA=)
LQ Newbie
 
Registered: Dec 2002
Location: UK
Distribution: FreeBSD
Posts: 24

Rep: Reputation: 3
I suggest you read this extensively: http://wiki.centos.org/HowTos/SELinux

SELinux protects files from processes that shouldn't have access to them, amongst other things. The above log just looks like loads of stuff is being denied access to files they might actually need access to. Although I'm not really sure why mii-tool or ifconfig are trying to read the mail spool. Perhaps they're trying to email the root user.
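An added example, not part of any post in this thread: a small parser that groups AVC denials like those in post #3 by audit event serial and joins each group to its SYSCALL record, so the executable, parent PID and denied target types can be read per event. The records are copied from post #3 with the SYSCALL lines abridged to the fields used; the function names and report keys are this example's own.

```python
import re
from collections import defaultdict
# Records copied from post #3; SYSCALL lines abridged to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/log/maillog" dev=dm-0 ino=653055 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1312011603.100:338987): avc:  denied  { read } for  pid=32534 comm="ifconfig" path="/var/spool/mail/root" dev=dm-0 ino=652995 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1312011603.100:338987): arch=c000003e syscall=59 success=yes exit=0 ppid=3569 pid=32534 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0
type=AVC msg=audit(1312011603.102:338988): avc:  denied  { read } for  pid=32535 comm="mii-tool" path="/var/spool/mail" dev=dm-0 ino=652203 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1312011603.102:338988): arch=c000003e syscall=59 success=yes exit=0 ppid=3569 pid=32535 comm="mii-tool" exe="/sbin/mii-tool" subj=system_u:system_r:ifconfig_t:s0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def sel_type(context):
    return context.split(":")[2]  # type field of user:role:type:level

def summarize(text):
    """Group AVC denials by audit event serial and join each to its SYSCALL record."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied_m = PERMS.search(body)
        if rtype == "AVC" and denied_m:
            fields["perms"] = denied_m.group(1).split()
            events[int(serial)]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields
    report = []
    for serial in sorted(events):
        avcs, sc = events[serial]["avc"], events[serial]["syscall"]
        denied = defaultdict(list)  # (target type, class, permission) -> paths
        for a in avcs:
            for perm in a["perms"]:
                denied[(sel_type(a["tcontext"]), a["tclass"], perm)].append(a.get("path", "?"))
        report.append({
            "event": serial, "exe": sc.get("exe"), "ppid": sc.get("ppid"),
            "source": sorted({sel_type(a["scontext"]) for a in avcs}),
            "at_execve": (sc.get("arch"), sc.get("syscall")) == ("c000003e", "59"),  # x86_64 execve
            "denied": dict(denied),
        })
    return report

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

On these records every denial belongs to a successful execve of the tool from the same parent (ppid=3569). SELinux re-checks file descriptors inherited across an exec into a new domain, so identifying that parent with `ps -fp 3569` is the next step.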
 
  

