Created attachment 280587 [details] build log Merging libvirt-0.9.3-r1 results in a failing test namely 'test-poll'. I'm using hardened-gcc-4.6.1. I see exactly the same error with libvirt-0.9.2 and libvirt-0.9.1.
Created attachment 280589 [details] emerge --info
One more hint for this: I found a lot of resource oversteps for RLIMIT_NOFILE for the libvirt test-suite in /var/log/grsec.log.
hardened team: Any suggestions how to address this?
we need the pax.log and grsec.log
Please upload the pax.log and grsec.log
Created attachment 302333 [details] grsec.log for merge of libvirt-0.9.10 Here the requested grsec.log for libvirt-0.9.10. The pax.log was empty. The test failure is still exactly the same.
hardened: any comments? The user has gotten the feedback you requested.
*** Bug 422617 has been marked as a duplicate of this bug. ***
Created attachment 328648 [details] build.log Same problem with app-emulation/libvirt-0.10.2-r3 grsec messages: Nov 7 14:32:38 x kernel: [933932.840335] grsec: denied resource overstep by requesting 1000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/conftest[conftest:16412] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/configure[configure:16411] uid/euid:250/250 gid/egid:250/250 Nov 7 14:32:39 x kernel: [933933.199409] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/conftest[conftest:16434] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/configure[configure:16433] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.075475] grsec: denied resource overstep by requesting 18446744073709551614 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.075487] grsec: denied resource overstep by requesting 10000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.075556] grsec: denied resource overstep by requesting 18446744073709551615 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-dup2[test-dup2:4724] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.120746] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.120760] grsec: denied resource overstep by requesting 10000000 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.120772] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.120782] grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024 for /var/tmp/portage/app-emulation/libvirt-0.10.2-r3/work/libvirt-0.10.2/gnulib/tests/test-fcntl[test-fcntl:4739] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:4647] uid/euid:250/250 gid/egid:250/250 Nov 7 14:34:41 x kernel: [934055.120785] grsec: more alerts, logging disabled for 10 seconds
For some background, it appears that the stock hardened/grsec configuration is to limit a process to a hard limit of 1024 opened files. Which is reasonable. grsec is thinking that the processes blocked want (2^32)-1 and (2^64)-2 files opened which exceeds the limit. These numbers are a bit too conspicuous to discount. Granted these are all configure checks and not that actual test-poll process because logging was disabled. So the reality is that hardened needs to let me know how to handle this from a configure side as well.
The problem is still here for libvirt-1.1.0, if it is hard to fix, please disable this test with USE hardened or pax_kernel. All other tests work fine and i would to run them.
(In reply to Nikoli from comment #11) > The problem is still here for libvirt-1.1.0, if it is hard to fix, please > disable this test with USE hardened or pax_kernel. All other tests work fine > and i would to run them. Its not a hard fix. I need more debugging info as I requested and haven't gotten. I don't have any hardened systems setup so I can't get that info myself. If you're volunteering to do it, that'd be great.
I have hardened system with libvirtd install and would like to help. Output of which commands you want to see?
(In reply to Doug Goldstein from comment #10) > For some background, it appears that the stock hardened/grsec configuration > is to limit a process to a hard limit of 1024 opened files. Which is > reasonable. grsec is thinking that the processes blocked want (2^32)-1 and > (2^64)-2 files opened which exceeds the limit. These numbers are a bit too > conspicuous to discount. Granted these are all configure checks and not that > actual test-poll process because logging was disabled. So the reality is > that hardened needs to let me know how to handle this from a configure side > as well. I just retested this with libvirt-1.2.0 and the situation seems to be unchanged. I'm unsure as to what to do now (as in I don't understand what you request).
I will close as obsolete. If the problem persists with current 2.1.0-r2, please reopen.