Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2585: High memory usage when SELinux is enabled/enforced

Authentication Service ,  

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl on RHEL/CentOS 5.x systems
 
Question:
Centrify's adclient is using a noticeably large amount of memory when SELinux is enabled or enforced. 
This also causes core dump and restarting Centrify temporary fixes the issue.
 
Is there any reason for this?
 
Examples:
root@soa-as-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 19968 root   22u  unix 0xffff81013377bc40      12154652
/var/centrifydc/daemon2
[root@soa-as-lt1 ~]#
 
[root@soa-as-ld2 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 18895 root   20u  unix 0xffff81010846ee80      12138095
/var/centrifydc/daemon2
[root@soa-as-ld2 ~]#
 
[root@soa-db-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 19444 root   26u  unix 0xffff8100be1fb940      12148596
/var/centrifydc/daemon2
[root@soa-db-lt1 ~]#
 
Answer:
If SELinux is enabled on Linux, a file's security context needs to be restored after creation/modification. 
libselinux is loaded dynamically to handle SELinux related tasks.
 
matchpathcon is used to get a file's default security context. 
On RHEL5, this function loads security context configurations into memory (by calling matchpathcon_init), and does not free them.
 
When unloading the SELinux library, the memory is not freed. This memory leak is somewhat significant. 
Memory usage increases 20+MB every time a file is changed like the ones below:
 
 /etc/nsswitch.conf
 /etc/centrifydc/uid.ignore
 /etc/pam.d/...
 /etc/krb5.conf
 
This proves to be RHEL's libselinux library problem - specifically in the SELinux module.
 
https://bugzilla.redhat.com/show_bug.cgi?id=658657
 
As a test, customers are advised to disable SElinux. 
Centrify worked around this issue in CDC 5.0.4 and fixed it in the Centrify DirectControl 5.1. 
 
Its not possible to fix this issue on a RHEL 4.x system.
 
Additional links on SELinux provided as a courtesy:
http://www.crypt.gen.nz/selinux/faq.html#GA.6

Related Articles

 articleKB-7586: High CPU usage after 30 minutes after installing or upgrading to Suite 2016.1 (5.3.1) articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleHow to make winbind work with NSS instead of adbindd using Samba4 articleHigh CPU usage after 30 minutes after installing or upgrading to Suite 2016.1 (5.3.1) articleCentrify 16.11 & 16.11 Hotfix 1 Release Notes article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-4018: DirectAudit Session logging (scp file stream content) can cause excessive DB usage articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II