Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2585: High memory usage when SELinux is enabled/enforced

Authentication Service ,  

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl on RHEL/CentOS 5.x systems
 
Question:
Centrify's adclient is using a noticeably large amount of memory when SELinux is enabled or enforced. 
This also causes core dump and restarting Centrify temporary fixes the issue.
 
Is there any reason for this?
 
Examples:
root@soa-as-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 19968 root   22u  unix 0xffff81013377bc40      12154652
/var/centrifydc/daemon2
[root@soa-as-lt1 ~]#
 
[root@soa-as-ld2 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 18895 root   20u  unix 0xffff81010846ee80      12138095
/var/centrifydc/daemon2
[root@soa-as-ld2 ~]#
 
[root@soa-db-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND    PID USER   FD   TYPE             DEVICE SIZE     NODE NAME
adclient 19444 root   26u  unix 0xffff8100be1fb940      12148596
/var/centrifydc/daemon2
[root@soa-db-lt1 ~]#
 
Answer:
If SELinux is enabled on Linux, a file's security context needs to be restored after creation/modification. 
libselinux is loaded dynamically to handle SELinux related tasks.
 
matchpathcon is used to get a file's default security context. 
On RHEL5, this function loads security context configurations into memory (by calling matchpathcon_init), and does not free them.
 
When unloading the SELinux library, the memory is not freed. This memory leak is somewhat significant. 
Memory usage increases 20+MB every time a file is changed like the ones below:
 
 /etc/nsswitch.conf
 /etc/centrifydc/uid.ignore
 /etc/pam.d/...
 /etc/krb5.conf
 
This proves to be RHEL's libselinux library problem - specifically in the SELinux module.
 
https://bugzilla.redhat.com/show_bug.cgi?id=658657
 
As a test, customers are advised to disable SElinux. 
Centrify worked around this issue in CDC 5.0.4 and fixed it in the Centrify DirectControl 5.1. 
 
Its not possible to fix this issue on a RHEL 4.x system.
 
Additional links on SELinux provided as a courtesy:
http://www.crypt.gen.nz/selinux/faq.html#GA.6

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7586: High CPU usage after 30 minutes after installing or upgrading to Suite 2016.1 (5.3.1) articleHow to make winbind work with NSS instead of adbindd using Samba4 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleCentrify 16.11 & 16.11 Hotfix 1 Release Notes articleHigh CPU usage after 30 minutes after installing or upgrading to Suite 2016.1 (5.3.1) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-4018: DirectAudit Session logging (scp file stream content) can cause excessive DB usage articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II