Applies to: All versions of Centrify DirectControl on RHEL/CentOS 5.x systems
Question:
Centrify's adclient uses a noticeably large amount of memory when SELinux is enabled or enforcing.
This also causes core dumps, and restarting Centrify temporarily fixes the issue.
Is there any reason for this?
Examples:
[root@soa-as-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND  PID   USER FD  TYPE DEVICE             SIZE NODE     NAME
adclient 19968 root 22u unix 0xffff81013377bc40      12154652 /var/centrifydc/daemon2
[root@soa-as-lt1 ~]#
[root@soa-as-ld2 ~]# lsof /var/centrifydc/daemon2
COMMAND  PID   USER FD  TYPE DEVICE             SIZE NODE     NAME
adclient 18895 root 20u unix 0xffff81010846ee80      12138095 /var/centrifydc/daemon2
[root@soa-as-ld2 ~]#
[root@soa-db-lt1 ~]# lsof /var/centrifydc/daemon2
COMMAND  PID   USER FD  TYPE DEVICE             SIZE NODE     NAME
adclient 19444 root 26u unix 0xffff8100be1fb940      12148596 /var/centrifydc/daemon2
[root@soa-db-lt1 ~]#
Answer:
If SELinux is enabled on Linux, a file's security context needs to be restored after adclient creates or modifies the file.
adclient loads libselinux dynamically to handle SELinux-related tasks.
matchpathcon is used to look up a file's default security context.
On RHEL5, this function loads the security context configuration into memory (by calling matchpathcon_init) and does not free it.
The memory is still not freed when the SELinux library is unloaded, so the leak accumulates and is significant.
Memory usage increases by 20+ MB every time one of the files adclient manages is changed, for example:
/etc/nsswitch.conf
/etc/centrifydc/uid.ignore
/etc/pam.d/...
/etc/krb5.conf
This is a bug in RHEL's libselinux library, specifically in the SELinux matchpathcon code, tracked in Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=658657
As a test to confirm the cause, customers are advised to disable SELinux.
Centrify worked around this issue in CDC 5.0.4 and fixed it in Centrify DirectControl 5.1.
It is not possible to fix this issue on a RHEL 4.x system.
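To confirm on an affected host that adclient's growth matches the leak described above, the following monitor (an added example, not Centrify's code) samples adclient's resident set size from /proc and flags any jump of 20 MB or more between consecutive samples, printing the SELinux mode alongside. It assumes a Linux /proc filesystem and the pgrep and getenforce commands; the 20480 kB threshold is taken from the 20+ MB per change stated in the answer.

```shell
#!/bin/sh
# Added example (not from the Centrify KB): watch adclient RSS for the
# per-file-change growth caused by the RHEL5 libselinux matchpathcon leak.

THRESHOLD_KB=20480   # 20 MB, the per-change growth quoted in the article

# Resident set size in kB of a PID, read from /proc/<pid>/status.
rss_kb() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status"
}

# Growth in kB between two samples (pure arithmetic, so it is testable).
growth_kb() {
    echo $(( $2 - $1 ))
}

# True (exit 0) when growth between two samples reaches the leak threshold.
leak_suspected() {
    [ "$(growth_kb "$1" "$2")" -ge "$THRESHOLD_KB" ]
}

# Sample adclient every N seconds (default 30) and report suspicious jumps.
# Each jump of >= 20 MB lines up with a change to a file adclient manages
# (nsswitch.conf, krb5.conf, pam.d/...) while SELinux is enabled.
monitor_adclient() {
    interval=${1:-30}
    pid=$(pgrep -x adclient | head -n 1)
    [ -n "$pid" ] || { echo "adclient is not running" >&2; return 1; }
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unknown), adclient pid $pid"
    prev=$(rss_kb "$pid")
    while kill -0 "$pid" 2>/dev/null; do
        sleep "$interval"
        cur=$(rss_kb "$pid") || break
        echo "$(date '+%F %T') RSS ${cur} kB (delta $(growth_kb "$prev" "$cur") kB)"
        if leak_suspected "$prev" "$cur"; then
            echo "  >= 20 MB jump: consistent with the libselinux leak"
        fi
        prev=$cur
    done
    echo "adclient pid $pid exited (core dump / restart?)"
}

# Run the monitor only when explicitly asked: ./script.sh monitor [seconds]
case "${1:-}" in
    monitor) monitor_adclient "${2:-30}" ;;
esac
```

Run it with `monitor` on a host where SELinux is enforcing, then make a watched-file change (or let the daemon make one) and compare the deltas with the same run after `setenforce 0`.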
Additional links on SELinux provided as a courtesy:
http://www.crypt.gen.nz/selinux/faq.html#GA.6