On 17.11.2020 13:26, Robert Marcano via devel wrote:
User d9k on IRC found the culprit. It is low-memory-monitor. The latest
commit [1] for it tries to not mess with the value with 1 is set, but it
should not mess with it ever.
That's why all user-space "OOM killers" must have the following lines in
their .service files:
DynamicUser=true
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
ProtectSystem=strict
ProtectHome=true
I think FESCo should create a special policy for such preinstalled by
default daemons. Running them as root is too dangerous.
Earlier, in cooperation with the upstream, we fixed the earlyoom daemon.
It has no root access to the system and can only kill processes using
ambient capabilities.
--
Sincerely,
Vitaly Zaitsev ([email protected])
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
