Please backport this fix. The RHEL7.2 selinux output is as follows:
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmlogger should be allowed create access on the
pmlogger.primary.socket lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_run_t:s0
Target Objects pmlogger.primary.socket [ lnk_file ]
Source pmlogger
Source Path /usr/bin/pmlogger
Port <Unknown>
Host bordewijk
Source RPM Packages pcp-3.10.6-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bordewijk
Platform Linux bordewijk 3.10.0-327.el7.x86_64 #1
SMP Thu
Oct 29 17:29:29 EDT 2015 x86_64 x86_64
Alert Count 7
First Seen 2015-11-20 00:10:11 CET
Last Seen 2015-11-26 00:10:11 CET
Local ID c9cba06f-900a-48df-bd9c-b575df017cd9
Raw Audit Messages
type=AVC msg=audit(1448493011.603:9249): avc: denied { create } for
pid=15563 comm="pmlogger" name="pmlogger.primary.socket"
scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1448493011.603:9249): arch=x86_64 syscall=symlink
success=no exit=EACCES a0=7fe58db2ab90 a1=7ffce6bd7300 a2=1000 a3=c
items=0 ppid=15327 pid=15563 auid=992 uid=992 gid=990 euid=992 suid=992
fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=1179 comm=pmlogger
exe=/usr/bin/pmlogger
subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)
Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create
+++ This bug was initially created as a clone of Bug #1254080 +++
Description of problem:
SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogger.primary.socket.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmlogger should be allowed create access on the pmlogger.primary.socket lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_run_t:s0
Target Objects pmlogger.primary.socket [ lnk_file ]
Source pmlogger
Source Path pmlogger
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.5-200.fc22.x86_64 #1 SMP Mon
Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-08-17 02:55:10 ART
Last Seen 2015-08-17 02:55:10 ART
Local ID 0c7ddc98-fe63-42a9-8a07-483ef97e33d9
Raw Audit Messages
type=AVC msg=audit(1439790910.97:2554): avc: denied { create } for pid=15915 comm="pmlogger" name="pmlogger.primary.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create
Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch
Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.1.5-200.fc22.x86_64
type: libreport
--- Additional comment from Lukas Vrabec on 2015-08-23 12:26:58 EDT ---
commit 677cb44a9f4c9a5deb292cb5c6893e2425737cec
Author: Lukas Vrabec <lvrabec>
Date: Sun Aug 23 00:18:37 2015 +0200
Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)
--- Additional comment from Fedora Update System on 2015-08-24 07:45:57 EDT ---
selinux-policy-3.13.1-128.12.fc22 has been submitted as an update to Fedora 22. https://bugzilla.redhat.com/show_bug.cgi?id=1254080
--- Additional comment from Fedora Update System on 2015-08-24 17:54:39 EDT ---
selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14076
--- Additional comment from Fedora Update System on 2015-08-27 14:23:05 EDT ---
selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2283.html
Please backport this fix. The RHEL7.2 selinux output is as follows: ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmlogger should be allowed create access on the pmlogger.primary.socket lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_run_t:s0 Target Objects pmlogger.primary.socket [ lnk_file ] Source pmlogger Source Path /usr/bin/pmlogger Port <Unknown> Host bordewijk Source RPM Packages pcp-3.10.6-2.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name bordewijk Platform Linux bordewijk 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 Alert Count 7 First Seen 2015-11-20 00:10:11 CET Last Seen 2015-11-26 00:10:11 CET Local ID c9cba06f-900a-48df-bd9c-b575df017cd9 Raw Audit Messages type=AVC msg=audit(1448493011.603:9249): avc: denied { create } for pid=15563 comm="pmlogger" name="pmlogger.primary.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1448493011.603:9249): arch=x86_64 syscall=symlink success=no exit=EACCES a0=7fe58db2ab90 a1=7ffce6bd7300 a2=1000 a3=c items=0 ppid=15327 pid=15563 auid=992 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=1179 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null) Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create +++ This bug was initially created as a clone of Bug #1254080 +++ Description of problem: SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogger.primary.socket. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmlogger should be allowed create access on the pmlogger.primary.socket lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_run_t:s0 Target Objects pmlogger.primary.socket [ lnk_file ] Source pmlogger Source Path pmlogger Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.10.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.5-200.fc22.x86_64 #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-08-17 02:55:10 ART Last Seen 2015-08-17 02:55:10 ART Local ID 0c7ddc98-fe63-42a9-8a07-483ef97e33d9 Raw Audit Messages type=AVC msg=audit(1439790910.97:2554): avc: denied { create } for pid=15915 comm="pmlogger" name="pmlogger.primary.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0 Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create Version-Release number of selected component: selinux-policy-3.13.1-128.10.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.1.5-200.fc22.x86_64 type: libreport --- Additional comment from Lukas Vrabec on 2015-08-23 12:26:58 EDT --- commit 677cb44a9f4c9a5deb292cb5c6893e2425737cec Author: Lukas Vrabec <lvrabec> Date: Sun Aug 23 00:18:37 2015 +0200 Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) --- Additional comment from Fedora Update System on 2015-08-24 07:45:57 EDT --- selinux-policy-3.13.1-128.12.fc22 has been submitted as an update to Fedora 22. https://bugzilla.redhat.com/show_bug.cgi?id=1254080 --- Additional comment from Fedora Update System on 2015-08-24 17:54:39 EDT --- selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14076 --- Additional comment from Fedora Update System on 2015-08-27 14:23:05 EDT --- selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.