Bug 1483320
Summary: | SELinux is preventing logger from read access on the lnk_file log | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Terry Bowling <tbowling> |
Component: | pcp | Assignee: | Lukas Berk <lberk> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 26 | CC: | brolley, fche, lberk, mgoodwin, nathans, pcp |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | pcp-3.12.2-1.fc26 pcp-3.12.2-1.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-09 22:23:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Terry Bowling
2017-08-20 12:21:33 UTC
Similar related messages

SELinux is preventing pmcd from getattr access on the file /var/lib/pcp/pmns/root.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed getattr access on the root file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
    # semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmns/root [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      85140039-7264-4084-a808-8aa07508be57

Raw Audit Messages
type=AVC msg=audit(1503231116.228:160): avc: denied { getattr } for pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0

Hash: pmcd,init_t,pcp_var_lib_t,file,getattr

SELinux is preventing pmcd from getattr access on the file /var/lib/pcp/pmns/root.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed getattr access on the root file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
    # semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmns/root [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      85140039-7264-4084-a808-8aa07508be57

Raw Audit Messages
type=AVC msg=audit(1503231116.228:160): avc: denied { getattr } for pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0

Hash: pmcd,init_t,pcp_var_lib_t,file,getattr

SELinux is preventing pmcd from getattr access on the file /var/log/pcp/pmcd/linux.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed getattr access on the linux.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
    # semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd/linux.log [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   30
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      43707352-6ec5-4905-92e7-c3dc3b44affd

Raw Audit Messages
type=AVC msg=audit(1503231116.247:168): avc: denied { getattr } for pid=1443 comm="pmcd" path="/var/log/pcp/pmcd/linux.log" dev="dm-1" ino=525838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=0

Hash: pmcd,init_t,pcp_log_t,file,getattr

SELinux is preventing pmcd from read access on the directory /var/log/pcp/pmcd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed read access on the pmcd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
    # semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      db6b609b-bc1b-4886-b6e1-d80bfa671936

Raw Audit Messages
type=AVC msg=audit(1503231116.247:169): avc: denied { read } for pid=1443 comm="pmcd" name="pmcd" dev="dm-1" ino=528316 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=dir permissive=0

Hash: pmcd,init_t,pcp_log_t,dir,read

SELinux is preventing pmcd from read access on the directory /var/lib/pcp/pmdas.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed read access on the pmdas directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
    # semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmdas [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   15
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      b2c6cd9f-ca5d-458c-91f6-10c91ff889f3

Raw Audit Messages
type=AVC msg=audit(1503231116.513:173): avc: denied { read } for pid=1763 comm="pmcd" name="pmdas" dev="dm-1" ino=528225 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0

Hash: pmcd,init_t,pcp_var_lib_t,dir,read

SELinux is preventing pmlogger_check from execute_no_trans access on the file /usr/bin/pmlogger.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmlogger_check should be allowed execute_no_trans access on the pmlogger file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'pmlogger_check' --raw | audit2allow -M my-pmloggercheck
    # semodule -X 300 -i my-pmloggercheck.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:object_r:pcp_pmlogger_exec_t:s0
Target Objects                /usr/bin/pmlogger [ file ]
Source                        pmlogger_check
Source Path                   pmlogger_check
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:43 EDT
Last Seen                     2017-08-20 08:12:01 EDT
Local ID                      c7099b4f-07e6-4d4e-9c87-5387d81ddee3

Raw Audit Messages
type=AVC msg=audit(1503231121.190:289): avc: denied { execute_no_trans } for pid=6768 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1080417 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0

Hash: pmlogger_check,pcp_pmlogger_t,pcp_pmlogger_exec_t,file,execute_no_trans

Thanks for reporting these Terry,

5/6 of these denials are already handled in the upstream policy package. I've added the remaining denial and will be pushing it upstream shortly. I've reached out to the selinux folks to see why this might be happening for the remaining denial messages.

pcp-3.12.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294

pcp-3.12.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85

pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294

pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85

pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.