Bug 1483320

Summary: SELinux is preventing logger from read access on the lnk_file log
Product: [Fedora] Fedora
Reporter: Terry Bowling <tbowling>
Component: pcp
Assignee: Lukas Berk <lberk>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 26
CC: brolley, fche, lberk, mgoodwin, nathans, pcp
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: pcp-3.12.2-1.fc26 pcp-3.12.2-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-09 22:23:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Terry Bowling 2017-08-20 12:21:33 UTC
Description of problem:

The setroubleshooter is guiding how to resolve this, but since this is with a default install, we probably should not put the burden of understanding and resolving this on end users as it reduces end user confidence in using both pcp and selinux.


SELinux is preventing logger from read access on the lnk_file log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that logger should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logger' --raw | audit2allow -M my-logger
# semodule -X 300 -i my-logger.pp

Additional Information:
Source Context system_u:system_r:pcp_pmlogger_t:s0
Target Context system_u:object_r:devlog_t:s0
Target Objects log [ lnk_file ]
Source logger
Source Path logger
Port
Host tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name tbowling.localdomain
Platform Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
#1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count 10
First Seen 2017-08-11 11:16:43 EDT
Last Seen 2017-08-20 08:13:54 EDT
Local ID 4920543c-0ab4-4119-aa26-e48930f0cadb

Raw Audit Messages
type=AVC msg=audit(1503231234.86:337): avc: denied { read } for pid=11626 comm="logger" name="log" dev="devtmpfs" ino=12576 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0


Hash: logger,pcp_pmlogger_t,devlog_t,lnk_file,read




Version-Release number of selected component (if applicable):

[tbowling@tbowling ~]$ rpm -qa |grep pcp
pcp-pmda-bonding-3.11.10-1.fc26.x86_64
pcp-libs-3.11.10-1.fc26.x86_64
cockpit-pcp-147-1.fc26.x86_64
pcp-3.11.10-1.fc26.x86_64
pcp-import-collectl2pcp-3.11.10-1.fc26.x86_64
pcp-pmda-mysql-3.11.10-1.fc26.x86_64
pcp-pmda-dm-3.11.10-1.fc26.x86_64
pcp-doc-3.11.10-1.fc26.noarch
pcp-conf-3.11.10-1.fc26.x86_64
pcp-selinux-3.11.10-1.fc26.x86_64
pcp-pmda-postgresql-3.11.10-1.fc26.x86_64



Comment 1 Terry Bowling 2017-08-20 12:23:56 UTC
Similar related messages

SELinux is preventing pmcd from getattr access on the file /var/lib/pcp/pmns/root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmcd should be allowed getattr access on the root file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmns/root [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      85140039-7264-4084-a808-8aa07508be57

Raw Audit Messages
type=AVC msg=audit(1503231116.228:160): avc:  denied  { getattr } for  pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0


Hash: pmcd,init_t,pcp_var_lib_t,file,getattr

Comment 2 Terry Bowling 2017-08-20 12:24:27 UTC
SELinux is preventing pmcd from getattr access on the file /var/lib/pcp/pmns/root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmcd should be allowed getattr access on the root file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmns/root [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      85140039-7264-4084-a808-8aa07508be57

Raw Audit Messages
type=AVC msg=audit(1503231116.228:160): avc:  denied  { getattr } for  pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0


Hash: pmcd,init_t,pcp_var_lib_t,file,getattr

Comment 3 Terry Bowling 2017-08-20 12:24:54 UTC
SELinux is preventing pmcd from getattr access on the file /var/log/pcp/pmcd/linux.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmcd should be allowed getattr access on the linux.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd/linux.log [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   30
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      43707352-6ec5-4905-92e7-c3dc3b44affd

Raw Audit Messages
type=AVC msg=audit(1503231116.247:168): avc:  denied  { getattr } for  pid=1443 comm="pmcd" path="/var/log/pcp/pmcd/linux.log" dev="dm-1" ino=525838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=0


Hash: pmcd,init_t,pcp_log_t,file,getattr

Comment 4 Terry Bowling 2017-08-20 12:25:28 UTC
SELinux is preventing pmcd from read access on the directory /var/log/pcp/pmcd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmcd should be allowed read access on the pmcd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      db6b609b-bc1b-4886-b6e1-d80bfa671936

Raw Audit Messages
type=AVC msg=audit(1503231116.247:169): avc:  denied  { read } for  pid=1443 comm="pmcd" name="pmcd" dev="dm-1" ino=528316 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=dir permissive=0


Hash: pmcd,init_t,pcp_log_t,dir,read

Comment 5 Terry Bowling 2017-08-20 12:25:48 UTC
SELinux is preventing pmcd from read access on the directory /var/lib/pcp/pmdas.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmcd should be allowed read access on the pmdas directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmdas [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   15
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      b2c6cd9f-ca5d-458c-91f6-10c91ff889f3

Raw Audit Messages
type=AVC msg=audit(1503231116.513:173): avc:  denied  { read } for  pid=1763 comm="pmcd" name="pmdas" dev="dm-1" ino=528225 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0


Hash: pmcd,init_t,pcp_var_lib_t,dir,read

Comment 6 Terry Bowling 2017-08-20 12:26:20 UTC
SELinux is preventing pmlogger_check from execute_no_trans access on the file /usr/bin/pmlogger.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmlogger_check should be allowed execute_no_trans access on the pmlogger file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmlogger_check' --raw | audit2allow -M my-pmloggercheck
# semodule -X 300 -i my-pmloggercheck.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:object_r:pcp_pmlogger_exec_t:s0
Target Objects                /usr/bin/pmlogger [ file ]
Source                        pmlogger_check
Source Path                   pmlogger_check
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages           
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64
                              #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:43 EDT
Last Seen                     2017-08-20 08:12:01 EDT
Local ID                      c7099b4f-07e6-4d4e-9c87-5387d81ddee3

Raw Audit Messages
type=AVC msg=audit(1503231121.190:289): avc:  denied  { execute_no_trans } for  pid=6768 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1080417 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0


Hash: pmlogger_check,pcp_pmlogger_t,pcp_pmlogger_exec_t,file,execute_no_trans
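
Added example, not part of the bug report and not code from PCP or the SELinux tools: a small parser that groups the raw AVC records quoted above into the allow rules a local module built from them would have to contain, and flags rules whose source domain is shared by many processes. The function names and the BROAD_DOMAINS set are assumptions of this example.

```python
import re
from collections import defaultdict

# Raw AVC records copied from this bug report (one per distinct denial).
AVC_LOG = '''
type=AVC msg=audit(1503231234.86:337): avc: denied { read } for pid=11626 comm="logger" name="log" dev="devtmpfs" ino=12576 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1503231116.228:160): avc:  denied  { getattr } for  pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1503231116.247:168): avc:  denied  { getattr } for  pid=1443 comm="pmcd" path="/var/log/pcp/pmcd/linux.log" dev="dm-1" ino=525838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1503231116.247:169): avc:  denied  { read } for  pid=1443 comm="pmcd" name="pmcd" dev="dm-1" ino=528316 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1503231116.513:173): avc:  denied  { read } for  pid=1763 comm="pmcd" name="pmdas" dev="dm-1" ino=528225 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1503231121.190:289): avc:  denied  { execute_no_trans } for  pid=6768 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1080417 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

# Domains shared by many processes; choosing init_t is an assumption of this
# example (on Fedora it is the domain systemd itself runs in).
BROAD_DOMAINS = {"init_t"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def group_denials(log):
    """Map (source type, target type, class) -> {"perms": set, "comms": set}."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for m in AVC_RE.finditer(log):
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        grouped[key]["perms"].update(m["perms"].split())
        grouped[key]["comms"].add(m["comm"])
    return grouped

def candidate_rules(grouped):
    """Render the allow rules a local module built from these records would need."""
    out = []
    for (src, tgt, cls), info in sorted(grouped.items()):
        perms = sorted(info["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def broad_grants(grouped):
    """List (command, source type) pairs whose rule would widen a shared domain."""
    return sorted({(c, k[0]) for k, v in grouped.items()
                   if k[0] in BROAD_DOMAINS for c in v["comms"]})

if __name__ == "__main__":
    g = group_denials(AVC_LOG)
    print("\n".join(candidate_rules(g)))
    for comm, dom in broad_grants(g):
        print(f"review: {comm} ran as {dom}; the rule would apply to every {dom} process")
```

Four of the six rules have init_t as their source, so a local my-pmcd module built from these records would grant the access to everything running in that domain, not only to pmcd.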

Comment 7 Lukas Berk 2017-08-21 15:02:05 UTC
Thanks for reporting these Terry,

5/6 of these denials are already handled in the upstream policy package.  I've added the remaining denial and will be pushing it upstream shortly.  I've reached out to the selinux folks to see why this might be happening for the remaining denial messages.

Comment 8 Fedora Update System 2017-10-19 13:20:40 UTC
pcp-3.12.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294

Comment 9 Fedora Update System 2017-10-19 13:21:31 UTC
pcp-3.12.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85

Comment 10 Fedora Update System 2017-10-19 19:53:48 UTC
pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294

Comment 11 Fedora Update System 2017-10-21 19:26:24 UTC
pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85

Comment 12 Fedora Update System 2017-12-09 22:23:07 UTC
pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2018-01-23 21:42:48 UTC
pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.