Bug 1601721
| Summary: | SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | biakymet |
| Component: | pcp | Assignee: | Lukas Berk <lberk> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | devin, dwalsh, edward.lara.lara, fche, lberk, lvrabec, mgoodwin, mgrepl, michel, nathans, pcp-maint, plautrba, scox, th.neuber |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:d51e8b50d28632d6e19a8d2027d56f33cb3d4339d44ef40a4479fd4d48f90c1d;VARIANT_ID=workstation; | | |
| Fixed In Version: | pcp-4.3.0-1.fc29 pcp-4.3.0-2.fc28 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-12-24 06:07:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Seeing it on Fedora 29 too (nvidia driver from negativo17 if that's relevant)

Hi,

Sorry, this seems to have slipped through the cracks, it's been fixed upstream in commit:

commit 3e6e622a12d6bf80202e2446971ad531f2b4eea1
Author: Lukas Vrabec <lvrabec>
Date: Wed Nov 21 23:28:39 2018 +0100

It'll make it into the next spin of PCP

This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

pcp-4.3.0-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19

pcp-4.3.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e

pcp-4.3.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e

pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19

pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Hello,
I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for pcp. I have these packages:
pcp-4.3.0-1.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch
Thank you
here are a couple of the reports:
SELinux is preventing pmdalinux from 'unix_read' accesses on the semaphore labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should be allowed unix_read access on sem labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ sem ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count 208
First Seen 2018-12-25 18:42:50 EST
Last Seen 2018-12-25 19:01:02 EST
Local ID 950734ae-231c-40fc-8674-532bbec5f910
Raw Audit Messages
type=AVC msg=audit(1545782462.243:6563): avc: denied { unix_read } for pid=44827 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
Hash: pmdalinux,pcp_pmcd_t,httpd_t,sem,unix_read
====
SELinux is preventing pmdalinux from 'read' accesses on the file /usr/sbin/mdadm.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:object_r:mdadm_exec_t:s0
Target Objects /usr/sbin/mdadm [ file ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages mdadm-4.1-rc2.0.2.fc29.x86_64
Policy RPM selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count 78
First Seen 2018-12-25 18:42:50 EST
Last Seen 2018-12-25 19:01:02 EST
Local ID 92818fff-5715-4c2d-b692-7e8caa27d7fc
Raw Audit Messages
type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
Hash: pmdalinux,pcp_pmcd_t,mdadm_exec_t,file,read
===
SELinux is preventing pmdalinux from 'search' accesses on the directory /proc/fs/nfsd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should be allowed search access on the nfsd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:object_r:nfsd_fs_t:s0
Target Objects /proc/fs/nfsd [ dir ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count 71
First Seen 2018-12-25 18:42:50 EST
Last Seen 2018-12-25 19:02:02 EST
Local ID cb85b1a0-56e3-4c8f-a4a0-bd524ae6f8bb
Raw Audit Messages
type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
Hash: pmdalinux,pcp_pmcd_t,nfsd_fs_t,dir,search
pcp-4.3.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78

pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78

pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Hi Eduardo,

(In reply to Eduardo from comment #9)
> I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for
> pcp. I have these packages:
> pcp-4.3.0-1.fc29.x86_64
> selinux-policy-3.14.2-44.fc29.noarch

Sorry to hear that, thanks for reporting it (because the original bug was fixed upstream, the fedora update system will continue to mark this as closed because the bug is filed in errata).

>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that pmdalinux should be allowed unix_read access on sem
> labeled httpd_t by default.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6563): avc: denied { unix_read } for
> pid=44827 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
[...]
> SELinux is preventing pmdalinux from 'read' accesses on the file
> /usr/sbin/mdadm.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for
> pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
[...]
> SELinux is preventing pmdalinux from 'search' accesses on the directory
> /proc/fs/nfsd.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for
> pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

I'm not able to reproduce a single one of these AVC's. Each is marked as 'would be allowed by active policy' by audit2allow.

What version of pcp-selinux do you have installed?
$ rpm -q pcp-selinux

Is the upstream pcp policy active?
$ sudo semodule --list=full | grep pcpupstream

Thanks

Hi Lukas,

After the pcp-4.3.0-2.fc28 update the issue is gone.

Thank you for following up,
Eduardo
Description of problem:
Install new updates. Restart computer. It started to happen.

SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should be allowed unix_read access on the Unknown shm by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:system_r:iscsid_t:s0
Target Objects Unknown [ shm ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-283.35.fc27.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.17.5-100.fc27.x86_64 #1 SMP Mon Jul 9 19:04:45 UTC 2018 x86_64 x86_64
Alert Count 30
First Seen 2018-07-17 07:38:37 CEST
Last Seen 2018-07-17 07:44:37 CEST
Local ID 1d27b896-36b4-401f-8201-98a82a657a69
Raw Audit Messages
type=AVC msg=audit(1531806277.341:312): avc: denied { unix_read } for pid=2349 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=shm permissive=0
Hash: pmdalinux,pcp_pmcd_t,iscsid_t,shm,unix_read

Version-Release number of selected component:
selinux-policy-3.13.1-283.35.fc27.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.17.5-100.fc27.x86_64
type: libreport
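The reports in this bug all end with a setroubleshoot "Hash:" line (comm, source type, target type, class, permission), and the maintainer's triage step was to feed the raw records to audit2allow and check whether the active policy already covers them. The script below is an added example written for this page, not code from PCP, setroubleshoot or the Fedora policy: it parses raw `type=AVC` records, rebuilds the same hash tuple, counts enforced denials per tuple, and renders each one as the `allow` rule audit2allow would draft so it can be compared against the shipped pcp-selinux module before any local module is installed. The sample input is the three AVC lines quoted in comment #9 plus a constructed repeat of the nfsd line and a constructed `type=SYSCALL` record to show that non-AVC records are skipped.

```python
"""Summarize raw SELinux AVC records the way setroubleshoot's "Hash:" line
does, so repeated denials can be triaged before reaching for audit2allow.
Added example for this bug page; not part of PCP or setroubleshoot."""
import re
from collections import Counter

# Sample input: the three AVC lines quoted in this bug, a constructed
# duplicate of the nfsd line (to show counting) and a constructed SYSCALL
# record (to show that other audit types are ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1545782462.243:6563): avc: denied { unix_read } for pid=44827 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1545782462.243:6563): arch=c000003e syscall=2 success=no exit=-13 comm="pmdalinux"
"""

# Header of an AVC record: timestamp:serial, verdict and the braced permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values are either quoted or a run of non-blanks
# (SELinux contexts contain colons, so \S+ rather than \w+).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """user:role:type[:range] -> type (always the third colon-separated field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def denial_hashes(rec):
    """One setroubleshoot-style tuple per denied permission:
    comm,source type,target type,class,permission."""
    return [
        ",".join([rec.get("comm", "?"), selinux_type(rec["scontext"]),
                  selinux_type(rec["tcontext"]), rec["tclass"], perm])
        for perm in rec["perms"]
    ]


def summarize(audit_text, enforced_only=True):
    """Count denials per hash tuple over raw audit output (e.g. from
    `ausearch -m AVC --raw`). permissive=0 means the access was really blocked;
    permissive=1 records are informational and skipped by default."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if enforced_only and rec.get("permissive") != "0":
            continue
        counts.update(denial_hashes(rec))
    return counts


def draft_rules(counts):
    """Render each tuple as the TE allow rule audit2allow would propose, for
    review against the installed policy rather than blind installation."""
    rules = set()
    for h in counts:
        _comm, stype, ttype, tclass, perm = h.split(",")
        rules.add(f"allow {stype} {ttype}:{tclass} {perm};")
    return sorted(rules)


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT)
    for h, n in counts.most_common():
        print(f"{n:4d}  {h}")
    print("\n".join(draft_rules(counts)))
```

Feeding real output from `ausearch -c 'pmdalinux' --raw` into `summarize` gives the same three tuples the reports show; if `semodule --list=full | grep pcpupstream` shows the upstream PCP module active and audit2allow reports the rules as already allowed, a lingering count points at a stale policy build rather than a missing rule.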