Bug 1603596

Summary: The GFS2 PCP PMDA is denied access to debugfs
Product: Red Hat Enterprise Linux 7
Reporter: Andrew Price <anprice>
Component: pcp
Assignee: Lukas Berk <lberk>
Status: CLOSED ERRATA
QA Contact: Michal Kolar <mkolar>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: brolley, fche, gfs2-maint, lberk, lvrabec, mgoodwin, mgrepl, mkolar, mmalik, nathans, pevans, plautrba, ssekidde, swhiteho, tbowling
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 09:40:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrew Price 2018-07-19 17:18:44 UTC
[root@qe-c01-m01 ~]# rpm -q selinux-policy pcp-pmda-gfs2
selinux-policy-3.13.1-207.el7.noarch
pcp-pmda-gfs2-4.1.0-2.el7.s390x
[root@qe-c01-m01 ~]# uname -r
3.10.0-924.el7.s390x
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total

gfs2.glocks.total
No value(s) available!
[root@qe-c01-m01 ~]# setenforce permissive
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total

gfs2.glocks.total
    inst [0 or "s390-cluster1:s390-cluster10"] value 130
    inst [1 or "s390-cluster1:s390-cluster11"] value 130
    inst [2 or "s390-cluster1:s390-cluster12"] value 130
[root@qe-c01-m01 ~]# setenforce enforcing
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total

gfs2.glocks.total
No value(s) available!
[root@qe-c01-m01 ~]# aureport -a | tail
47247. 19/07/18 13:00:12 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39752
47248. 19/07/18 13:00:25 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39755
47249. 19/07/18 13:00:35 in:imjournal system_u:system_r:syslogd_t:s0 5 file write system_u:object_r:unlabeled_t:s0 denied 39756
47250. 19/07/18 13:01:01 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 39760
47251. 19/07/18 13:01:01 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 39761
47252. 19/07/18 13:13:42 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39774
47253. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file read system_u:object_r:debugfs_t:s0 denied 39775
47254. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39775
47255. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 108 file getattr system_u:object_r:debugfs_t:s0 denied 39776
47256. 19/07/18 13:13:50 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39778

Comment 2 Andrew Price 2018-07-19 17:47:20 UTC
Paul Evans tells me that this is fixed in upstream pcp, as it has its own policy package, but the patch isn't in RHEL7 yet. Changing component accordingly.

Comment 3 Steve Whitehouse 2018-08-24 12:08:06 UTC
Hi Lukas, is it possible to get this fixed for 7.6?

Comment 4 Nathan Scott 2018-08-27 22:24:47 UTC
Hi Steve,

Lukas is on PTO for the next little while, so I'll answer here.  It may be too late in the release cycle for 7.6, but we can certainly try - it's not a problem to backport selinux fixes from an engr POV (very low risk change).  I've set the devel-ack flag, let's see what the PM & QE folk say.

cheers.

Comment 5 Steve Whitehouse 2018-08-28 08:52:29 UTC
If we cannot fix it (which would be my preferred solution) it will at least need a release note, since it is not usable with selinux without this. I know it is late in the cycle now, but it was picked up as an issue some time ago, and as you mention it should be a low risk change.

Comment 6 Paul Evans 2018-08-28 09:32:12 UTC
Hi Nathan, Steve,

The fix with the required additional selinux permissions has been merged upstream since 25th July (and was tested against RHEL 7 with SELinux enabled) with the following commit:

5ca37da22a907af28e5f977bf10fa28704bb5f68 - selinux: pmdagfs2 add additional required rule

Cheers,

Paul

Comment 8 Michal Kolar 2018-09-05 09:55:07 UTC
Patch is successfully applied but reported selinux denials should be covered by
'allow pcp_pmcd_t debugfs_t:file { getattr open read };' rule which is already present in pcp-4.1.0-2.el7.

Comment 9 Paul Evans 2018-09-05 10:11:55 UTC
Hi Michal, Nathan,

Patch adds both:

'allow pcp_pmcd_t debugfs_t:dir { search };' and
'allow pcp_pmcd_t debugfs_t:file { write };'

which are additional to pcp-4.1.0-2.el7.

These extra components to the rules are needed by the PMDA on startup to enable the kernel tracepoints.

Cheers,

Paul
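Added example (not code from this bug, from PCP or from the RHEL selinux-policy package): a POSIX sh/awk script that does in miniature what audit2allow does, turning the `aureport -a` lines quoted in the description into candidate `allow` rules, so the denials can be compared against the rule Michal quotes in comment 8 and the two extra rules Paul lists in comment 9. The sample input is copied from the description and embedded as a constructed variable so the script runs offline; the function names `denials_to_rules` and `rules_for_source` are this example's own.

```shell
#!/bin/sh
# Added example: derive candidate SELinux allow rules from `aureport -a` output.
# Not part of the bug, PCP or selinux-policy; mirrors what audit2allow does in spirit.

# Constructed sample: the aureport lines from the bug description, copied verbatim.
# Field layout (whitespace separated):
#  1 num  2 date  3 time  4 comm  5 scontext  6 syscall  7 class  8 perm
#  9 tcontext  10 result  11 event
AUREPORT_SAMPLE='47247. 19/07/18 13:00:12 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39752
47248. 19/07/18 13:00:25 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39755
47249. 19/07/18 13:00:35 in:imjournal system_u:system_r:syslogd_t:s0 5 file write system_u:object_r:unlabeled_t:s0 denied 39756
47253. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file read system_u:object_r:debugfs_t:s0 denied 39775
47254. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39775
47255. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 108 file getattr system_u:object_r:debugfs_t:s0 denied 39776'

# denials_to_rules: read `aureport -a` lines on stdin and print one
#   allow <source_type> <target_type>:<class> { perm ... };
# per (source, target, class) triple, permissions deduplicated and sorted.
# Rows whose result is not "denied" (the "(null) ... unset" rows) are skipped.
denials_to_rules() {
    awk '
    $10 == "denied" {
        split($5, s, ":"); split($9, t, ":")      # user:role:TYPE:level
        key = s[3] " " t[3] ":" $7
        if (!((key, $8) in seen)) {
            seen[key, $8] = 1
            perms[key] = perms[key] " " $8
        }
    }
    END {
        for (k in perms) {
            n = split(substr(perms[k], 2), p, " ")
            # insertion sort the permission names so output is deterministic
            for (i = 2; i <= n; i++) {
                v = p[i]; j = i - 1
                while (j > 0 && p[j] > v) { p[j + 1] = p[j]; j-- }
                p[j + 1] = v
            }
            line = "allow " k " {"
            for (i = 1; i <= n; i++) line = line " " p[i]
            print line " };"
        }
    }' | sort
}

# rules_for_source: same as above, restricted to one source domain, so that
# unrelated denials on the host (syslogd_t here) do not leak into a PMDA policy.
rules_for_source() {
    denials_to_rules | grep "^allow $1 "
}

# Usage: rules the logged denials ask for, for the pmcd domain only.
printf '%s\n' "$AUREPORT_SAMPLE" | rules_for_source pcp_pmcd_t
```

Run against the description's lines this yields exactly `allow pcp_pmcd_t debugfs_t:file { getattr open read };`, the rule comment 8 says pcp-4.1.0-2.el7 already carries; the `dir search` and `file write` permissions from comment 9 do not appear in the logged denials at all. The unrelated `syslogd_t unlabeled_t:file write` row is the usual caution with generated rules: a denial on `unlabeled_t` points at a labelling problem to fix with `restorecon`, not at a rule to add. On a live RHEL system with setools installed, `sesearch -A -s pcp_pmcd_t -t debugfs_t -c dir -p search` shows whether the loaded policy already grants a given rule before it is added.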

Comment 10 Michal Kolar 2018-09-06 10:54:18 UTC
Verified against pcp-4.1.0-4.el7. Did not reproduce because of comment 8.

Comment 12 errata-xmlrpc 2018-10-30 09:40:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3095