Bug 1655282
| Summary: | SELinux is preventing pmdalinux from using the 'ipc_owner' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Susi Lehtola <susi.lehtola> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 29 | CC: | dwalsh, jblat23, lvrabec, mgrepl, mszpak, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:41ec6d4b85622791cc5f964d19232272297fb4273ae8066af3395e4bcd6de541;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.14.2-46.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-01-17 02:16:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Also installed is pcp-selinux-4.2.0-1.fc29.x86_64 commit 7b8db99bf6e3163c64754cea624fce74707c1325 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Wed Dec 19 16:27:44 2018 +0100
Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
I observe it also in pcp-4.3.0-2.fc29.x86_64 - the latest version available in koji. @Lukas Do you plan to release the new version anytime soon? I wanted to apply the change locally, but I can't find this commit in https://src.fedoraproject.org/cgit/rpms/pcp.git/ and https://github.com/performancecopilot/pcp . Confirmed here too.
Upgrade from 28 to 29_64 now results in nonstop selinux AVC denial warnings.
SELinux is preventing pmdalinux from using the ipc_owner capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pmdalinux should have the ipc_owner capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:system_r:pcp_pmcd_t:s0
Target Objects Unknown [ capability ]
Source pmdalinux
Source Path pmdalinux
Port <Unknown>
Host jonnyslaptop-localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jonnyslaptop-localdomain
Platform Linux jonnyslaptop-localdomain
4.19.13-300.fc29.x86_64 #1 SMP Sat Dec 29 22:54:28
UTC 2018 x86_64 x86_64
Alert Count 223
First Seen 2019-01-07 19:26:39 EST
Last Seen 2019-01-07 20:08:00 EST
Local ID 21b0832f-4aa7-4038-8c38-dd48a0ea1a7b
Raw Audit Messages
type=AVC msg=audit(1546909680.8:897): avc: denied { ipc_owner } for pid=1687 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
Hash: pmdalinux,pcp_pmcd_t,pcp_pmcd_t,capability,ipc_owner
Cheers,
Jon
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61 selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61 selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: I upgraded from Fedora 28 to Fedora 29, and started experiencing a huge number of these warnings. SELinux is preventing pmdalinux from using the 'ipc_owner' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmdalinux should have the ipc_owner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux # semodule -X 300 -i my-pmdalinux.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:system_r:pcp_pmcd_t:s0 Target Objects Unknown [ capability ] Source pmdalinux Source Path pmdalinux Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-42.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.19.5-300.fc29.x86_64 #1 SMP Tue Nov 27 19:29:23 UTC 2018 x86_64 x86_64 Alert Count 14294 First Seen 2018-12-01 17:37:19 EET Last Seen 2018-12-02 12:51:10 EET Local ID 805b61d1-bf8d-4a41-935b-b974dfcee4be Raw Audit Messages type=AVC msg=audit(1543747870.318:637): avc: denied { ipc_owner } for pid=4897 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 Hash: pmdalinux,pcp_pmcd_t,pcp_pmcd_t,capability,ipc_owner Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.5-300.fc29.x86_64 type: libreport