Bug 1655813

Summary: SELinux is preventing pmdalinux from unix_read access and 'getattr, associate' accesses
Product: [Fedora] Fedora
Reporter: Louis van Dyk <louis>
Component: pcp
Assignee: Nathan Scott <nathans>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: brolley, dwalsh, fche, lberk, lvrabec, mgoodwin, mgrepl, nathans, plautrba, scox, suren
Last Closed: 2019-03-05 04:56:17 UTC
Type: Bug
Attachments:
Output of: ausearch -c 'pmdalinux' --raw (flags: none)

Description Louis van Dyk 2018-12-04 01:46:08 UTC
Created attachment 1511160
Output of: ausearch -c 'pmdalinux' --raw

Description of problem:

After upgrading from F28 to F29 I am getting hundreds of SEAlerts.  The plugin line shows:

SELinux is preventing pmdalinux from 'getattr, associate' accesses on the shared memory labeled unconfined_service_t
SELinux is preventing pmdalinux from unix_read access on the shared memory labeled unconfined_service_t
SELinux is preventing pmdalinux from 'getattr, associate' accesses on the semaphore labeled initrc_t.
SELinux is preventing pmdalinux from unix_read access on the semaphore labeled initrc_t.

I haven't done anything to set up (or even install) pcp, which runs this pmdalinux.


Version-Release number of selected component (if applicable):
# rpm -q --whatprovides /var/lib/pcp/pmdas/linux/pmdalinux
pcp-4.2.0-1.fc29.x86_64

selinux-policy-3.14.2-42.fc29.noarch


How reproducible:
The error is constantly appearing


Steps to Reproduce:
1.  I guess upgrade from F28 to F29?
2.  Reboot


Actual results:
See attached output of ausearch -c 'pmdalinux' --raw

Expected results:
This didn't happen in F28 so it shouldn't happen now.

Additional info:

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                Unknown [ sem ]
Source                        pmdalinux
Source Path                   pmdalinux
      ... and ...
Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ shm ]
Source                        pmdalinux
Source Path                   pmdalinux
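
A triage sketch for the kind of ausearch -c 'pmdalinux' --raw output attached to this report, added here as an example and not part of the original bug or of PCP's policy fix: it groups AVC denials by source type, target type and object class, and renders each group in allow-rule syntax so it can be compared against the installed policy. The sample records are constructed (timestamps, serials, pids and the example_t record are made up; contexts and permissions follow the report), and the names summarize, as_rules and se_type are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the bug's attachment.
SAMPLE = """\
type=AVC msg=audit(1543880000.101:901): avc:  denied  { unix_read } for  pid=2001 comm="pmdalinux" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=sem permissive=0
type=AVC msg=audit(1543880000.102:902): avc:  denied  { getattr associate } for  pid=2001 comm="pmdalinux" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=sem permissive=0
type=AVC msg=audit(1543880000.103:903): avc:  denied  { unix_read } for  pid=2001 comm="pmdalinux" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=0
type=AVC msg=audit(1543880000.104:904): avc:  denied  { getattr associate } for  pid=2001 comm="pmdalinux" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=0
type=AVC msg=audit(1543880000.105:905): avc:  denied  { read } for  pid=2005 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1543880000.105:905): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(raw, comm=None):
    """Group denials by (source type, target type, class).

    Returns {(stype, ttype, tclass): {"perms": set, "count": int}}.
    Non-AVC records and, if comm is given, other commands are skipped.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["count"] += 1
    return dict(groups)

def as_rules(groups):
    """Render each group in allow-rule syntax, for review against the policy."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(groups.items())
    ]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE, comm="pmdalinux")):
        print(rule)
```

Collapsing hundreds of alerts this way shows that the report reduces to two distinct type pairs, one per IPC object class.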

Comment 1 Lukas Vrabec 2018-12-12 15:35:48 UTC
This should be fixed with my fix in pcp upstream policy. 

https://github.com/wrabcak/pcp/commit/3e6e622a12d6bf80202e2446971ad531f2b4eea1

Comment 2 Louis van Dyk 2018-12-13 23:45:44 UTC
When will the above mentioned fix be available in the repo?

Comment 3 Lukas Berk 2018-12-17 15:39:29 UTC
Louis, PCP's next release is slated for Dec 21st, and this change will be included in that release as it ships.

Comment 4 Nathan Scott 2019-03-05 04:56:17 UTC
This is resolved by a recent PCP update (4.3.1).