Bug 1714101

Summary: RHEL 7.7 PCP Upgrade issues
Product: Red Hat Enterprise Linux 7
Reporter: Marko Myllynen <myllynen>
Component: pcp
Assignee: Nathan Scott <nathans>
Status: CLOSED ERRATA
QA Contact: Jan Kurik <jkurik>
Severity: urgent
Priority: urgent
Version: 7.7
CC: agerstmayr, chorn, cww, jkurik, klaas, lberk, mcermak, mgoodwin, mkolar, mnewsome, nathans, ofalk, patrickm, peter.vreman, phil.randal, pholica, rhayden, sbroz, snejoshi, yuokada
Target Milestone: rc
Keywords: PrioBumpGSS, Reopened, ZStream
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text: No Doc Update
Clone Of:
: 1730206 1777676 1781692 1782198
Last Closed: 2020-03-31 19:09:14 UTC
Type: Bug
Bug Blocks: 1122832, 1670353, 1777676, 1781692, 1782198

Description Marko Myllynen 2019-05-27 06:44:21 UTC
Description of problem:
Upgrading to latest RHEL 7 PCP package pcp-4.3.2-2.el7 gives several issues.

1) During installation/upgrade of pcp-selinux:

Updating / installing...
   1:pcp-selinux-4.3.2-2.el7          ################################# [100%]
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/pcpupstream/cil:83
semodule:  Failed!

On dmesg we see these corresponding messages:

[  141.461377] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.493590] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.512245] SELinux:  8 users, 14 roles, 5036 types, 318 bools, 1 sens, 1024 cats
[  141.512248] SELinux:  129 classes, 112449 rules
[  141.515473] SELinux:  Class bpf not defined in policy.
[  141.515474] SELinux: the above unknown classes and permissions will be allowed

2) pmie_check.service is for some reason static unlike other PCP services:

pmie_check.service                            static
pmlogger_check.service                        disabled

Not sure which one is correct, but since everything else is non-static, perhaps change pmie_check.service to be so as well.

3) Stopping PCP services takes a few seconds but this is probably still within a tolerable range so could be left as is:

# time systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy
systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy  0.02s user 0.04s system 1% cpu 4.329 total

4) There are now tons of PCP SELinux AVCs (I haven't investigated these in detail, many of them are probably fixed in upstream already):

type=AVC msg=audit(1558891535.522:72): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=28939 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:74): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute } for  pid=6111 comm="sh" name="ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { read open } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute_no_trans } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { read } for  pid=6057 comm="python" name="libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { open } for  pid=6057 comm="python" path="/etc/libvirt/libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.663:78): avc:  denied  { connectto } for  pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { read } for  pid=6614 comm="pmproxy" name="disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { open } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:104): avc:  denied  { getattr } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.655:108): avc:  denied  { read } for  pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { read } for  pid=6785 comm="runlevel" name="utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { open } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:110): avc:  denied  { lock } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:111): avc:  denied  { execute } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:112): avc:  denied  { read } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { open } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { execute_no_trans } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.872:114): avc:  denied  { read } for  pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.100:116): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:118): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:123): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:125): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891544.699:126): avc:  denied  { read } for  pid=21608 comm="pmlogger" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:127): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:129): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891583.480:170): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=37944 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1558891583.481:171): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=9211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1558891583.481:172): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.112:173): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:175): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.572:188): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:190): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891605.092:192): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
pcp-4.3.2-2.el7
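
An added example (not part of the original report, nor PCP or Red Hat code): the AVC flood in item 4 collapses to a few distinct source-domain / target-type / class tuples, which is the unit a policy fix is reviewed in. The six sample records are copied from the report above; `summarize`, `report` and the `blocked` counter are hypothetical names chosen here.

```python
import re
from collections import defaultdict

# Sample input: six AVC records copied from the report above.
SAMPLE = """\
type=AVC msg=audit(1558891535.522:73): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:74): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.663:78): avc:  denied  { connectto } for  pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1558891536.655:108): avc:  denied  { read } for  pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.872:114): avc:  denied  { read } for  pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source domain, target type, object class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(),
                                 "count": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, or a wrapped/truncated record
        entry = rules[(selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        entry["count"] += 1
        # permissive=1: the access was logged but still allowed
        if m["permissive"] != "1":
            entry["blocked"] += 1
    return dict(rules)

def report(rules):
    """One triage line per distinct tuple, most frequent first."""
    ordered = sorted(rules.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return ["%s -> %s:%s { %s } x%d blocked=%d comm=%s" % (
                src, tgt, cls, " ".join(sorted(e["perms"])), e["count"],
                e["blocked"], ",".join(sorted(e["comms"])))
            for (src, tgt, cls), e in ordered]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

Every record in the report carries `permissive=1`, so `blocked` stays at 0: the accesses were logged but not denied, and the same tuples would become hard failures in an enforcing domain.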

Comment 6 Nathan Scott 2019-06-04 00:44:56 UTC
I believe a PCP rebuild adding dependencies matching latest 7.7 selinux policy should resolve this.

Comment 18 Nathan Scott 2019-06-27 07:21:56 UTC
*** Bug 1724074 has been marked as a duplicate of this bug. ***

Comment 19 Klaas Demter 2019-08-07 09:10:31 UTC
This is creating an error message during every rhel 7.7 update where pcp is installed.

Comment 20 Phil Randal 2019-08-07 12:21:24 UTC
Before attempting to update to 7.7

yum update selinux-policy

If the update's on a schedule, and you couldn't intervene in time,

yum reinstall pcp-selinux

after the update to 7.7 should fix it

Comment 41 errata-xmlrpc 2020-03-31 19:09:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0994