Bug 1792859
| Summary: | pmlogger SELinux issue | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | pcp | Assignee: | Nathan Scott <nathans> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Kurik <jkurik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.8 | CC: | agerstmayr, jkurik, jsantos, mgoodwin, nathans, patrickm |
| Target Milestone: | rc | Keywords: | Bugfix, Triaged |
| Target Release: | 7.9 | ||
| Hardware: | ppc64le | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pcp-4.3.2-8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 19:24:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit 0b70cb89fcc51a9d0b582f04ee1c21134bd4c624
Author: Nathan Scott <nathans>
Date: Thu Feb 20 17:14:07 2020 +1100
selinux: allow pcp_pmlogger_t access to execute setfiles on el7 ppc64le
Resolves Red Hat BZ #1792859
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: pcp security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3869 |
Description of problem: Run of pmlogger triggers a SELinux issue Version-Release number of selected component (if applicable): * How reproducible: * This issue is always reproducible on PPC64LE architecture * It is not reproducible on other supported RHEL-7.x architectures Steps to Reproduce: 1. Install RHEL-7.7 (or the latest build of RHEL-7.8) on PPC64LE architecture 2. Install pcp # yum install -y pcp 3. Start pmlogger service # systemctl start pmlogger Actual results: * An AVC issue is reported type=AVC msg=audit(1579509798.199:106): avc: denied { execute } for pid=9634 comm="pmlogger_daily" name="setfiles" dev="dm-0" ino=34500334 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0 type=AVC msg=audit(1579271450.951:117): avc: denied { fowner } for pid=20309 comm="xz" capability=3 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0 #============= pcp_pmlogger_t ============== allow pcp_pmlogger_t setfiles_exec_t:file execute; Expected results: * No AVC issues observed Additional info: IMO this is a follow-up (or a re-occurrence) of bz1394199 and bz1697808