1256125 – SELinux is preventing /usr/bin/pmlogger from 'open' accesses on the file /var/lib/pcp/config/pmlogger/config.default.

Bug 1256125 - SELinux is preventing /usr/bin/pmlogger from 'open' accesses on the file /var/lib/pcp/config/pmlogger/config.default.

Summary: SELinux is preventing /usr/bin/pmlogger from 'open' accesses on the file /var...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pcp
Sub Component:
Version:	22
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nathan Scott
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:ce682194be3ac878abb41cd0aed...
Duplicates (1):	1284153 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-08-24 02:58 UTC by Kazuo Moriwaka
Modified:	2016-04-06 14:55 UTC (History)
CC List:	14 users (show)
Fixed In Version:	pcp-3.10.9-1.fc23 pcp-3.10.9-1.fc22 pcp-3.11.1-1.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-06 14:55:47 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Kazuo Moriwaka 2015-08-24 02:58:04 UTC

Description of problem:
SELinux is preventing /usr/bin/pmlogger from 'open' accesses on the file /var/lib/pcp/config/pmlogger/config.default.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmlogger should be allowed open access on the config.default file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /var/lib/pcp/config/pmlogger/config.default [ file
                              ]
Source                        pmlogger
Source Path                   /usr/bin/pmlogger
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pcp-3.10.6-1.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.4-200.fc22.x86_64 #1 SMP Tue
                              Aug 4 03:22:33 UTC 2015 x86_64 x86_64
Alert Count                   159
First Seen                    2015-08-17 10:25:04 JST
Last Seen                     2015-08-24 11:55:05 JST
Local ID                      cd7bc718-fad4-4b06-8050-a8ebab4bb045

Raw Audit Messages
type=AVC msg=audit(1440384905.21:4888): avc:  denied  { open } for  pid=31681 comm="pmlogger" path="/var/lib/pcp/config/pmlogger/config.default" dev="dm-2" ino=921095 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1440384905.21:4888): arch=x86_64 syscall=open success=no exit=EACCES a0=55d3ce539010 a1=0 a2=1b6 a3=7fba74714280 items=0 ppid=27515 pid=31681 auid=985 uid=985 gid=974 euid=985 suid=985 fsuid=985 egid=974 sgid=974 fsgid=974 tty=(none) ses=334 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

Hash: pmlogger,pcp_pmlogger_t,tmp_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.4-200.fc22.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2015-08-27 17:06:28 UTC

Did you move /var/lib/pcp/config/pmlogger/config.default for /tmp?

# restorecon -R -v /var/lib/pcp/

will fix labeling. If you get it by default, please reopen the bug.

Comment 2 Kazuo Moriwaka 2015-08-28 03:01:02 UTC

I didn't touch or move /var/lib/pcp/config/pmlogger/config.default.  
I doubt some tools creates this configuration file on /tmp or /var/tmp.

I found default PCP_TMPFILE_DIR is /var/tmp.  
$ grep TMP /etc/pcp.conf
PCP_TMP_DIR=/var/lib/pcp/tmp
PCP_TMPFILE_DIR=/var/tmp

Comment 3 Lukas Vrabec 2015-11-23 14:25:13 UTC

Do you know which process creating this file?

Comment 4 Kazuo Moriwaka 2015-11-24 01:41:15 UTC

The file has header lines as following.  This seems be created by pmlogconf.

----------------------------------------
#pmlogconf 2.0
#
# pmlogger(1) config file created and updated by pmlogconf
# Auto-generated by pmlogconf on:  Mon Oct 20 18:14:10 JST 2014
#
----------------------------------------

Comment 5 Lukas Vrabec 2015-11-24 11:50:15 UTC

Guys from pcp, 
How is '/var/lib/pcp/config/pmlogger/config.default' file is created? SELinux context of this file need to be fixed by restorecon after moving from /tmp.

Comment 6 Lukas Berk 2015-11-24 15:28:44 UTC

config.default is created by the pmlogconf script during the pmlogger service startup.

The default subset of metrics that we log can change based on platform, hardware, and available/enabled pmdas.  So it's not possible to do so ahead of time (for example, at build time).

Comment 7 Nathan Scott 2015-12-14 06:40:07 UTC

Fixed upstream, will be in pcp-3.10.9 (upstream release and Fedora update expected to be done this week).

Comment 8 Nathan Scott 2015-12-14 06:53:10 UTC

*** Bug 1284153 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2015-12-17 01:55:00 UTC

pcp-3.10.9-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-d08245c076

Comment 10 Fedora Update System 2015-12-17 01:55:40 UTC

pcp-3.10.9-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-2b40815137

Comment 11 Fedora Update System 2015-12-17 02:18:26 UTC

pcp-3.10.9-1.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2ac90519bc

Comment 12 Fedora Update System 2015-12-17 10:26:52 UTC

pcp-3.10.9-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pcp'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2b40815137

Comment 13 Fedora Update System 2015-12-17 10:27:10 UTC

pcp-3.10.9-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update pcp'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-d08245c076

Comment 14 Fedora Update System 2015-12-17 12:49:17 UTC

pcp-3.10.9-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update pcp'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2ac90519bc

Comment 15 Fedora Update System 2016-01-05 21:58:07 UTC

pcp-3.10.9-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-01-05 22:54:44 UTC

pcp-3.10.9-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-02-03 03:57:06 UTC

pcp-3.11.0-1.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-57b7efb2d7

Comment 18 Fedora Update System 2016-02-03 22:17:42 UTC

pcp-3.11.0-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-57b7efb2d7

Comment 19 Fedora Update System 2016-03-22 00:17:59 UTC

pcp-3.11.1-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-5b519318e0

Comment 20 Fedora Update System 2016-04-06 14:54:12 UTC

pcp-3.11.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.