Description of problem: SELinux is preventing /usr/bin/pmlogger from 'open' accesses on the file /var/lib/pcp/config/pmlogger/config.default. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmlogger should be allowed open access on the config.default file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmp_t:s0 Target Objects /var/lib/pcp/config/pmlogger/config.default [ file ] Source pmlogger Source Path /usr/bin/pmlogger Port <Unknown> Host (removed) Source RPM Packages pcp-3.10.6-1.fc22.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.8.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.4-200.fc22.x86_64 #1 SMP Tue Aug 4 03:22:33 UTC 2015 x86_64 x86_64 Alert Count 159 First Seen 2015-08-17 10:25:04 JST Last Seen 2015-08-24 11:55:05 JST Local ID cd7bc718-fad4-4b06-8050-a8ebab4bb045 Raw Audit Messages type=AVC msg=audit(1440384905.21:4888): avc: denied { open } for pid=31681 comm="pmlogger" path="/var/lib/pcp/config/pmlogger/config.default" dev="dm-2" ino=921095 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1440384905.21:4888): arch=x86_64 syscall=open success=no exit=EACCES a0=55d3ce539010 a1=0 a2=1b6 a3=7fba74714280 items=0 ppid=27515 pid=31681 auid=985 uid=985 gid=974 euid=985 suid=985 fsuid=985 egid=974 sgid=974 fsgid=974 tty=(none) ses=334 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null) Hash: pmlogger,pcp_pmlogger_t,tmp_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-128.8.fc22.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.1.4-200.fc22.x86_64 type: libreport
Did you move /var/lib/pcp/config/pmlogger/config.default for /tmp? # restorecon -R -v /var/lib/pcp/ will fix labeling. If you get it by default, please reopen the bug.
I didn't touch or move /var/lib/pcp/config/pmlogger/config.default. I doubt some tools creates this configuration file on /tmp or /var/tmp. I found default PCP_TMPFILE_DIR is /var/tmp. $ grep TMP /etc/pcp.conf PCP_TMP_DIR=/var/lib/pcp/tmp PCP_TMPFILE_DIR=/var/tmp
Do you know which process creating this file?
The file has header lines as following. This seems be created by pmlogconf. ---------------------------------------- #pmlogconf 2.0 # # pmlogger(1) config file created and updated by pmlogconf # Auto-generated by pmlogconf on: Mon Oct 20 18:14:10 JST 2014 # ----------------------------------------
Guys from pcp, How is '/var/lib/pcp/config/pmlogger/config.default' file is created? SELinux context of this file need to be fixed by restorecon after moving from /tmp.
config.default is created by the pmlogconf script during the pmlogger service startup. The default subset of metrics that we log can change based on platform, hardware, and available/enabled pmdas. So it's not possible to do so ahead of time (for example, at build time).
Fixed upstream, will be in pcp-3.10.9 (upstream release and Fedora update expected to be done this week).
*** Bug 1284153 has been marked as a duplicate of this bug. ***
pcp-3.10.9-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-d08245c076
pcp-3.10.9-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-2b40815137
pcp-3.10.9-1.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2ac90519bc
pcp-3.10.9-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pcp' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2b40815137
pcp-3.10.9-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update pcp' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-d08245c076
pcp-3.10.9-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'yum --enablerepo=epel-testing update pcp' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2ac90519bc
pcp-3.10.9-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.10.9-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.11.0-1.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-57b7efb2d7
pcp-3.11.0-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-57b7efb2d7
pcp-3.11.1-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-5b519318e0
pcp-3.11.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.