1286234 – SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogger.primary.socket.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1286234 - SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogger.primary.socket.

Summary: SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogge...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Patrik Kis
Docs Contact:
URL:
Whiteboard:	abrt_hash:fde702b3d9fda1337170273a81a...
Depends On:	1254080
Blocks:	1333262
TreeView+	depends on / blocked

Reported:	2015-11-27 14:32 UTC by Lukas Berk
Modified:	2020-09-10 09:29 UTC (History)
CC List:	15 users (show)
Fixed In Version:	selinux-policy-3.13.1-66.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1254080
Clones:	1333262 (view as bug list)
Environment:
Last Closed:	2016-11-04 02:25:28 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2283	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2016-11-03 13:36:25 UTC

Description Lukas Berk 2015-11-27 14:32:00 UTC

Please backport this fix.  The RHEL7.2 selinux output is as follows:

*****  Plugin catchall (100. confidence) suggests **************************

If you believe that pmlogger should be allowed create access on the
pmlogger.primary.socket lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context
system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                pmlogger.primary.socket [ lnk_file ]
Source                        pmlogger
Source Path                   /usr/bin/pmlogger
Port                          <Unknown>
Host                          bordewijk
Source RPM Packages           pcp-3.10.6-2.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     bordewijk
Platform                      Linux bordewijk 3.10.0-327.el7.x86_64 #1
SMP Thu
                              Oct 29 17:29:29 EDT 2015 x86_64 x86_64
Alert Count                   7
First Seen                    2015-11-20 00:10:11 CET
Last Seen                     2015-11-26 00:10:11 CET
Local ID                      c9cba06f-900a-48df-bd9c-b575df017cd9

Raw Audit Messages
type=AVC msg=audit(1448493011.603:9249): avc:  denied  { create } for
pid=15563 comm="pmlogger" name="pmlogger.primary.socket"
scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1448493011.603:9249): arch=x86_64 syscall=symlink
success=no exit=EACCES a0=7fe58db2ab90 a1=7ffce6bd7300 a2=1000 a3=c
items=0 ppid=15327 pid=15563 auid=992 uid=992 gid=990 euid=992 suid=992
fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=1179 comm=pmlogger
exe=/usr/bin/pmlogger
subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create


+++ This bug was initially created as a clone of Bug #1254080 +++

Description of problem:
SELinux is preventing pmlogger from 'create' accesses on the lnk_file pmlogger.primary.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmlogger should be allowed create access on the pmlogger.primary.socket lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                pmlogger.primary.socket [ lnk_file ]
Source                        pmlogger
Source Path                   pmlogger
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.5-200.fc22.x86_64 #1 SMP Mon
                              Aug 10 23:38:23 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-17 02:55:10 ART
Last Seen                     2015-08-17 02:55:10 ART
Local ID                      0c7ddc98-fe63-42a9-8a07-483ef97e33d9

Raw Audit Messages
type=AVC msg=audit(1439790910.97:2554): avc:  denied  { create } for  pid=15915 comm="pmlogger" name="pmlogger.primary.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0


Hash: pmlogger,pcp_pmlogger_t,var_run_t,lnk_file,create

Version-Release number of selected component:
selinux-policy-3.13.1-128.10.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.5-200.fc22.x86_64
type:           libreport

--- Additional comment from Lukas Vrabec on 2015-08-23 12:26:58 EDT ---

commit 677cb44a9f4c9a5deb292cb5c6893e2425737cec
Author: Lukas Vrabec <lvrabec>
Date:   Sun Aug 23 00:18:37 2015 +0200

    Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080)

--- Additional comment from Fedora Update System on 2015-08-24 07:45:57 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been submitted as an update to Fedora 22. https://bugzilla.redhat.com/show_bug.cgi?id=1254080

--- Additional comment from Fedora Update System on 2015-08-24 17:54:39 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14076

--- Additional comment from Fedora Update System on 2015-08-27 14:23:05 EDT ---

selinux-policy-3.13.1-128.12.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 errata-xmlrpc 2016-11-04 02:25:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.