Bug 1381127 - PCP SELinux issues
Summary: PCP SELinux issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-03 07:33 UTC by Marko Myllynen
Modified: 2017-04-11 04:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-11 04:51:36 UTC
Type: Bug
Embargoed:


Attachments:
PCP AVCs (13.24 KB, text/plain), 2016-10-03 07:33 UTC, Marko Myllynen

Description Marko Myllynen 2016-10-03 07:33:26 UTC
Created attachment 1206766
PCP AVCs

Description of problem:
Fedora 24 + updates + pcp-3.11.5-1.fc24 + SELinux in Permissive + pmcd/pmlogger/pmie services enabled gives the attached AVCs on boot.

This is probably due to SELinux policies, but filing initially against the pcp component to give PCP developers a heads-up. At this rate PCP appears as a second-class citizen; it's the only component, at least on my systems, having severe issues with SELinux.

$ wc -l pcp-avcs.txt
54 pcp-avcs.txt

Also see https://bugzilla.redhat.com/show_bug.cgi?id=1337968 which hasn't seen any activity in months. But note that this BZ has new AVCs, e.g., the ldconfig one which originates from ctypes/util.py which gets called when a Python PMDA is installed.

grep SYSCALL audit.log gave no hits, so if you need more information I'd suggest you reproduce locally as that should be trivial.

Thanks.

Version-Release number of selected component (if applicable):
pcp-3.11.5-1.fc24.x86_64
selinux-policy-targeted-3.13.1-191.17.fc24.noarch

Comment 1 Nathan Scott 2016-10-04 05:45:19 UTC
Auditing Marko's attached log shows there are a few categories of failures.

The first lot are weird things like PCP commands or shell scripts not being able to run system utilities like chown, kill, hostname, which, etc.  I'm unsure what to do with those, will leave for SELinux folk to advise.

Then there's a bunch of new ones, due to things we've changed in PCP I think.  We added a libvirt PMDA to PCP, and there are a few attempted accesses to libvirt config files that are failing.  We've changed some internal PCP shell functions, and one of them is accessing tmp files incorrectly (this one I've fixed now & will merge into upstream PCP shortly).

Then there are some persistent issues - things like /var/log/pcp/pmcd/pmcd.log not being accessible when it should be, likewise the /var/lib/pcp/pmns/root file.  These look like selinux-policy issues once more, so will leave for SELinux folk to advise us further there too.
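
One way to sort a set of AVC records into categories like those in the comment above, as an added example that is not part of the bug report, PCP or selinux-policy. The sample records are constructed, and the SELinux type names and file names in them are illustrative assumptions; only the AVC records are used, since the report notes that no SYSCALL records were logged.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the bug's attachment); the SELinux
# type names and file names are illustrative assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1475479980.101:201): avc:  denied  { execute } for  pid=1201 comm="pmcd" name="hostname" dev="dm-0" ino=1001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479980.102:202): avc:  denied  { execute_no_trans } for  pid=1201 comm="pmcd" path="/usr/bin/hostname" dev="dm-0" ino=1001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479981.310:215): avc:  denied  { read } for  pid=1340 comm="python" name="libvirt.conf" dev="dm-0" ino=2002 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479982.440:230): avc:  denied  { read } for  pid=1402 comm="pmie" name="pmcd.log" dev="dm-0" ino=3003 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1475479983.000:231): pid=1 uid=0 msg='unit=pmcd comm="systemd" res=success'
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def group_denials(log_text):
    """Collapse AVC denials into one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        perms = PERMS_RE.search(line)
        if not line.startswith("type=AVC") or not perms:
            continue  # skip non-AVC records and AVC messages that are not denials
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: nothing reliable to group on
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        groups[key]["perms"].update(perms.group(1).split())
        groups[key]["comms"].add(fields.get("comm", "?"))
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(group_denials(SAMPLE_LOG).items()):
        print(f"{g['count']:2d}  {src} -> {tgt}:{cls} "
              f"{{ {' '.join(sorted(g['perms']))} }}  comm={','.join(sorted(g['comms']))}")
```

Each resulting row is one policy decision to review: either the domain legitimately needs the access, the target file is mislabeled, or the program should stop making the access.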

Comment 2 Fedora Update System 2017-02-18 15:37:02 UTC
pcp-3.11.8-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969

Comment 3 Fedora Update System 2017-02-18 15:38:28 UTC
pcp-3.11.8-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c

Comment 4 Fedora Update System 2017-02-20 00:49:13 UTC
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969

Comment 5 Fedora Update System 2017-02-20 05:21:43 UTC
pcp-3.11.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c

Comment 6 Fedora Update System 2017-02-26 01:36:49 UTC
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-02-27 18:25:37 UTC
pcp-3.11.8-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f

Comment 8 Fedora Update System 2017-03-01 02:51:01 UTC
pcp-3.11.8-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f

Comment 9 Fedora Update System 2017-04-02 05:17:40 UTC
pcp-3.11.9-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693

Comment 10 Fedora Update System 2017-04-03 02:22:36 UTC
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693

Comment 11 Fedora Update System 2017-04-11 04:51:36 UTC
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

