Bug 1381127 - PCP SELinux issues
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2016-10-03 03:33 EDT by Marko Myllynen
Modified: 2017-04-11 00:51 EDT
CC List: 13 users
Last Closed: 2017-04-11 00:51:36 EDT
Type: Bug

Attachments:
PCP AVCs (13.24 KB, text/plain), 2016-10-03 03:33 EDT, Marko Myllynen

Description Marko Myllynen 2016-10-03 03:33:26 EDT
Created attachment 1206766
PCP AVCs

Description of problem:
Fedora 24 + updates + pcp-3.11.5-1.fc24 + SELinux in Permissive + pmcd/pmlogger/pmie services enabled gives the attached AVCs on boot.

This is probably due to SELinux policies, but filing initially against the pcp component to give PCP developers a heads-up. At this rate PCP appears as a second-class citizen; it's the only component, at least on my systems, having severe issues with SELinux.

$ wc -l pcp-avcs.txt
54 pcp-avcs.txt

Also see https://bugzilla.redhat.com/show_bug.cgi?id=1337968, which hasn't seen any activity in months. But note that this BZ has new AVCs, e.g., the ldconfig one, which originates from ctypes/util.py, which gets called when a Python PMDA is installed.

`grep SYSCALL audit.log` gave no hits, so if you need more information I'd suggest you reproduce locally, as that should be trivial.

Thanks.

Version-Release number of selected component (if applicable):
pcp-3.11.5-1.fc24.x86_64
selinux-policy-targeted-3.13.1-191.17.fc24.noarch
Comment 1 Nathan Scott 2016-10-04 01:45:19 EDT
Auditing Marko's attached log shows there are a few categories of failures.

The first lot are weird things like PCP commands or shell scripts not being able to run system utilities like chown, kill, hostname, which, etc.  I'm unsure what to do with those, will leave for SELinux folk to advise.

Then there's a bunch of new ones, due to things we've changed in PCP I think.  We added a libvirt PMDA to PCP, and there are a few attempted accesses to libvirt config files that are failing.  We've changed some internal PCP shell functions, and one of them is accessing tmp files incorrectly (this one I've fixed now & will merge into upstream PCP shortly).

Then there are some persistent issues - things like /var/log/pcp/pmcd/pmcd.log not being accessible when it should be, likewise the /var/lib/pcp/pmns/root file.  These look like selinux-policy issues once more, so will leave for SELinux folk to advise us further there too.
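
The manual categorisation in Comment 1 can be done mechanically by collapsing AVC denials into (source type, target type, class) groups. The following is an added example, not part of the original bug report or of PCP/selinux-policy; the sample records are constructed (not taken from the attachment) and their type names, PIDs and timestamps are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, NOT taken from the bug's attachment; the type
# names, PIDs and timestamps are illustrative assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1475479001.101:201): avc:  denied  { execute } for  pid=901 comm="pmlogger_check" name="hostname" dev="dm-0" ino=1001 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479001.102:202): avc:  denied  { read open } for  pid=901 comm="pmlogger_check" name="hostname" dev="dm-0" ino=1001 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479002.310:207): avc:  denied  { execute } for  pid=955 comm="python" name="ldconfig" dev="dm-0" ino=1002 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1475479003.450:212): avc:  denied  { read } for  pid=960 comm="pmie_check" path="/var/log/pcp/pmcd/pmcd.log" dev="dm-0" ino=1003 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1475479004.000:213): pid=1 uid=0 msg='unit=pmcd comm="systemd" res=success'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if any(f.get(k, "").count(":") < 2 for k in ("scontext", "tcontext")) or "tclass" not in f:
        return None  # truncated or malformed record
    return {
        "perms": m.group(1).split(),
        "source": f["scontext"].split(":")[2],  # user:role:TYPE:level
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": f.get("name") or f.get("path", "?"),
    }

def group_denials(log_text):
    """Collapse denials into {(source, target, tclass): perms/objects/count}."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec["object"])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(group_denials(SAMPLE_LOG).items()):
        print(f"{g['count']:3d}  {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}  {sorted(g['objects'])}")
```

Each output line corresponds to one candidate policy decision, which makes it easier to separate denials that belong in selinux-policy from those caused by the application accessing the wrong path.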
Comment 2 Fedora Update System 2017-02-18 10:37:02 EST
pcp-3.11.8-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969
Comment 3 Fedora Update System 2017-02-18 10:38:28 EST
pcp-3.11.8-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c
Comment 4 Fedora Update System 2017-02-19 19:49:13 EST
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969
Comment 5 Fedora Update System 2017-02-20 00:21:43 EST
pcp-3.11.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c
Comment 6 Fedora Update System 2017-02-25 20:36:49 EST
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2017-02-27 13:25:37 EST
pcp-3.11.8-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f
Comment 8 Fedora Update System 2017-02-28 21:51:01 EST
pcp-3.11.8-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f
Comment 9 Fedora Update System 2017-04-02 01:17:40 EDT
pcp-3.11.9-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693
Comment 10 Fedora Update System 2017-04-02 22:22:36 EDT
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693
Comment 11 Fedora Update System 2017-04-11 00:51:36 EDT
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
