Created attachment 1206766 [details] PCP AVCs Description of problem: Fedora 24 + updates + pcp-3.11.5-1.fc24 + SELinux in Permissive + pmcd/pmlogger/pmie services enabled gives the attached AVCs on boot. This is probably due to SELinux policies but filing initially against the pcp component to give PCP developers a heads-up, at this rate PCP appears as a second class citizen, it's the only component at least on my systems having severe issues with SELinux. $ wc -l pcp-avcs.txt 54 pcp-avcs.txt Also see https://bugzilla.redhat.com/show_bug.cgi?id=1337968 which haven't seen any activity in months. But note that this BZ has new AVCs, e.g., the ldconfig one which originates from ctypes/util.py which gets called when a Python PMDA is installed. grep SYSCALL audit.log gave no hits so if you need more information I'd suggest you to reproduce locally as that should be trivial. Thanks. Version-Release number of selected component (if applicable): pcp-3.11.5-1.fc24.x86_64 selinux-policy-targeted-3.13.1-191.17.fc24.noarch
Auditing Marko's attached log shows there's a few categories of failures. The first lot are wierd things like PCP commands or shell scripts not being able to run system utilities like chown, kill, hostname, which, etc. I'm unsure what to do with those, will leave for SELinux folk to advise. Then there's a bunch of new ones, due to things we've changed in PCP I think. We added a libvirt PMDA to PCP, and there's a few attempted accesses to libvirt config files that are failing. We've changed some internal PCP shell functions, and one of them is accessing tmp files incorrectly (this one I've fixed now & will merged into upstream PCP shortly). Then there's some persistent issues - things link /var/log/pcp/pmcd/pmcd.log not being accessible when it should be, likewise the /var/lib/pcp/pmns/root file. These look like selinux-policy issues once more, so will leave for SElinux folk to advise us further there too.
pcp-3.11.8-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969
pcp-3.11.8-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-201a3e0969
pcp-3.11.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b8f1de90c
pcp-3.11.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.11.8-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f
pcp-3.11.8-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3b25af744f
pcp-3.11.9-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6c3616693
pcp-3.11.9-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.