Description of problem:
The setroubleshooter is guiding how to resolve this, but since this is with a default install, we probably should not put the burden of understanding and resolving this on end users as it reduces end user confidence in using both pcp and selinux.

SELinux is preventing logger from read access on the lnk_file log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that logger should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logger' --raw | audit2allow -M my-logger
# semodule -X 300 -i my-logger.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:object_r:devlog_t:s0
Target Objects                log [ lnk_file ]
Source                        logger
Source Path                   logger
Port
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-08-11 11:16:43 EDT
Last Seen                     2017-08-20 08:13:54 EDT
Local ID                      4920543c-0ab4-4119-aa26-e48930f0cadb

Raw Audit Messages
type=AVC msg=audit(1503231234.86:337): avc: denied { read } for pid=11626 comm="logger" name="log" dev="devtmpfs" ino=12576 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0

Hash: logger,pcp_pmlogger_t,devlog_t,lnk_file,read

Version-Release number of selected component (if applicable):
[tbowling@tbowling ~]$ rpm -qa |grep pcp
pcp-pmda-bonding-3.11.10-1.fc26.x86_64
pcp-libs-3.11.10-1.fc26.x86_64
cockpit-pcp-147-1.fc26.x86_64
pcp-3.11.10-1.fc26.x86_64
pcp-import-collectl2pcp-3.11.10-1.fc26.x86_64
pcp-pmda-mysql-3.11.10-1.fc26.x86_64
pcp-pmda-dm-3.11.10-1.fc26.x86_64
pcp-doc-3.11.10-1.fc26.noarch
pcp-conf-3.11.10-1.fc26.x86_64
pcp-selinux-3.11.10-1.fc26.x86_64
pcp-pmda-postgresql-3.11.10-1.fc26.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Similar related messages

SELinux is preventing pmcd from getattr access on the file /var/lib/pcp/pmns/root.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed getattr access on the root file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmns/root [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      85140039-7264-4084-a808-8aa07508be57

Raw Audit Messages
type=AVC msg=audit(1503231116.228:160): avc: denied { getattr } for pid=1443 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=528105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0

Hash: pmcd,init_t,pcp_var_lib_t,file,getattr
SELinux is preventing pmcd from getattr access on the file /var/log/pcp/pmcd/linux.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed getattr access on the linux.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd/linux.log [ file ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   30
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      43707352-6ec5-4905-92e7-c3dc3b44affd

Raw Audit Messages
type=AVC msg=audit(1503231116.247:168): avc: denied { getattr } for pid=1443 comm="pmcd" path="/var/log/pcp/pmcd/linux.log" dev="dm-1" ino=525838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=file permissive=0

Hash: pmcd,init_t,pcp_log_t,file,getattr
SELinux is preventing pmcd from read access on the directory /var/log/pcp/pmcd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed read access on the pmcd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_log_t:s0
Target Objects                /var/log/pcp/pmcd [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      db6b609b-bc1b-4886-b6e1-d80bfa671936

Raw Audit Messages
type=AVC msg=audit(1503231116.247:169): avc: denied { read } for pid=1443 comm="pmcd" name="pmcd" dev="dm-1" ino=528316 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=dir permissive=0

Hash: pmcd,init_t,pcp_log_t,dir,read
SELinux is preventing pmcd from read access on the directory /var/lib/pcp/pmdas.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmcd should be allowed read access on the pmdas directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmcd' --raw | audit2allow -M my-pmcd
# semodule -X 300 -i my-pmcd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:pcp_var_lib_t:s0
Target Objects                /var/lib/pcp/pmdas [ dir ]
Source                        pmcd
Source Path                   pmcd
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   15
First Seen                    2017-08-11 11:14:38 EDT
Last Seen                     2017-08-20 08:11:56 EDT
Local ID                      b2c6cd9f-ca5d-458c-91f6-10c91ff889f3

Raw Audit Messages
type=AVC msg=audit(1503231116.513:173): avc: denied { read } for pid=1763 comm="pmcd" name="pmdas" dev="dm-1" ino=528225 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0

Hash: pmcd,init_t,pcp_var_lib_t,dir,read
SELinux is preventing pmlogger_check from execute_no_trans access on the file /usr/bin/pmlogger.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmlogger_check should be allowed execute_no_trans access on the pmlogger file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmlogger_check' --raw | audit2allow -M my-pmloggercheck
# semodule -X 300 -i my-pmloggercheck.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:object_r:pcp_pmlogger_exec_t:s0
Target Objects                /usr/bin/pmlogger [ file ]
Source                        pmlogger_check
Source Path                   pmlogger_check
Port                          <Unknown>
Host                          tbowling.localdomain
Source RPM Packages
Target RPM Packages           pcp-3.11.10-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tbowling.localdomain
Platform                      Linux tbowling.localdomain 4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-08-11 11:14:43 EDT
Last Seen                     2017-08-20 08:12:01 EDT
Local ID                      c7099b4f-07e6-4d4e-9c87-5387d81ddee3

Raw Audit Messages
type=AVC msg=audit(1503231121.190:289): avc: denied { execute_no_trans } for pid=6768 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1080417 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0

Hash: pmlogger_check,pcp_pmlogger_t,pcp_pmlogger_exec_t,file,execute_no_trans
Thanks for reporting these, Terry. 5/6 of these denials are already handled in the upstream policy package. I've added the remaining denial and will be pushing it upstream shortly. I've reached out to the selinux folks to see why this might be happening for the remaining denial messages.
pcp-3.12.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294
pcp-3.12.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85
pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d09a03d294
pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3267272d85
pcp-3.12.2-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
pcp-3.12.2-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.