Description of problem:
On current Fedora 28, pmcd.service does not start at all:

[root@m1 ~]# systemctl status pmcd.service
● pmcd.service - Performance Metrics Collector Daemon
   Loaded: loaded (/usr/lib/systemd/system/pmcd.service; enabled; vendor preset: enabled)
   Active: activating (start) since Mon 2018-03-19 04:54:45 EDT; 57s ago
     Docs: man:pmcd(8)
Cntrl PID: 1347 (pmcd)
    Tasks: 2 (limit: 1155)
   Memory: 2.3M
      CPU: 195ms
   CGroup: /system.slice/pmcd.service
           ├─1347 /bin/sh /usr/share/pcp/lib/pmcd start
           └─1583 pmcd_wait

Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: [Mon Mar 19 04:54:51] pmdaroot(1585) Info: Starting linux agent: /var/lib/pcp/pmdas/linux/pm>
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: pmdalinux: cannot open log "linux.log" for writing : Permission denied
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: Log for pmdalinux on m1.cockpit.lan started Mon Mar 19 04:54:51 2018
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: Error: cannot open PID file /var/run/pcp/pmcd.pid
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: [Mon Mar 19 04:54:51] pmcd(1582) Error: pmcd not started due to errors!

This also causes a ton of SELinux denials.
At first sight these don't even seem to be related as they don't talk about linux.log or pmcd.pid, but they are surely relevant:

[root@m1 ~]# journalctl -ocat -b | grep avc.*denied | sort -u
audit: type=1400 audit(1521449624.163:159): avc: denied { dac_override } for pid=1174 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449624.425:160): avc: denied { dac_override } for pid=1174 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449625.507:161): avc: denied { dac_override } for pid=1177 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449625.526:162): avc: denied { dac_override } for pid=1178 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449685.707:228): avc: denied { module_request } for pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449685.711:229): avc: denied { module_request } for pid=1249 comm="pmie" kmod="netdev-0" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449685.748:230): avc: denied { module_request } for pid=1259 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449691.059:251): avc: denied { dac_override } for pid=1585 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.077:252): avc: denied { dac_override } for pid=1586 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.099:253): avc: denied { dac_override } for pid=1587 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.104:254): avc: denied { dac_override } for pid=1588 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449749.211:256): avc: denied { dac_override } for pid=1598 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449749.324:257): avc: denied { dac_override } for pid=1642 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449754.251:267): avc: denied { dac_override } for pid=1731 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449754.514:268): avc: denied { dac_override } for pid=1731 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449756.470:269): avc: denied { dac_override } for pid=1734 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449756.489:270): avc: denied { dac_override } for pid=1735 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449818.969:277): avc: denied { dac_override } for pid=1824 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449819.223:278): avc: denied { dac_override } for pid=1824 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449819.474:279): avc: denied { dac_override } for pid=1824 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449883.936:290): avc: denied { dac_override } for pid=1920 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449884.190:291): avc: denied { dac_override } for pid=1920 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449884.440:292): avc: denied { dac_override } for pid=1920 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0

AVC avc: denied { dac_override } for pid=1174 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1177 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1178 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1179 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1180 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1425 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1505 comm="pmlogger_check" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1582 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1585 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1586 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1587 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1588 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1598 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1642 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1731 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1734 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1735 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1736 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1737 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1824 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1827 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1828 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1829 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1830 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1920 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1923 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1924 comm="pmdaproc" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1925 comm="pmdaxfs" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { dac_override } for pid=1926 comm="pmdalinux" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc: denied { module_request } for pid=1249 comm="pmie" kmod="netdev-0" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1259 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1263 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1267 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1271 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1321 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1338 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1342 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1344 comm="ps" kmod=6E65746465762D80E42275997F scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1426 comm="systemctl" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1435 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'pcp|selinux-pol'
selinux-policy-targeted-3.14.1-14.fc28.noarch
pcp-selinux-4.0.0-2.fc28.x86_64
cockpit-pcp-163.x-1.wip.fc28.x86_64
pcp-conf-4.0.0-2.fc28.x86_64
pcp-4.0.0-2.fc28.x86_64
pcp-libs-4.0.0-2.fc28.x86_64
selinux-policy-3.14.1-14.fc28.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install pcp
2. Try to start pmcd.service
After `setenforce 0`, pmcd.service successfully starts, so it seems the broken log and pid file are related to the SELinux denials after all.
The module_request events are due to a bug in Linux 4.16 and should be ignored. The dac_override events indicate a bug in the selinux-policy component. This bug report should probably be re-assigned to "selinux-policy".
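An added triage example for the denial dump in this report (not part of the original thread, nor PCP or selinux-policy code): it collapses AVC records into distinct (source type, target, class, permission) tuples and decodes string fields that audit wrote as bare hex, such as the kmod= value logged for comm="ps". The function names and the STRING_FIELDS set are assumptions of this example; the six sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Six records copied from the denials quoted in this report (both log formats).
SAMPLE = """\
audit: type=1400 audit(1521449624.163:159): avc: denied { dac_override } for pid=1174 comm="pmcd" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449625.507:161): avc: denied { dac_override } for pid=1177 comm="pmdaroot" capability=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449749.211:256): avc: denied { dac_override } for pid=1598 comm="mv" capability=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449685.707:228): avc: denied { module_request } for pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1344 comm="ps" kmod=6E65746465762D80E42275997F scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc: denied { module_request } for pid=1426 comm="systemctl" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {"comm", "kmod", "name", "exe", "path"}  # assumed set of string-valued keys


def decode(key, value):
    """Unquote a field; audit writes strings containing unsafe bytes as bare hex."""
    if value.startswith('"'):
        return value[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("ascii", "backslashreplace")
    return value  # numeric fields such as pid= must not be hex-decoded


def parse_avc(line):
    """Return a dict for one denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(text):
    """Group denials by (source type, target, class, permission) -> set of comm."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        tgt = "self" if tgt == src else tgt  # same convention audit2allow uses
        for perm in rec["perms"]:
            groups[(src, tgt, rec["tclass"], perm)].add(rec["comm"])
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls, perm), comms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {perm} }}  comm={sorted(comms)}")
```

On the six sample records this yields three tuples: dac_override within pcp_pmcd_t and within pcp_pmlogger_t, and module_request from pcp_pmie_t against kernel_t. The hex kmod value decodes to "netdev-" followed by non-printable bytes.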
Ack, thanks. Reassigning then.
Hi pcp folks, Could you please check why pcp needs dac_override? It could be caused by pcp processes running as the root user while some of the files they are accessing have too tight permissions.
Hi Lukas, Most of those dac_overrides are on pcp's own files (pcp's daemon, pmcd, starting monitoring agents -- pmda*'s -- ) which then, in turn, are used for metrics gathering and collection. It's also occurring in cases where the pmlogger service is trying to rotate pcp's own metric archive/log files for proper storage and culling. By denying this cap it not only stops the service from starting, but stops users from using Performance Co-Pilot to monitor their system and gather metrics. Please allow this cap in the default policy.
Done.
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
I confirm that pmcd.service starts now, but all these dac_override violations still exist (and also module_requests, but I understand they are a separate bug). So reopening now. Or do you want me to file a new bug for these?
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
(In reply to Martin Pitt from comment #11)
> I confirm that pmcd.service starts now, but all these dac_override
> violations still exist (and also module_requests, but I understand they are
> a separate bug). So reopening now. Or do you want me to file a new bug for
> these?

Checking current PCP selinux-policy from the pcp-4.3.2 release, the listed AVCs are resolved now.