Bug 1557913 - pmcd.service fails to start and causes lots of SELinux denials
Summary: pmcd.service fails to start and causes lots of SELinux denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2018-03-19 09:00 UTC by Martin Pitt
Modified: 2019-05-02 21:14 UTC (History)

Fixed In Version: selinux-policy-3.14.1-18.fc28
Last Closed: 2019-05-02 21:14:13 UTC
Type: Bug



Description Martin Pitt 2018-03-19 09:00:05 UTC
Description of problem: On current Fedora 28, pmcd.service does not start at all:

[root@m1 ~]# systemctl status pmcd.service
● pmcd.service - Performance Metrics Collector Daemon
   Loaded: loaded (/usr/lib/systemd/system/pmcd.service; enabled; vendor preset: enabled)
   Active: activating (start) since Mon 2018-03-19 04:54:45 EDT; 57s ago
     Docs: man:pmcd(8)
Cntrl PID: 1347 (pmcd)
    Tasks: 2 (limit: 1155)
   Memory: 2.3M
      CPU: 195ms
   CGroup: /system.slice/pmcd.service
           ├─1347 /bin/sh /usr/share/pcp/lib/pmcd start
           └─1583 pmcd_wait

Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: [Mon Mar 19 04:54:51] pmdaroot(1585) Info: Starting linux agent: /var/lib/pcp/pmdas/linux/pm>
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: pmdalinux: cannot open log "linux.log" for writing : Permission denied
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: Log for pmdalinux on m1.cockpit.lan started Mon Mar 19 04:54:51 2018
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: Error: cannot open PID file /var/run/pcp/pmcd.pid
Mär 19 04:54:51 m1.cockpit.lan pmcd[1347]: [Mon Mar 19 04:54:51] pmcd(1582) Error: pmcd not started due to errors!

This also causes a ton of SELinux denials. At first sight these don't even seem to be related as they don't talk about linux.log or pmcd.pid, but they are surely relevant:


[root@m1 ~]# journalctl -ocat -b | grep avc.*denied | sort -u
audit: type=1400 audit(1521449624.163:159): avc:  denied  { dac_override } for  pid=1174 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449624.425:160): avc:  denied  { dac_override } for  pid=1174 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449625.507:161): avc:  denied  { dac_override } for  pid=1177 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449625.526:162): avc:  denied  { dac_override } for  pid=1178 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449685.707:228): avc:  denied  { module_request } for  pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449685.711:229): avc:  denied  { module_request } for  pid=1249 comm="pmie" kmod="netdev-0" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449685.748:230): avc:  denied  { module_request } for  pid=1259 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
audit: type=1400 audit(1521449691.059:251): avc:  denied  { dac_override } for  pid=1585 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.077:252): avc:  denied  { dac_override } for  pid=1586 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.099:253): avc:  denied  { dac_override } for  pid=1587 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449691.104:254): avc:  denied  { dac_override } for  pid=1588 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449749.211:256): avc:  denied  { dac_override } for  pid=1598 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449749.324:257): avc:  denied  { dac_override } for  pid=1642 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449754.251:267): avc:  denied  { dac_override } for  pid=1731 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449754.514:268): avc:  denied  { dac_override } for  pid=1731 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449756.470:269): avc:  denied  { dac_override } for  pid=1734 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449756.489:270): avc:  denied  { dac_override } for  pid=1735 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449818.969:277): avc:  denied  { dac_override } for  pid=1824 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449819.223:278): avc:  denied  { dac_override } for  pid=1824 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449819.474:279): avc:  denied  { dac_override } for  pid=1824 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449883.936:290): avc:  denied  { dac_override } for  pid=1920 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449884.190:291): avc:  denied  { dac_override } for  pid=1920 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
audit: type=1400 audit(1521449884.440:292): avc:  denied  { dac_override } for  pid=1920 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1174 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1177 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1178 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1179 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1180 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1425 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1505 comm="pmlogger_check" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1582 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1585 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1586 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1587 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1588 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1598 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1642 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1731 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1734 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1735 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1736 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1737 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1824 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1827 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1828 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1829 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1830 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1920 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1923 comm="pmdaroot" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1924 comm="pmdaproc" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1925 comm="pmdaxfs" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1926 comm="pmdalinux" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { module_request } for  pid=1249 comm="pmie" kmod="netdev-0" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1259 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1263 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1267 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1271 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1321 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1338 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1342 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1344 comm="ps" kmod=6E65746465762D80E42275997F scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1426 comm="systemctl" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
AVC avc:  denied  { module_request } for  pid=1435 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0



Version-Release number of selected component (if applicable):

# rpm -qa | egrep 'pcp|selinux-pol'
selinux-policy-targeted-3.14.1-14.fc28.noarch
pcp-selinux-4.0.0-2.fc28.x86_64
cockpit-pcp-163.x-1.wip.fc28.x86_64
pcp-conf-4.0.0-2.fc28.x86_64
pcp-4.0.0-2.fc28.x86_64
pcp-libs-4.0.0-2.fc28.x86_64
selinux-policy-3.14.1-14.fc28.noarch


How reproducible: Always


Steps to Reproduce:
1. Install pcp
2. Try to start pmcd.service

Comment 1 Martin Pitt 2018-03-19 09:01:28 UTC
After `setenforce 0`, pmcd.service successfully starts, so it seems the broken log and pid file are related to the SELinux denials after all.

Comment 2 dac.override 2018-03-19 09:46:06 UTC
The module_request events are due to a bug in Linux 4.16 and should be ignored.

The dac_override events indicate a bug in the selinux-policy component.

This bug report should probably be re-assigned to "selinux-policy".

Comment 3 Martin Pitt 2018-03-19 10:25:24 UTC
Ack, thanks. Reassigning then.

Comment 4 Lukas Vrabec 2018-03-23 15:00:08 UTC
Hi pcp folks, 

Could you please check why pcp needs dac_override? It could be caused by the pcp processes running as the root user while some of the files they are accessing have too tight permissions.

Comment 5 Lukas Berk 2018-03-23 15:29:08 UTC
Hi Lukas,

Most of those dac_overrides are on pcp's own files (pcp's daemon, pmcd, starting monitoring agents -- pmda*'s --) which then in turn are used for metrics gathering and collection.

It's also occurring on cases where the pmlogger service is trying to rotate pcp's own metric archive/log files for proper storage and culling.

By denying this cap, it not only stops the service from starting, but also stops users from using Performance Co-Pilot to monitor their system and gather metrics.

Please allow this cap in the default policy.

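An added triage helper, written for this page and not part of the bug report, PCP or selinux-policy: it parses both AVC formats quoted in the description (kernel "audit: type=1400" lines and setroubleshoot-style "AVC avc:" lines), counts denials per source type, class, permission and command, and labels each signature the way comments 2, 4 and 5 resolved them. The sample input is three AVC lines copied from the report plus one constructed non-AVC journal line.

```python
import re
from collections import Counter

# Sample input: three AVC records copied from the report above (one kernel
# "audit: type=1400" line, two setroubleshoot-style "AVC avc:" lines) plus
# one constructed non-AVC journal line that the parser must skip.
SAMPLE_AVCS = """\
audit: type=1400 audit(1521449624.163:159): avc:  denied  { dac_override } for  pid=1174 comm="pmcd" capability=1  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
AVC avc:  denied  { dac_override } for  pid=1598 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
AVC avc:  denied  { module_request } for  pid=1249 comm="pmie" kmod="netdev-" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
Mar 19 04:54:51 m1 systemd[1]: Starting Performance Metrics Collector Daemon...
"""

# "avc: denied { perm ... } for key=value ..." is common to both formats.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of user:role:type:level.
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec


def summarize(text):
    """Count denials by (source type, object class, permission, comm)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec.get("tclass"), perm, rec.get("comm"))] += 1
    return counts


def triage(signature):
    """Classify one denial signature using what this report established."""
    stype, tclass, perm, comm = signature
    if tclass == "capability" and perm == "dac_override":
        # Root needs CAP_DAC_OVERRIDE only when a file's owner/mode bits would
        # refuse it (comment 4): fix ownership/mode, or allow the cap in policy.
        return "dac_override in %s (%s): check file owner/mode, else allow cap" % (stype, comm)
    if tclass == "system" and perm == "module_request":
        return "module_request from %s: kernel 4.16 noise (comment 2), ignore" % comm
    return "unclassified %s/%s in %s: review with audit2allow" % (tclass, perm, stype)


if __name__ == "__main__":
    for sig, n in sorted(summarize(SAMPLE_AVCS).items()):
        print("%3d  %s" % (n, triage(sig)))
```

Feed it `journalctl -ocat -b | grep avc` output as in the description to get one line per distinct signature instead of one per pid.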
Comment 6 Lukas Vrabec 2018-03-23 15:35:57 UTC
Done.

Comment 7 Fedora Update System 2018-03-25 13:13:06 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 8 Fedora Update System 2018-03-25 20:33:24 UTC
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 9 Fedora Update System 2018-03-26 21:50:14 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 10 Fedora Update System 2018-03-26 22:31:05 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Martin Pitt 2018-03-28 14:51:14 UTC
I confirm that pmcd.service starts now, but all these dac_override violations still exist (and also module_requests, but I understand they are a separate bug). So reopening now. Or do you want me to file a new bug for these?

Comment 12 Ben Cotton 2019-05-02 19:35:20 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 13 Nathan Scott 2019-05-02 21:14:13 UTC
(In reply to Martin Pitt from comment #11)
> I confirm that pmcd.service starts now, but all these dac_override
> violations still exist (and also module_requests, but I understand they are
> a separate bug). So reopening now. Or do you want me to file a new bug for
> these?

Checking current PCP selinux-policy from the pcp-4.3.2 release, the listed AVCs are resolved now.

