Description of problem:
1. I unplugged my laptop
2. I worked for more than 1 hour
3. I plugged my laptop back into the docking station -- the laptop was in sleeping mode

SELinux is preventing pmdalinux from 'unix_read' accesses on the semafor Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

Pokud jste přesvědčeni, že má pmdalinux mít ve výchozím stavu přístup unix_read na Unknown sem.
Then toto byste měli nahlásit jako chybu.
Abyste přístup povolili, můžete vygenerovat lokální modul pravidel.
Do
prozatím tento přístup povolíte příkazy:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Objects                Unknown [ sem ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.28.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.10-300.fc27.x86_64 #1 SMP Thu Mar 15 17:13:04 UTC 2018 x86_64 x86_64
Alert Count                   66
First Seen                    2018-04-09 14:33:13 CEST
Last Seen                     2018-04-09 15:49:13 CEST
Local ID                      3865f414-f6b5-4a8c-a975-f2212956b8e2

Raw Audit Messages
type=AVC msg=audit(1523281753.846:685): avc: denied { unix_read } for pid=2154 comm="pmdalinux" key=-876378888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=sem permissive=0

Hash: pmdalinux,pcp_pmcd_t,mozilla_plugin_t,sem,unix_read

/* note:
 * the problem occurs after unplugging and then plugging my laptop (Thinkpad T450s) into my docking station.
 - Using Fedora KDE
 */

Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.10-300.fc27.x86_64
type:           libreport
Hi, any idea what's going on here?
Not precisely, but I know someone who will.

From the diagnostics, in PCP we don't manipulate semaphores ourselves but we do have some code extracting metrics from the kernel about them (I'm assuming this is what "sem" refers to in the AVC). Lukas, any other/better ideas?

Thanks.

$ pminfo ipc.sem
ipc.sem.max_semmap
ipc.sem.max_semid
ipc.sem.max_sem
ipc.sem.num_undo
ipc.sem.max_perid
ipc.sem.max_ops
ipc.sem.max_undoent
ipc.sem.sz_semundo
ipc.sem.max_semval
ipc.sem.max_exit
ipc.sem.used_sem
ipc.sem.tot_sem
ipc.sem.key
ipc.sem.owner
ipc.sem.perms
ipc.sem.nsems
That sounds about right, possibly from the various shmctl calls in pmdas/linux/ipc.c

I've got a fix in our upstream type enforcement file. That being said, this fix will only apply to mozilla_plugin_t contexts. We'll (probably) eventually hit other contexts over time, it'd be nice to have a fix for all applicable contexts.

commit df24d8a50ec5444624fe35a7d9ec5d9f81822251 (HEAD -> master)
Author: Lukas Berk <lberk>
Date:   Wed Apr 18 10:34:35 2018 -0400

    selinux: rhbz1565158 ipc.sem metrics

    917.out.in - update testcase
    pcpupstream.te.in - update policy
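Added example (not part of the original report and not PCP's own code): a small Python triage script that parses AVC records like the one in this report and groups the denied permissions by source type, target type and class, which shows whether a fix scoped to one target type such as mozilla_plugin_t covers every denial seen. The first sample record is the AVC from this report; the other two, with an unconfined_t target, are constructed, and the rendered allow lines show the rule form only, not the contents of pcpupstream.te.in.

```python
import re
from collections import defaultdict

# Record 1 is the AVC from this report; records 2 and 3 are constructed
# samples (hypothetical unconfined_t target) added to show the grouping.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1523281753.846:685): avc: denied { unix_read } for pid=2154 comm="pmdalinux" key=-876378888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=sem permissive=0
type=AVC msg=audit(1523281800.100:701): avc: denied { unix_read } for pid=2154 comm="pmdalinux" key=1234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
type=AVC msg=audit(1523281801.200:702): avc: denied { getattr associate } for pid=2154 comm="pmdalinux" key=1234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")


def selinux_type(context):
    """user:role:type:level[:categories] -> type (always the third field)."""
    return context.split(":")[2]


def summarize(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def te_rules(denials):
    """Render each group in type-enforcement allow-rule form for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def target_types(denials, source, tclass):
    """Target types one source type was denied on for a class; more than one
    means a single-target rule leaves the remaining contexts denied."""
    return sorted(t for (s, t, c) in denials if s == source and c == tclass)


if __name__ == "__main__":
    found = summarize(SAMPLE_AUDIT)
    print("\n".join(te_rules(found)))
    print(target_types(found, "pcp_pmcd_t", "sem"))
```

On a live system the input would come from `ausearch -c 'pmdalinux' --raw`, the same command the alert suggests piping into audit2allow.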
pcp-4.0.2-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6512e2424f
pcp-4.0.2-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-33d59f9a5f
pcp-4.0.2-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bfd50f6638
pcp-4.0.2-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-33d59f9a5f
pcp-4.0.2-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6512e2424f
pcp-4.0.2-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bfd50f6638
pcp-4.0.2-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
pcp-4.1.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-dfb77e69f1
pcp-4.1.0-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e351b52702
pcp-4.1.0-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e351b52702
pcp-4.1.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-dfb77e69f1
pcp-4.1.0-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
pcp-4.1.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.