Bug 1565158 - SELinux is preventing pmdalinux from 'unix_read' accesses on the semafor Unknown.
Summary: SELinux is preventing pmdalinux from 'unix_read' accesses on the semafor Unkn...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Berk
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:15e35dd881f69aec6943558d149...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-09 13:56 UTC by Jan Houska
Modified: 2018-06-23 20:47 UTC (History)
11 users (show)

Fixed In Version: pcp-4.0.2-2.fc26 pcp-4.1.0-2.fc27 pcp-4.1.0-2.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-22 14:28:49 UTC
Type: ---


Attachments (Terms of Use)

Description Jan Houska 2018-04-09 13:56:43 UTC
Description of problem:
1. I unplugged my laptop
2. i work more than 1 hour
3.  I plugged my laptop back into docking station -- the laptop was in sleeping mode
SELinux is preventing pmdalinux from 'unix_read' accesses on the semafor Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

Pokud jste přesvědčeni, že má pmdalinux mít ve výchozím stavu přístup unix_read na Unknown sem.
Then toto byste měli nahlásit jako chybu.
Abyste přístup povolili, můžete vygenerovat lokální modul pravidel.
Do
prozatím tento přístup povolíte příkazy:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ sem ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.28.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.10-300.fc27.x86_64 #1 SMP Thu
                              Mar 15 17:13:04 UTC 2018 x86_64 x86_64
Alert Count                   66
First Seen                    2018-04-09 14:33:13 CEST
Last Seen                     2018-04-09 15:49:13 CEST
Local ID                      3865f414-f6b5-4a8c-a975-f2212956b8e2

Raw Audit Messages
type=AVC msg=audit(1523281753.846:685): avc:  denied  { unix_read } for  pid=2154 comm="pmdalinux" key=-876378888  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=sem permissive=0


Hash: pmdalinux,pcp_pmcd_t,mozilla_plugin_t,sem,unix_read

/* note:
 * the problem occurs after unpluging and then pluging my laptop (Thinkpad T450s) into my docking station. - Using fedora KDE 
 */


Version-Release number of selected component:
selinux-policy-3.13.1-283.28.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.10-300.fc27.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2018-04-13 15:46:42 UTC
Hi, 

Any idea whats going on here?

Comment 2 Nathan Scott 2018-04-15 22:22:29 UTC
Not precisely, but I know someone who will.  From the diagnostics, in PCP we don't manipulate semaphores ourselves but we do have some code extracting metrics from the kernel about them (I'm assuming this is what "sem" refers to in the AVC).  Lukas, any other/better ideas?  Thanks.

$ pminfo ipc.sem
ipc.sem.max_semmap
ipc.sem.max_semid
ipc.sem.max_sem
ipc.sem.num_undo
ipc.sem.max_perid
ipc.sem.max_ops
ipc.sem.max_undoent
ipc.sem.sz_semundo
ipc.sem.max_semval
ipc.sem.max_exit
ipc.sem.used_sem
ipc.sem.tot_sem
ipc.sem.key
ipc.sem.owner
ipc.sem.perms
ipc.sem.nsems

Comment 3 Lukas Berk 2018-04-18 14:37:23 UTC
That sounds about right, possibly from the various shmctl calls in pmdas/linux/ipc.c

I've got a fix in our upstream type enforcement file.  That being said, this fix will only apply to mozilla_plugin_t contexts.  We'll (probably) eventually hit other contexts over time, it'd be nice to have a fix for all applicable contexts.


commit df24d8a50ec5444624fe35a7d9ec5d9f81822251 (HEAD -> master)
Author: Lukas Berk <lberk@redhat.com>
Date:   Wed Apr 18 10:34:35 2018 -0400

    selinux: rhbz1565158 ipc.sem metrics
    
    917.out.in        - update testcase
    pcpupstream.te.in - update policy

Comment 4 Fedora Update System 2018-05-11 06:31:49 UTC
pcp-4.0.2-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6512e2424f

Comment 5 Fedora Update System 2018-05-11 06:33:52 UTC
pcp-4.0.2-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-33d59f9a5f

Comment 6 Fedora Update System 2018-05-11 06:34:37 UTC
pcp-4.0.2-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bfd50f6638

Comment 7 Fedora Update System 2018-05-11 17:37:19 UTC
pcp-4.0.2-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-33d59f9a5f

Comment 8 Fedora Update System 2018-05-11 18:52:09 UTC
pcp-4.0.2-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6512e2424f

Comment 9 Fedora Update System 2018-05-11 19:27:36 UTC
pcp-4.0.2-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bfd50f6638

Comment 10 Fedora Update System 2018-05-22 14:28:49 UTC
pcp-4.0.2-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-06-15 07:37:29 UTC
pcp-4.1.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-dfb77e69f1

Comment 12 Fedora Update System 2018-06-15 07:37:55 UTC
pcp-4.1.0-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e351b52702

Comment 13 Fedora Update System 2018-06-15 14:09:35 UTC
pcp-4.1.0-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e351b52702

Comment 14 Fedora Update System 2018-06-15 16:35:35 UTC
pcp-4.1.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-dfb77e69f1

Comment 15 Fedora Update System 2018-06-23 19:56:19 UTC
pcp-4.1.0-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2018-06-23 20:47:02 UTC
pcp-4.1.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.