1601721 – SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown.

Bug 1601721 - SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown.

Summary: SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memor...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pcp
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Berk
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:d51e8b50d28632d6e19a8d2027d...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-17 05:47 UTC by biakymet
Modified:	2019-01-02 18:08 UTC (History)
CC List:	14 users (show)
Fixed In Version:	pcp-4.3.0-1.fc29 pcp-4.3.0-2.fc28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-12-24 06:07:37 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description biakymet 2018-07-17 05:47:07 UTC

Description of problem:
Install new updates. Restart computer. It start happen.
SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed unix_read access on the Unknown shm by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:iscsid_t:s0
Target Objects                Unknown [ shm ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.35.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.17.5-100.fc27.x86_64 #1 SMP Mon
                              Jul 9 19:04:45 UTC 2018 x86_64 x86_64
Alert Count                   30
First Seen                    2018-07-17 07:38:37 CEST
Last Seen                     2018-07-17 07:44:37 CEST
Local ID                      1d27b896-36b4-401f-8201-98a82a657a69

Raw Audit Messages
type=AVC msg=audit(1531806277.341:312): avc:  denied  { unix_read } for  pid=2349 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=shm permissive=0


Hash: pmdalinux,pcp_pmcd_t,iscsid_t,shm,unix_read

Version-Release number of selected component:
selinux-policy-3.13.1-283.35.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.17.5-100.fc27.x86_64
type:           libreport

Comment 1 Michel Lind 2018-11-21 19:38:32 UTC

Seeing it on Fedora 29 too (nvidia driver from negativo17 if that's relevant)

Comment 2 Lukas Berk 2018-11-22 02:45:16 UTC

Hi,

Sorry, this seems to have slipped through the cracks, it's been fixed upstream in commit:

commit 3e6e622a12d6bf80202e2446971ad531f2b4eea1
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 21 23:28:39 2018 +0100

It'll make it into the next spin of PCP

Comment 3 Ben Cotton 2018-11-27 13:29:20 UTC

This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Fedora Update System 2018-12-21 04:11:30 UTC

pcp-4.3.0-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19

Comment 5 Fedora Update System 2018-12-21 04:12:23 UTC

pcp-4.3.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e

Comment 6 Fedora Update System 2018-12-22 01:33:31 UTC

pcp-4.3.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e

Comment 7 Fedora Update System 2018-12-22 02:58:20 UTC

pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19

Comment 8 Fedora Update System 2018-12-24 06:07:37 UTC

pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Eduardo 2018-12-26 00:04:08 UTC

Hello,

I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for pcp. I have these packages:
pcp-4.3.0-1.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch

Thank you

here are a couple of the reports:
SELinux is preventing pmdalinux from 'unix_read' accesses on the semaphore labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed unix_read access on sem labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ sem ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   208
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:01:02 EST
Local ID                      950734ae-231c-40fc-8674-532bbec5f910

Raw Audit Messages
type=AVC msg=audit(1545782462.243:6563): avc:  denied  { unix_read } for  pid=44827 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0


Hash: pmdalinux,pcp_pmcd_t,httpd_t,sem,unix_read

====
SELinux is preventing pmdalinux from 'read' accesses on the file /usr/sbin/mdadm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           mdadm-4.1-rc2.0.2.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   78
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:01:02 EST
Local ID                      92818fff-5715-4c2d-b692-7e8caa27d7fc

Raw Audit Messages
type=AVC msg=audit(1545782462.243:6566): avc:  denied  { read } for  pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0


Hash: pmdalinux,pcp_pmcd_t,mdadm_exec_t,file,read

===
SELinux is preventing pmdalinux from 'search' accesses on the directory /proc/fs/nfsd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed search access on the nfsd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                /proc/fs/nfsd [ dir ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon
                              Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   71
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:02:02 EST
Local ID                      cb85b1a0-56e3-4c8f-a4a0-bd524ae6f8bb

Raw Audit Messages
type=AVC msg=audit(1545782522.264:6612): avc:  denied  { search } for  pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0


Hash: pmdalinux,pcp_pmcd_t,nfsd_fs_t,dir,search

Comment 10 Fedora Update System 2018-12-26 10:40:27 UTC

pcp-4.3.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78

Comment 11 Fedora Update System 2018-12-27 02:58:04 UTC

pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78

Comment 12 Fedora Update System 2019-01-02 02:37:03 UTC

pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Lukas Berk 2019-01-02 17:36:14 UTC

Hi Eduardo,

(In reply to Eduardo from comment #9)
> I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for
> pcp. I have these packages:
> pcp-4.3.0-1.fc29.x86_64
> selinux-policy-3.14.2-44.fc29.noarch

Sorry to hear that, thanks for reporting it (because the original bug was fixed upstream, the fedora update system will continue to marked this as closed because the bug is filed in errata).

> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that pmdalinux should be allowed unix_read access on sem
> labeled httpd_t by default.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6563): avc:  denied  { unix_read } for 
> pid=44827 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
[...]
> SELinux is preventing pmdalinux from 'read' accesses on the file
> /usr/sbin/mdadm.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6566): avc:  denied  { read } for 
> pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
[...]
> SELinux is preventing pmdalinux from 'search' accesses on the directory
> /proc/fs/nfsd.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782522.264:6612): avc:  denied  { search } for 
> pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

I'm not able to reproduce a single one of these AVC's. Each is marked as 'would be allowed by active policy' by audit2allow.  What version of pcp-selinux do you have installed?
$ rpm -q pcp-selinux

Is the upstream pcp policy active?

$ sudo semodule --list=full | grep pcpupstream

Thanks

Comment 14 Eduardo 2019-01-02 18:08:25 UTC

Hi Lukas,
After the pcp-4.3.0-2.fc28 update the issue is gone.
Thank you for following up,
Eduardo

Note You need to log in before you can comment on or make changes to this bug.