Description of problem:
Install new updates. Restart computer. It started happening.

SELinux is preventing pmdalinux from 'unix_read' accesses on the shared memory Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmdalinux should be allowed unix_read access on the Unknown shm by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:iscsid_t:s0
Target Objects                Unknown [ shm ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.35.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.17.5-100.fc27.x86_64 #1 SMP Mon Jul 9 19:04:45 UTC 2018 x86_64 x86_64
Alert Count                   30
First Seen                    2018-07-17 07:38:37 CEST
Last Seen                     2018-07-17 07:44:37 CEST
Local ID                      1d27b896-36b4-401f-8201-98a82a657a69

Raw Audit Messages
type=AVC msg=audit(1531806277.341:312): avc: denied { unix_read } for pid=2349 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=shm permissive=0

Hash: pmdalinux,pcp_pmcd_t,iscsid_t,shm,unix_read

Version-Release number of selected component:
selinux-policy-3.13.1-283.35.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.17.5-100.fc27.x86_64
type:           libreport
Seeing it on Fedora 29 too (nvidia driver from negativo17 if that's relevant)
Hi,

Sorry, this seems to have slipped through the cracks, it's been fixed upstream in commit:

commit 3e6e622a12d6bf80202e2446971ad531f2b4eea1
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 21 23:28:39 2018 +0100

It'll make it into the next spin of PCP
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
pcp-4.3.0-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19
pcp-4.3.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e
pcp-4.3.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3d0256193e
pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3dc05c6d19
pcp-4.3.0-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Hello,

I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for pcp. I have these packages:
pcp-4.3.0-1.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch

Thank you
here are a couple of the reports:

SELinux is preventing pmdalinux from 'unix_read' accesses on the semaphore labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmdalinux should be allowed unix_read access on sem labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ sem ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   208
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:01:02 EST
Local ID                      950734ae-231c-40fc-8674-532bbec5f910

Raw Audit Messages
type=AVC msg=audit(1545782462.243:6563): avc: denied { unix_read } for pid=44827 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0

Hash: pmdalinux,pcp_pmcd_t,httpd_t,sem,unix_read

====

SELinux is preventing pmdalinux from 'read' accesses on the file /usr/sbin/mdadm.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmdalinux should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:mdadm_exec_t:s0
Target Objects                /usr/sbin/mdadm [ file ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           mdadm-4.1-rc2.0.2.fc29.x86_64
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   78
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:01:02 EST
Local ID                      92818fff-5715-4c2d-b692-7e8caa27d7fc

Raw Audit Messages
type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0

Hash: pmdalinux,pcp_pmcd_t,mdadm_exec_t,file,read

===

SELinux is preventing pmdalinux from 'search' accesses on the directory /proc/fs/nfsd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pmdalinux should be allowed search access on the nfsd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:nfsd_fs_t:s0
Target Objects                /proc/fs/nfsd [ dir ]
Source                        pmdalinux
Source Path                   pmdalinux
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   71
First Seen                    2018-12-25 18:42:50 EST
Last Seen                     2018-12-25 19:02:02 EST
Local ID                      cb85b1a0-56e3-4c8f-a4a0-bd524ae6f8bb

Raw Audit Messages
type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

Hash: pmdalinux,pcp_pmcd_t,nfsd_fs_t,dir,search
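
Added example, not part of the original reports and not code from PCP or setroubleshoot: a small Python parser that reduces raw AVC denial records like the ones in this bug to the comma-separated tuple shown on the reports' "Hash:" lines, so hundreds of repeated alerts collapse into a few distinct denials to review before any policy change. The function names are illustrative, and the key format is an assumption inferred from the Hash lines on this page.

```python
import re
from collections import Counter

# Raw AVC records taken from the reports in this bug (one string per record).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1531806277.341:312): avc: denied { unix_read } for pid=2349 '
    'comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 '
    'tcontext=system_u:system_r:iscsid_t:s0 tclass=shm permissive=0',
    'type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for pid=44827 '
    'comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293 '
    'scontext=system_u:system_r:pcp_pmcd_t:s0 '
    'tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for pid=44827 '
    'comm="pmdalinux" name="/" dev="nfsd" ino=1 '
    'scontext=system_u:system_r:pcp_pmcd_t:s0 '
    'tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def avc_key(line):
    """Reduce one AVC denial to 'comm,source_type,target_type,class,perms'."""
    match = AVC_RE.search(line)
    if match is None:
        return None  # not an AVC denial (e.g. a SYSCALL or PATH record)
    perms = match.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    required = ('comm', 'scontext', 'tcontext', 'tclass')
    if not perms or any(name not in fields for name in required):
        return None  # truncated record: do not guess missing fields
    # Key layout is assumed from the "Hash:" lines in the reports above.
    return ','.join([fields['comm'], selinux_type(fields['scontext']),
                     selinux_type(fields['tcontext']), fields['tclass'], *perms])


def summarize(lines):
    """Count denials per key so repeated alerts collapse into one row each."""
    return Counter(key for key in map(avc_key, lines) if key is not None)


if __name__ == '__main__':
    for key, count in summarize(SAMPLE_AVCS).most_common():
        print(count, key)
```
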
pcp-4.3.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78
pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0913e3af78
pcp-4.3.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Hi Eduardo,

(In reply to Eduardo from comment #9)
> I just upgraded to Fedora 29 and I am seeing a lot of these AVC denials for
> pcp. I have these packages:
> pcp-4.3.0-1.fc29.x86_64
> selinux-policy-3.14.2-44.fc29.noarch

Sorry to hear that, thanks for reporting it (because the original bug was fixed upstream, the Fedora update system will continue to mark this as closed because the bug is filed in errata).

>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that pmdalinux should be allowed unix_read access on sem
> labeled httpd_t by default.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6563): avc: denied { unix_read } for
> pid=44827 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=sem permissive=0
[...]
> SELinux is preventing pmdalinux from 'read' accesses on the file
> /usr/sbin/mdadm.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782462.243:6566): avc: denied { read } for
> pid=44827 comm="pmdalinux" name="mdadm" dev="dm-1" ino=115293
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
[...]
> SELinux is preventing pmdalinux from 'search' accesses on the directory
> /proc/fs/nfsd.
[...]
> Raw Audit Messages
> type=AVC msg=audit(1545782522.264:6612): avc: denied { search } for
> pid=44827 comm="pmdalinux" name="/" dev="nfsd" ino=1
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

I'm not able to reproduce a single one of these AVCs. Each is marked as 'would be allowed by active policy' by audit2allow.

What version of pcp-selinux do you have installed?
$ rpm -q pcp-selinux

Is the upstream pcp policy active?
$ sudo semodule --list=full | grep pcpupstream

Thanks
Hi Lukas, After the pcp-4.3.0-2.fc28 update the issue is gone. Thank you for following up, Eduardo