Paul Evans tells me that this is fixed in upstream pcp, as it has its own policy package, but the patch isn't in RHEL7 yet. Changing component accordingly.
Hi Steve,
Lukas is on PTO for the next little while, so I'll answer here. It may be too late in the release cycle for 7.6, but we can certainly try - it's not a problem to backport selinux fixes from an engr POV (very low risk change). I've set the devel-ack flag, let's see what the PM & QE folk say.
cheers.
If we cannot fix it (which would be my preferred solution) it will at least need a release note, since it is not usable with selinux without this. I know it is late in the cycle now, but it was picked up as an issue some time ago, and as you mention it should be a low risk change.
Hi Nathan, Steve,
The fix with the required additional selinux permissions has been merged upstream since 25th July (and was tested against RHEL 7 with SELinux enabled) with the following commit:
5ca37da22a907af28e5f977bf10fa28704bb5f68 - selinux: pmdagfs2 add additional required rule
Cheers,
Paul
The patch is successfully applied, but the reported selinux denials should be covered by the
'allow pcp_pmcd_t debugfs_t:file { getattr open read };' rule, which is already present in pcp-4.1.0-2.el7.
Hi Michal, Nathan,
Patch adds both:
'allow pcp_pmcd_t debugfs_t:dir { search };' and
'allow pcp_pmcd_t debugfs_t:file { write };'
which are additional to pcp-4.1.0-2.el7.
These extra components to the rules are needed by the PMDA on startup to enable the kernel tracepoints.
Cheers,
Paul
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2018:3095
[root@qe-c01-m01 ~]# rpm -q selinux-policy pcp-pmda-gfs2
selinux-policy-3.13.1-207.el7.noarch
pcp-pmda-gfs2-4.1.0-2.el7.s390x
[root@qe-c01-m01 ~]# uname -r
3.10.0-924.el7.s390x
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total
gfs2.glocks.total
No value(s) available!
[root@qe-c01-m01 ~]# setenforce permissive
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total
gfs2.glocks.total
    inst [0 or "s390-cluster1:s390-cluster10"] value 130
    inst [1 or "s390-cluster1:s390-cluster11"] value 130
    inst [2 or "s390-cluster1:s390-cluster12"] value 130
[root@qe-c01-m01 ~]# setenforce enforcing
[root@qe-c01-m01 ~]# pminfo -f gfs2.glocks.total
gfs2.glocks.total
No value(s) available!
[root@qe-c01-m01 ~]# aureport -a | tail
47247. 19/07/18 13:00:12 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39752
47248. 19/07/18 13:00:25 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39755
47249. 19/07/18 13:00:35 in:imjournal system_u:system_r:syslogd_t:s0 5 file write system_u:object_r:unlabeled_t:s0 denied 39756
47250. 19/07/18 13:01:01 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 39760
47251. 19/07/18 13:01:01 ? system_u:system_r:init_t:s0 0 (null) (null) (null) unset 39761
47252. 19/07/18 13:13:42 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39774
47253. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file read system_u:object_r:debugfs_t:s0 denied 39775
47254. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39775
47255. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 108 file getattr system_u:object_r:debugfs_t:s0 denied 39776
47256. 19/07/18 13:13:50 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39778
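The reproduction above and the rule discussion earlier in the thread (which permissions pcp_pmcd_t needs on debugfs_t, and which of them the shipped policy already grants) can be checked with a small shell toolkit. The script below is an added example, not code from this bug, from Red Hat or from the pcp project: it turns `aureport -a` lines into TE allow rules, checks a rule against the loaded policy with sesearch, and wraps the rules into a local policy module. The function names, the module name "local_pcp" and the embedded sample (copied from the reporter's aureport output, with one "unset" line added) are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this bug thread (not code from the bug, from Red Hat or from
# the pcp project). Function names, the module name "local_pcp" and the sample
# aureport lines below are this example's own assumptions.

# Constructed sample: the pmdagfs2 lines from the reporter's `aureport -a | tail`,
# plus one "unset" line to show that non-denials are ignored.
SAMPLE='47247. 19/07/18 13:00:12 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39752
47248. 19/07/18 13:00:25 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 39755
47249. 19/07/18 13:00:35 in:imjournal system_u:system_r:syslogd_t:s0 5 file write system_u:object_r:unlabeled_t:s0 denied 39756
47253. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file read system_u:object_r:debugfs_t:s0 denied 39775
47254. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 5 file open system_u:object_r:debugfs_t:s0 denied 39775
47255. 19/07/18 13:13:44 pmdagfs2 system_u:system_r:pcp_pmcd_t:s0 108 file getattr system_u:object_r:debugfs_t:s0 denied 39776'

# avc_to_allow [SOURCE_TYPE]
# Reads `aureport -a` lines on stdin and prints one TE allow rule per
# (source type, target type, class), merging the denied permissions.
# aureport -a columns: num date time comm subject syscall class perm object result event
avc_to_allow() {
    awk -v want="${1:-}" '
        $10 == "denied" && NF >= 11 {
            split($5, s, ":"); split($9, o, ":")   # contexts are user:role:type:level
            if (want != "" && s[3] != want) next
            print s[3], o[3], $7, $8
        }' | sort -u |
    awk '
        {
            key = $1 " " $2 ":" $3
            if (key != cur) {
                if (cur != "") print "allow " cur " {" perms " };"
                cur = key; perms = ""
            }
            perms = perms " " $4
        }
        END { if (cur != "") print "allow " cur " {" perms " };" }'
}

# policy_allows SRC TGT CLASS PERM
# Succeeds if the loaded policy already grants PERM (needs sesearch from setools).
# Rules that are already present do not belong in a local module.
policy_allows() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null | grep -q '^allow '
}

# te_module NAME
# Wraps allow rules from stdin into a complete .te source: the require block
# lists every type and every class/permission the rules reference.
te_module() {
    awk -v name="$1" '
        /^allow / {
            rules = rules $0 "\n"
            split($3, tc, ":")                     # "debugfs_t:file" -> type, class
            types[$2] = 1; types[tc[1]] = 1
            sub(/^[^{]*[{] */, ""); sub(/ *[}];$/, "")   # keep the permission list only
            n = split($0, p, " ")
            for (i = 1; i <= n; i++)
                if (!((tc[2], p[i]) in seen)) { seen[tc[2], p[i]] = 1; cls[tc[2]] = cls[tc[2]] " " p[i] }
        }
        END {
            print "module " name " 1.0;\n\nrequire {"
            for (t in types) print "\ttype " t ";"
            for (c in cls) print "\tclass " c " {" cls[c] " };"
            print "}\n"
            printf "%s", rules
        }'
}

# install_module NAME
# Compiles the .te source on stdin and loads it (checkmodule, semodule_package and
# semodule from policycoreutils; must run as root). Not invoked by this script.
install_module() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/$1.te"
    checkmodule -M -m -o "$dir/$1.mod" "$dir/$1.te" &&
    semodule_package -o "$dir/$1.pp" -m "$dir/$1.mod" &&
    semodule -i "$dir/$1.pp"
}

# Typical run on the affected host (root, enforcing mode):
#   aureport -a | avc_to_allow pcp_pmcd_t | te_module local_pcp | install_module local_pcp
# Offline check on the sample above:
#   printf '%s\n' "$SAMPLE" | avc_to_allow pcp_pmcd_t
```

Two caveats when using this on a host like the one in the reproduction. First, the AVC log only shows permissions that were actually denied and audited: a permission hidden by a dontaudit rule never appears in `aureport -a`, so run `semodule -DB` (rebuild the policy with dontaudit rules disabled) before collecting denials, and `semodule -B` afterwards. Second, a local module is a stopgap for the one host; once the packaged policy from the advisory is installed, remove it with `semodule -r local_pcp` so the local rules do not outlive the fix.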