Description of problem: I upgraded from Fedora 28 to Fedora 29, and started experiencing a huge number of these warnings. SELinux is preventing pmdalinux from using the 'ipc_owner' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmdalinux should have the ipc_owner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux # semodule -X 300 -i my-pmdalinux.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:system_r:pcp_pmcd_t:s0 Target Objects Unknown [ capability ] Source pmdalinux Source Path pmdalinux Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-42.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.19.5-300.fc29.x86_64 #1 SMP Tue Nov 27 19:29:23 UTC 2018 x86_64 x86_64 Alert Count 14294 First Seen 2018-12-01 17:37:19 EET Last Seen 2018-12-02 12:51:10 EET Local ID 805b61d1-bf8d-4a41-935b-b974dfcee4be Raw Audit Messages type=AVC msg=audit(1543747870.318:637): avc: denied { ipc_owner } for pid=4897 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 Hash: pmdalinux,pcp_pmcd_t,pcp_pmcd_t,capability,ipc_owner Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.5-300.fc29.x86_64 type: libreport
Also installed is pcp-selinux-4.2.0-1.fc29.x86_64
commit 7b8db99bf6e3163c64754cea624fce74707c1325 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Wed Dec 19 16:27:44 2018 +0100 Add ipc_owner capability to pcp_pmcd_t domain BZ(1655282)
I observe it also in pcp-4.3.0-2.fc29.x86_64 - the latest version available in koji. @Lukas Do you plan to release the new version anytime soon? I wanted to apply the change locally, but I can't find this commit in https://src.fedoraproject.org/cgit/rpms/pcp.git/ and https://github.com/performancecopilot/pcp .
Confirmed here too. Upgrade from 28 to 29_64 now results in nonstop selinux AVC denial warnings. SELinux is preventing pmdalinux from using the ipc_owner capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that pmdalinux should have the ipc_owner capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux # semodule -X 300 -i my-pmdalinux.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:system_r:pcp_pmcd_t:s0 Target Objects Unknown [ capability ] Source pmdalinux Source Path pmdalinux Port <Unknown> Host jonnyslaptop-localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-44.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name jonnyslaptop-localdomain Platform Linux jonnyslaptop-localdomain 4.19.13-300.fc29.x86_64 #1 SMP Sat Dec 29 22:54:28 UTC 2018 x86_64 x86_64 Alert Count 223 First Seen 2019-01-07 19:26:39 EST Last Seen 2019-01-07 20:08:00 EST Local ID 21b0832f-4aa7-4038-8c38-dd48a0ea1a7b Raw Audit Messages type=AVC msg=audit(1546909680.8:897): avc: denied { ipc_owner } for pid=1687 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 Hash: pmdalinux,pcp_pmcd_t,pcp_pmcd_t,capability,ipc_owner Cheers, Jon
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.