Description of problem:
cockpit and cockpit-pcp are installed and active on this system. The SELinux alerts appear during or after system (re)start.

SELinux is preventing find from 'getattr' accesses on the Verzeichnis /proc/irq.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es find standardmäßig erlaubt sein sollte, getattr Zugriff auf irq directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'find' --raw | audit2allow -M my-find
# semodule -X 300 -i my-find.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:object_r:sysctl_irq_t:s0
Target Objects                /proc/irq [ dir ]
Source                        find
Source Path                   find
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-44.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon Dec 17 15:34:44 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-12-28 15:00:40 CET
Last Seen                     2018-12-28 15:00:40 CET
Local ID                      a89dd773-46a0-4f23-bfde-c2332140d26b

Raw Audit Messages
type=AVC msg=audit(1546005640.125:274): avc: denied { getattr } for pid=7796 comm="find" path="/proc/irq" dev="proc" ino=4026531861 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0

Hash: find,pcp_pmlogger_t,sysctl_irq_t,dir,getattr

Version-Release number of selected component:
selinux-policy-3.14.2-44.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.7
hashmarkername: setroubleshoot
kernel:         4.19.10-300.fc29.x86_64
type:           libreport
*** Bug 1662342 has been marked as a duplicate of this bug. ***
*** Bug 1662545 has been marked as a duplicate of this bug. ***
*** Bug 1662440 has been marked as a duplicate of this bug. ***
*** Bug 1662439 has been marked as a duplicate of this bug. ***
*** Bug 1662438 has been marked as a duplicate of this bug. ***
*** Bug 1662437 has been marked as a duplicate of this bug. ***
commit 161e5c5cf24f0056520c9de52f7c09f43674a9d2 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 9 11:17:11 2019 +0100

    Allow pcp_pmlogger_t domain to read al sysctls BZ(1662441)
*** Bug 1662392 has been marked as a duplicate of this bug. ***
*** Bug 1662332 has been marked as a duplicate of this bug. ***
*** Bug 1664087 has been marked as a duplicate of this bug. ***
*** Bug 1662026 has been marked as a duplicate of this bug. ***
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
I have rebooted multiple times by now. I am no longer observing this issue, although I am not using testing.

$ rpm -qa |grep -i selinux-policy-
selinux-policy-3.14.2-44.fc29.noarch
$ uname -r
4.19.13-300.fc29.x86_64

Regards
Helmut
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.