1714101 – RHEL 7.7 PCP Upgrade issues

Bug 1714101 - RHEL 7.7 PCP Upgrade issues

Summary: RHEL 7.7 PCP Upgrade issues

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pcp
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Nathan Scott
QA Contact:	Jan Kurik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1724074 (view as bug list)
Depends On:
Blocks:	1670353
TreeView+	depends on / blocked

Reported:	2019-05-27 06:44 UTC by Marko Myllynen
Modified:	2019-09-06 09:19 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	No Doc Update
Clone Of:
Clones:	1730206 (view as bug list)
Environment:
Last Closed:	2019-06-26 20:35:26 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	4251761	Install	None	Updating or installing PCP (Performance Co-Pilot) may cause lots of AVC denials	2019-06-27 13:01:12 UTC

Description Marko Myllynen 2019-05-27 06:44:21 UTC

Description of problem:
Upgrading to latest RHEL 7 PCP package pcp-4.3.2-2.el7 gives several issues.

1) During installation/upgrade of pcp-selinux:

Updating / installing...
   1:pcp-selinux-4.3.2-2.el7          ################################# [100%]
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/pcpupstream/cil:83
semodule:  Failed!

On dmesg we see these corresponding messages:

[  141.461377] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.493590] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.512245] SELinux:  8 users, 14 roles, 5036 types, 318 bools, 1 sens, 1024 cats
[  141.512248] SELinux:  129 classes, 112449 rules
[  141.515473] SELinux:  Class bpf not defined in policy.
[  141.515474] SELinux: the above unknown classes and permissions will be allowed

2) pmie_check.service is for some reason static unlike other PCP services:

pmie_check.service                            static
pmlogger_check.service                        disabled

Not sure which one is the correct but since everything else is non-static perhaps also change pmie_check.service to be so as well.

3) Stopping PCP services takes few seconds but this is probably still within tolerable range so could be left as is:

# time systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy
systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy  0.02s user 0.04s system 1% cpu 4.329 total

4) There are now tons of PCP SELinux AVCs (I haven't investigated these in detail, many of them are probably fixed in upstream already):

type=AVC msg=audit(1558891535.522:72): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=28939 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tcla
ss=dir permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:74): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute } for  pid=6111 comm="sh" name="ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { read open } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute_no_trans } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { read } for  pid=6057 comm="python" name="libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { open } for  pid=6057 comm="python" path="/etc/libvirt/libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.663:78): avc:  denied  { connectto } for  pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { read } for  pid=6614 comm="pmproxy" name="disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { open } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:104): avc:  denied  { getattr } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.655:108): avc:  denied  { read } for  pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { read } for  pid=6785 comm="runlevel" name="utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { open } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:110): avc:  denied  { lock } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:111): avc:  denied  { execute } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:112): avc:  denied  { read } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { open } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { execute_no_trans } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.872:114): avc:  denied  { read } for  pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.100:116): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:118): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:123): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:125): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891544.699:126): avc:  denied  { read } for  pid=21608 comm="pmlogger" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:127): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:129): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891583.480:170): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=37944 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1558891583.481:171): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=9211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1558891583.481:172): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.112:173): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:175): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.572:188): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:190): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891605.092:192): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
pcp-4.3.2-2.el7

Comment 6 Nathan Scott 2019-06-04 00:44:56 UTC

I believe a PCP rebuild adding dependencies matching latest 7.7 selinux policy should resolve this.

Comment 18 Nathan Scott 2019-06-27 07:21:56 UTC

*** Bug 1724074 has been marked as a duplicate of this bug. ***

Comment 19 Klaas Demter 2019-08-07 09:10:31 UTC

This is creating an error message during every rhel 7.7 update where pcp is installed.

Comment 20 Phil Randal 2019-08-07 12:21:24 UTC

Before attempting to update to 7.7

yum update selinux-policy

If the update's on a schedule, and you couldn't intervene in time,

yum reinstall pcp-selinux

after the update to 7.7 should fix it

Note You need to log in before you can comment on or make changes to this bug.