1714101 – RHEL 7.7 PCP Upgrade issues

Bug 1714101 - RHEL 7.7 PCP Upgrade issues

Summary: RHEL 7.7 PCP Upgrade issues

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pcp
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Nathan Scott
QA Contact:	Jan Kurik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1724074 (view as bug list)
Depends On:
Blocks:	1122832 1670353 1777676 1781692 1782198
TreeView+	depends on / blocked

Reported:	2019-05-27 06:44 UTC by Marko Myllynen
Modified:	2020-03-31 19:09 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	No Doc Update
Clone Of:
Clones:	1730206 1777676 1781692 1782198 (view as bug list)
Environment:
Last Closed:	2020-03-31 19:09:14 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	4251761	0	Install	None	Updating or installing PCP (Performance Co-Pilot) may cause lots of AVC denials	2019-06-27 13:01:12 UTC
Red Hat Product Errata	RHBA-2020:0994	0	None	None	None	2020-03-31 19:09:36 UTC

Description Marko Myllynen 2019-05-27 06:44:21 UTC

Description of problem:
Upgrading to latest RHEL 7 PCP package pcp-4.3.2-2.el7 gives several issues.

1) During installation/upgrade of pcp-selinux:

Updating / installing...
   1:pcp-selinux-4.3.2-2.el7          ################################# [100%]
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/pcpupstream/cil:83
semodule:  Failed!

On dmesg we see these corresponding messages:

[  141.461377] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.493590] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.512245] SELinux:  8 users, 14 roles, 5036 types, 318 bools, 1 sens, 1024 cats
[  141.512248] SELinux:  129 classes, 112449 rules
[  141.515473] SELinux:  Class bpf not defined in policy.
[  141.515474] SELinux: the above unknown classes and permissions will be allowed

2) pmie_check.service is for some reason static unlike other PCP services:

pmie_check.service                            static
pmlogger_check.service                        disabled

Not sure which one is the correct but since everything else is non-static perhaps also change pmie_check.service to be so as well.

3) Stopping PCP services takes few seconds but this is probably still within tolerable range so could be left as is:

# time systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy
systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy  0.02s user 0.04s system 1% cpu 4.329 total

4) There are now tons of PCP SELinux AVCs (I haven't investigated these in detail, many of them are probably fixed in upstream already):

type=AVC msg=audit(1558891535.522:72): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=28939 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tcla
ss=dir permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:74): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute } for  pid=6111 comm="sh" name="ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { read open } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute_no_trans } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { read } for  pid=6057 comm="python" name="libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { open } for  pid=6057 comm="python" path="/etc/libvirt/libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.663:78): avc:  denied  { connectto } for  pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { read } for  pid=6614 comm="pmproxy" name="disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { open } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:104): avc:  denied  { getattr } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.655:108): avc:  denied  { read } for  pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { read } for  pid=6785 comm="runlevel" name="utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { open } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:110): avc:  denied  { lock } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:111): avc:  denied  { execute } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:112): avc:  denied  { read } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { open } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { execute_no_trans } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.872:114): avc:  denied  { read } for  pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.100:116): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:118): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:123): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:125): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891544.699:126): avc:  denied  { read } for  pid=21608 comm="pmlogger" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:127): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:129): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891583.480:170): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=37944 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1558891583.481:171): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=9211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1558891583.481:172): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.112:173): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:175): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.572:188): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:190): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891605.092:192): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
pcp-4.3.2-2.el7

Comment 6 Nathan Scott 2019-06-04 00:44:56 UTC

I believe a PCP rebuild adding dependencies matching latest 7.7 selinux policy should resolve this.

Comment 18 Nathan Scott 2019-06-27 07:21:56 UTC

*** Bug 1724074 has been marked as a duplicate of this bug. ***

Comment 19 Klaas Demter 2019-08-07 09:10:31 UTC

This is creating an error message during every rhel 7.7 update where pcp is installed.

Comment 20 Phil Randal 2019-08-07 12:21:24 UTC

Before attempting to update to 7.7

yum update selinux-policy

If the update's on a schedule, and you couldn't intervene in time,

yum reinstall pcp-selinux

after the update to 7.7 should fix it

Comment 41 errata-xmlrpc 2020-03-31 19:09:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0994

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
chorn
cww
jkurik
klaas
lberk
mcermak
mgoodwin
mkolar
mnewsome
nathans
ofalk
patrickm
peter.vreman
phil.randal
pholica
rhayden
sbroz
snejoshi
yuokada