Description of problem:

Upgrading to latest RHEL 7 PCP package pcp-4.3.2-2.el7 gives several issues.

1) During installation/upgrade of pcp-selinux:

    Updating / installing...
    1:pcp-selinux-4.3.2-2.el7 ################################# [100%]
    Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/pcpupstream/cil:83
    semodule: Failed!

On dmesg we see these corresponding messages:

    [ 141.461377] SELinux: 2048 avtab hash slots, 112449 rules.
    [ 141.493590] SELinux: 2048 avtab hash slots, 112449 rules.
    [ 141.512245] SELinux: 8 users, 14 roles, 5036 types, 318 bools, 1 sens, 1024 cats
    [ 141.512248] SELinux: 129 classes, 112449 rules
    [ 141.515473] SELinux: Class bpf not defined in policy.
    [ 141.515474] SELinux: the above unknown classes and permissions will be allowed

2) pmie_check.service is for some reason static unlike other PCP services:

    pmie_check.service static
    pmlogger_check.service disabled

Not sure which one is correct, but since everything else is non-static perhaps also change pmie_check.service to be so as well.

3) Stopping PCP services takes a few seconds but this is probably still within tolerable range so could be left as is:

    # time systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy
    systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy 0.02s user 0.04s system 1% cpu 4.329 total

4) There are now tons of PCP SELinux AVCs (I haven't investigated these in detail, many of them are probably fixed in upstream already):

    type=AVC msg=audit(1558891535.522:72): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=28939 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891535.522:73): avc: denied { read } for pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.522:73): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.522:74): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.618:75): avc: denied { execute } for pid=6111 comm="sh" name="ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.618:75): avc: denied { read open } for pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.618:75): avc: denied { execute_no_trans } for pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.662:77): avc: denied { read } for pid=6057 comm="python" name="libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.662:77): avc: denied { open } for pid=6057 comm="python" path="/etc/libvirt/libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891535.663:78): avc: denied { connectto } for pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
    type=AVC msg=audit(1558891536.604:103): avc: denied { read } for pid=6614 comm="pmproxy" name="disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.604:103): avc: denied { open } for pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.604:104): avc: denied { getattr } for pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.655:108): avc: denied { read } for pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.706:109): avc: denied { read } for pid=6785 comm="runlevel" name="utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.706:109): avc: denied { open } for pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.706:110): avc: denied { lock } for pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.829:111): avc: denied { execute } for pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.829:112): avc: denied { read } for pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.829:113): avc: denied { open } for pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.829:113): avc: denied { execute_no_trans } for pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891536.872:114): avc: denied { read } for pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891537.100:116): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891537.101:117): avc: denied { read } for pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891537.101:117): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891537.101:118): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891541.666:123): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891541.666:124): avc: denied { read } for pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891541.666:124): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891541.666:125): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891544.699:126): avc: denied { read } for pid=21608 comm="pmlogger" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891545.091:127): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891545.091:128): avc: denied { read } for pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891545.091:128): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891545.091:129): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891583.480:170): avc: denied { getattr } for pid=6030 comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=37944 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
    type=AVC msg=audit(1558891583.481:171): avc: denied { getattr } for pid=6030 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=9211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
    type=AVC msg=audit(1558891583.481:172): avc: denied { getattr } for pid=6030 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891584.112:173): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891584.113:174): avc: denied { read } for pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891584.113:174): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891584.113:175): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891601.572:188): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1558891601.573:189): avc: denied { read } for pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891601.573:189): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891601.573:190): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1558891605.092:192): avc: denied { read } for pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
pcp-4.3.2-2.el7
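Added example (not part of the original report and not PCP or Red Hat code): a small Python triage helper that collapses AVC records like the ones above into one line per source type, target type and class, so a reviewer can see which accesses each PCP domain attempted before deciding whether policy should permit them. The function names are illustrative; the sample records are copied from the report and deliberately run together on one line, as they often arrive in pasted logs.

```python
import re
from collections import defaultdict

# Records copied from the audit excerpt in the report, joined without newlines.
SAMPLE = (
    'type=AVC msg=audit(1558891535.522:73): avc: denied { read } for pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 '
    'type=AVC msg=audit(1558891535.522:73): avc: denied { open } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 '
    'type=AVC msg=audit(1558891535.522:74): avc: denied { getattr } for pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 '
    'type=AVC msg=audit(1558891535.618:75): avc: denied { read open } for pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 '
    'type=AVC msg=audit(1558891535.663:78): avc: denied { connectto } for pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1'
)

# One match per denial; re.S lets a record span a wrapped line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)",
    re.S,
)

def selinux_type(context):
    """Extract the type field from user:role:type:level[:categories]."""
    return context.split(":")[2]

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_rules(summary):
    """Render the summary in allow-rule syntax, for review only."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Every record in the report carries permissive=1, so these accesses were logged but not blocked.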
I believe a PCP rebuild adding dependencies matching latest 7.7 selinux policy should resolve this.
*** Bug 1724074 has been marked as a duplicate of this bug. ***
This is creating an error message during every rhel 7.7 update where pcp is installed.
Before attempting to update to 7.7:

    yum update selinux-policy

If the update's on a schedule, and you couldn't intervene in time,

    yum reinstall pcp-selinux

after the update to 7.7 should fix it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0994