Bug 1714101 - RHEL 7.7 PCP Upgrade issues
Summary: RHEL 7.7 PCP Upgrade issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcp
Version: 7.7
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Nathan Scott
QA Contact: Jan Kurik
URL:
Whiteboard:
: 1724074 (view as bug list)
Depends On:
Blocks: 1122832 1670353 1777676 1781692 1782198
TreeView+ depends on / blocked
 
Reported: 2019-05-27 06:44 UTC by Marko Myllynen
Modified: 2020-03-31 19:09 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
No Doc Update
Clone Of:
: 1730206 1777676 1781692 1782198 (view as bug list)
Environment:
Last Closed: 2020-03-31 19:09:14 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4251761 Install None Updating or installing PCP (Performance Co-Pilot) may cause lots of AVC denials 2019-06-27 13:01:12 UTC
Red Hat Product Errata RHBA-2020:0994 None None None 2020-03-31 19:09:36 UTC

Description Marko Myllynen 2019-05-27 06:44:21 UTC 
Description of problem:
Upgrading to latest RHEL 7 PCP package pcp-4.3.2-2.el7 gives several issues.

1) During installation/upgrade of pcp-selinux:

Updating / installing...
   1:pcp-selinux-4.3.2-2.el7          ################################# [100%]
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/400/pcpupstream/cil:83
semodule:  Failed!

On dmesg we see these corresponding messages:

[  141.461377] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.493590] SELinux: 2048 avtab hash slots, 112449 rules.
[  141.512245] SELinux:  8 users, 14 roles, 5036 types, 318 bools, 1 sens, 1024 cats
[  141.512248] SELinux:  129 classes, 112449 rules
[  141.515473] SELinux:  Class bpf not defined in policy.
[  141.515474] SELinux: the above unknown classes and permissions will be allowed

2) pmie_check.service is for some reason static unlike other PCP services:

pmie_check.service                            static
pmlogger_check.service                        disabled

Not sure which one is the correct but since everything else is non-static perhaps also change pmie_check.service to be so as well.

3) Stopping PCP services takes few seconds but this is probably still within tolerable range so could be left as is:

# time systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy
systemctl stop pmcd pmlogger pmie pmwebd pmmgr pmproxy  0.02s user 0.04s system 1% cpu 4.329 total

4) There are now tons of PCP SELinux AVCs (I haven't investigated these in detail, many of them are probably fixed in upstream already):

type=AVC msg=audit(1558891535.522:72): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=28939 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tcla
ss=dir permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:73): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.522:74): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/tracing/events/kvm/kvm_exit/id" dev="debugfs" ino=29234 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute } for  pid=6111 comm="sh" name="ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { read open } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.618:75): avc:  denied  { execute_no_trans } for  pid=6111 comm="sh" path="/usr/sbin/ldconfig" dev="dm-3" ino=48825 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { read } for  pid=6057 comm="python" name="libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.662:77): avc:  denied  { open } for  pid=6057 comm="python" path="/etc/libvirt/libvirt.conf" dev="dm-3" ino=270471553 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891535.663:78): avc:  denied  { connectto } for  pid=6057 comm="python" path="/run/libvirt/libvirt-sock-ro" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { read } for  pid=6614 comm="pmproxy" name="disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:103): avc:  denied  { open } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.604:104): avc:  denied  { getattr } for  pid=6614 comm="pmproxy" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=6848 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.655:108): avc:  denied  { read } for  pid=6663 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { read } for  pid=6785 comm="runlevel" name="utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:109): avc:  denied  { open } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.706:110): avc:  denied  { lock } for  pid=6785 comm="runlevel" path="/run/utmp" dev="tmpfs" ino=32175 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:111): avc:  denied  { execute } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:112): avc:  denied  { read } for  pid=7175 comm="pmie_check" name="hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { open } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.829:113): avc:  denied  { execute_no_trans } for  pid=7178 comm="pmie_check" path="/usr/bin/hostname" dev="dm-3" ino=402711587 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891536.872:114): avc:  denied  { read } for  pid=7286 comm="pmie" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.100:116): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:117): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891537.101:118): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:123): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:124): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891541.666:125): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891544.699:126): avc:  denied  { read } for  pid=21608 comm="pmlogger" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:127): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:128): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891545.091:129): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891583.480:170): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=37944 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1558891583.481:171): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=9211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1558891583.481:172): avc:  denied  { getattr } for  pid=6030 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.112:173): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:174): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891584.113:175): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.572:188): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:189): avc:  denied  { open } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891601.573:190): avc:  denied  { getattr } for  pid=6050 comm="pmdakvm" path="/sys/kernel/debug/kvm/largepages" dev="debugfs" ino=29798 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1558891605.092:192): avc:  denied  { read } for  pid=6050 comm="pmdakvm" name="kvm" dev="debugfs" ino=29762 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
pcp-4.3.2-2.el7
Comment 6 Nathan Scott 2019-06-04 00:44:56 UTC 
I believe a PCP rebuild adding dependencies matching latest 7.7 selinux policy should resolve this.
Comment 18 Nathan Scott 2019-06-27 07:21:56 UTC 
*** Bug 1724074 has been marked as a duplicate of this bug. ***
Comment 19 Klaas Demter 2019-08-07 09:10:31 UTC 
This is creating an error message during every rhel 7.7 update where pcp is installed.
Comment 20 Phil Randal 2019-08-07 12:21:24 UTC 
Before attempting to update to 7.7

yum update selinux-policy

If the update's on a schedule, and you couldn't intervene in time,

yum reinstall pcp-selinux

after the update to 7.7 should fix it
Comment 41 errata-xmlrpc 2020-03-31 19:09:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0994
Note You need to log in before you can comment on or make changes to this bug.