Description of problem:
Our cockpit tests, which we just started running against Fedora 34, detected a new SELinux violation:

audit: type=1400 audit(1613478021.402:346): avc: denied { integrity } for pid=808 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0

Version-Release number of selected component (if applicable):
pcp-5.2.3-2.fc34.x86_64.rpm
pcp-selinux-5.2.3-2.fc34.x86_64.rpm
selinux-policy-3.14.8-1.fc35.noarch
kernel version == 5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64

How reproducible:
I am not sure what in our tests exactly causes this, but it's happening to the majority of them.

If that is legitimate activity, please reassign to selinux-policy and adjust the policy accordingly.

I attach the full journal here [1], in case it's useful. (Our test logs get cleaned up after a few weeks)

[1] https://logs.cockpit-project.org/logs/pull-1685-20210216-120946-834fccca-fedora-34-cockpit-project-cockpit/TestApps-testBasic-fedora-34-127.0.0.2-2501-FAIL.log.gz
Hi Katerina, Could you paste/attach the contents of /sys/kernel/security/lockdown and /var/log/pcp/pmcd/kvm.log from this machine? Thanks!
Hi Nathan,
[root@m1 ~]# cat /sys/kernel/security/lockdown
[none] integrity confidentiality
[root@m1 ~]# cat /var/log/pcp/pmcd/kvm.log
Log for pmdakvm on m1.cockpit.lan started Thu Feb 18 07:34:06 2021
Let me know if I can help somehow else.
I'm also getting this (after upgrade F33=>F34) periodically: type=AVC msg=audit(1614257948.307:5442): avc: denied { integrity } for pid=1568 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
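A triage aid for the denials quoted above, added here as an example (not code from PCP, selinux-policy or anyone in this thread): it parses both record shapes seen in this report and counts lockdown-class denials by process, source type, permission and lockdown reason. The function names are illustrative, and the last sample line is constructed.

```python
import re
from collections import Counter

# Header shapes seen in this report: kernel log ("type=1400 audit(...)")
# and auditd ("type=AVC msg=audit(...)").
AVC_RE = re.compile(
    r'type=(?:1400|AVC)\s+(?:msg=)?audit\(\d+\.\d+:(?P<serial>\d+)\):'
    r'\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted and contain spaces

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # Contexts are user:role:type:level; policy rules are written against the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def lockdown_summary(lines):
    """Count tclass=lockdown denials per (comm, source type, perm, reason)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec.get('tclass') == 'lockdown':
            for perm in rec['perms']:
                key = (rec['comm'], rec['source_type'], perm, rec.get('lockdown_reason', ''))
                counts[key] += 1
    return counts

_TAIL = ('comm="pmdakvm" lockdown_reason="debugfs access" '
         'scontext=system_u:system_r:pcp_pmcd_t:s0 '
         'tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0')
SAMPLE = [
    # The two records quoted in this report.
    'audit: type=1400 audit(1613478021.402:346): avc: denied { integrity } for pid=808 ' + _TAIL,
    'type=AVC msg=audit(1614257948.307:5442): avc: denied { integrity } for pid=1568 ' + _TAIL,
    # Constructed non-lockdown denial, to show that it is filtered out.
    'type=AVC msg=audit(1614257950.100:5450): avc: denied { read } for pid=2000 '
    'comm="example" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == '__main__':
    for key, n in lockdown_summary(SAMPLE).items():
        print(n, *key)
```

Feeding it journal or audit.log lines before and after a policy update shows whether the same (process, type, permission, reason) tuple is still being denied.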
Fix is upstream, will arrive via next PCP update (pcp-5.3.0).
commit 53e1e75d9dbec73b5da2904732b9d83efb4e642c
Author: Nathan Scott <nathans>
Date:   Tue Mar 23 13:28:38 2021 +1100
    selinux: add conditional lockdown policy access by pmdakvm
FEDORA-2021-bdd9ac9a83 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83
FEDORA-2021-7df3eeacf8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8
FEDORA-2021-bdd9ac9a83 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bdd9ac9a83` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bdd9ac9a83 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-a62f9adc26 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a62f9adc26` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a62f9adc26 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-7df3eeacf8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This also has crept into RHEL 9 beta now. Do you want a separate bug for tracking this, or do you plan to update 9beta anyway? Thank you!
There was a new PCP build in el9 just yesterday, so it may be fixed already - what PCP version do you have there Martin? No need for a new BZ as further updates are planned too. cheers.
I just did an image refresh in https://github.com/cockpit-project/bots/pull/1955 which is how I noticed that. This has pcp-5.2.5-5.el9.x86_64, which is the most current version in el9 according to brew (built on April 17 6 days ago). Yesterday I only see a RHEL 8 build (pcp-5.3.0-3.el8)
My mistake, I was thinking of the el8 build - we'll push through an el9 build early next week. Thanks Martin!
(In reply to Fedora Update System from comment #9)
> FEDORA-2021-7df3eeacf8 has been pushed to the Fedora 34 testing repository.
> Soon you'll be able to install the update with the following command:
> `sudo dnf upgrade --enablerepo=updates-testing
> --advisory=FEDORA-2021-7df3eeacf8`
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2021-7df3eeacf8
>
> See also https://fedoraproject.org/wiki/QA:Updates_Testing for more
> information on how to test updates.

I have tried the suggested update on the Fedora 34 (just upgraded from 33) and it didn't fix the problem. I still see this:

Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ lockdown ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Unknown>
Host                          home
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     home
Platform                      Linux home 5.11.15-300.fc34.x86_64 #1 SMP Fri Apr 16 13:41:48 UTC 2021 x86_64 x86_64
Alert Count                   59
First Seen                    2021-04-27 20:17:34 EDT
Last Seen                     2021-04-27 21:25:48 EDT
Local ID                      4e29def5-d4f2-4c7c-8af0-5061dafba77f

Raw Audit Messages
type=AVC msg=audit(1619573148.625:803): avc: denied { integrity } for pid=1585 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0
Yep, I'm seeing it too - looking into it now, thanks.
Fixed upstream, will arrive in pcp-5.3.1
commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51 (HEAD -> main)
Author: Nathan Scott <nathans>
Date:   Fri Apr 30 11:25:56 2021 +1000
    selinux: fix detection of lockdown policy class
    Resolves Fedora BZ #1929259
Hi pcp folks, FYI the same bug was reported on selinux-policy and has a fix on the way, too: bz#1947749
FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-002f2eabcc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-002f2eabcc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-84cefda88c has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-84cefda88c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-84cefda88c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-84cefda88c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-002f2eabcc has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.