Description of problem:
SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown Inconnu.

*****  Plugin catchall (100. confidence) suggests  **************************

Si vous pensez que pmdakvm devrait être autorisé à accéder integrity sur Inconnu lockdown par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "pmdakvm" --raw | audit2allow -M my-pmdakvm
# semodule -X 300 -i my-pmdakvm.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Inconnu [ lockdown ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.2-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.2-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.12-300.fc34.x86_64 #1 SMP Wed Apr 7 16:31:13 UTC 2021 x86_64 x86_64
Alert Count                   13
First Seen                    2021-04-09 08:41:43 CEST
Last Seen                     2021-04-09 08:53:00 CEST
Local ID                      590687c3-ccb8-45ce-a990-fed516311d62

Raw Audit Messages
type=AVC msg=audit(1617951180.350:792): avc: denied { integrity } for pid=2224 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0

Hash: pmdakvm,pcp_pmcd_t,pcp_pmcd_t,lockdown,integrity

Version-Release number of selected component:
selinux-policy-targeted-34.2-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.12-300.fc34.x86_64
type:           libreport
Sylvain, Do you know when this AVC denial is triggered? Have you made some modifications to the pcp configuration?
I'm seeing what looks like this (in English) after an update to Fedora 34, which I see immediately after logging in. I'm not aware of having made any modifications to pcp configuration.

SELinux is preventing pmdakvm from integrity access on the lockdown labeled pcp_pmcd_t.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that pmdakvm should be allowed integrity access on lockdown labeled pcp_pmcd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdakvm' --raw | audit2allow -M my-pmdakvm
# semodule -X 300 -i my-pmdakvm.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ lockdown ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Unknown>
Host                          gibbie
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gibbie
Platform                      Linux gibbie 5.11.15-300.fc34.x86_64 #1 SMP Fri Apr 16 13:41:48 UTC 2021 x86_64 x86_64
Alert Count                   16
First Seen                    2021-04-27 20:25:35 EDT
Last Seen                     2021-04-27 20:39:35 EDT
Local ID                      86208312-814d-4fe7-98fe-392e1bb80ed8

Raw Audit Messages
type=AVC msg=audit(1619570375.580:1032): avc: denied { integrity } for pid=1100 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0

Hash: pmdakvm,pcp_pmcd_t,pcp_pmcd_t,lockdown,integrity
I didn't even know what this was until I upgraded from Fedora 33 to Fedora 34. I've already gotten 405 alerts on this in just a few hours of up time since the upgrade.
Same issue with a fresh install of Fedora 34 Server.
Ways to reproduce:
- install Minimal Fedora Server 34
- install cockpit*
- install selinux-policy-devel
and you have the same error
Similar problem has been detected: Just keeps happening like once every 60 seconds or something. hashmarkername: setroubleshoot kernel: 5.11.15-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
Similar problem has been detected: This happened after upgrade from F33->F34 and /.autorelabel. pmdakvm is doing work in the background. hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
Similar problem has been detected: Upgraded to Fedora 34 from Fedora 33. hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
Similar problem has been detected: This is occurring after Initial boots from F34 system immediately after dnf system-upgrade from F33. hashmarkername: setroubleshoot kernel: 5.11.17-300.fc34.x86_64 package: selinux-policy-targeted-34.4-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
Similar problem has been detected: Upgraded to F34 I suppose. There are 17000+ messages about this and counting. hashmarkername: setroubleshoot kernel: 5.11.15-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
Similar problem has been detected: The messages have been arriving since the last update (9 May 2021). hashmarkername: setroubleshoot kernel: 5.11.18-300.fc34.x86_64 package: selinux-policy-targeted-34.5-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown Inconnu. type: libreport
Similar problem has been detected: The problem occurred immediately after logging into Gnome after installing Fedora 34. hashmarkername: setroubleshoot kernel: 5.11.18-300.fc34.x86_64 package: selinux-policy-targeted-34.6-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
I've managed to find the root cause and submitted a Fedora PR to address the issue, now awaiting review: https://github.com/fedora-selinux/selinux-policy/pull/730
*** Bug 1959388 has been marked as a duplicate of this bug. ***
FEDORA-2021-ec18a84d86 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86
Similar problem has been detected: I'm seeing these after an update to Fedora 34 after logging in hashmarkername: setroubleshoot kernel: 5.11.19-300.fc34.x86_64 package: selinux-policy-targeted-34.6-1.fc34.noarch reason: SELinux is preventing pmdakvm from 'integrity' accesses on the lockdown labeled pcp_pmcd_t. type: libreport
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ec18a84d86` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The update appears to fix this for me.
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
Also on my system, since applying the update, the AVC messages have stopped.
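Added example (not part of the bug report or of any Fedora tooling): a small parser for raw AVC records that groups denials by the same fields as the "Hash:" line above and counts how many arrived after a given time, which is one way to confirm the denials stopped once the policy update was installed. The function names, the comma-joining of multiple permissions, and the last two sample lines are assumptions made for this example.

```python
import re
from collections import Counter

HEADER = re.compile(r"type=AVC msg=audit\((\d+)\.\d+:\d+\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    head, perms = HEADER.search(line), PERMS.search(line)
    if not head or not perms:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[perms.end():])}
    rec.update(epoch=int(head.group(1)), perms=perms.group(1).split())
    return rec

def signature(rec):
    """comm, source type, target type, class, permission: the field order of
    the 'Hash:' line in the setroubleshoot output quoted in this report."""
    stype, ttype = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
    return ",".join([rec["comm"], stype, ttype, rec["tclass"], *rec["perms"]])

def summarize(lines):
    """Count denials per signature and keep the newest timestamp of each."""
    counts, last_seen = Counter(), {}
    for rec in filter(None, map(parse_avc, lines)):
        sig = signature(rec)
        counts[sig] += 1
        last_seen[sig] = max(last_seen.get(sig, 0), rec["epoch"])
    return counts, last_seen

def denials_since(lines, sig, epoch):
    """Denials with this signature at or after epoch (e.g. the update time)."""
    return sum(1 for rec in filter(None, map(parse_avc, lines))
               if signature(rec) == sig and rec["epoch"] >= epoch)

# First two records are the AVC lines quoted in this report; the last two
# are constructed (an unrelated denial and a non-AVC record).
SAMPLE = [
    'type=AVC msg=audit(1617951180.350:792): avc: denied { integrity } for pid=2224 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0',
    'type=AVC msg=audit(1619570375.580:1032): avc: denied { integrity } for pid=1100 comm="pmdakvm" lockdown_reason="debugfs access" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=lockdown permissive=0',
    'type=AVC msg=audit(1619570400.100:1040): avc: denied { read } for pid=1200 comm="example" name="data" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1619570400.100:1040): arch=c000003e syscall=257 success=no',
]

if __name__ == "__main__":
    counts, last_seen = summarize(SAMPLE)
    for sig, n in counts.most_common():
        print(n, last_seen[sig], sig)
```

On a live system the input lines can come from `ausearch -m AVC --raw`, with the epoch passed to `denials_since` set to the time the update was applied.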