Description of problem:
started getting sealert reports after installing the latest selinux-policy-35.10-1.fc35

SELinux is preventing pmdakvm from 'search' accesses on the directory /sys/kernel/tracing.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdakvm should be allowed search access on the tracing directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdakvm' --raw | audit2allow -M my-pmdakvm
# semodule -X 300 -i my-pmdakvm.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:tracefs_t:s0
Target Objects                /sys/kernel/tracing [ dir ]
Source                        pmdakvm
Source Path                   pmdakvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.15.15-200.fc35.x86_64 #1 SMP Sun Jan 16 17:37:06 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-01-19 05:52:33 EST
Last Seen                     2022-01-19 05:52:33 EST
Local ID                      6e5b1ba9-121f-453a-9289-fa2dba9b00f7

Raw Audit Messages
type=AVC msg=audit(1642589553.515:244): avc:  denied  { search } for  pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0

Hash: pmdakvm,pcp_pmcd_t,tracefs_t,dir,search

Version-Release number of selected component:
selinux-policy-targeted-35.10-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.15.15-200.fc35.x86_64
type:           libreport
*** Bug 2046669 has been marked as a duplicate of this bug. ***
*** Bug 2063470 has been marked as a duplicate of this bug. ***
Similar problem has been detected:

Logged into Xfce.

hashmarkername: setroubleshoot
kernel:         5.17.0-0.rc7.116.fc36.x86_64
package:        selinux-policy-targeted-36.3-1.fc36.noarch
reason:         SELinux is preventing pmdakvm from 'search' accesses on the directory /sys/kernel/tracing.
type:           libreport
commit 8243739f5c964e72c6d1267086d0121a16e3615a
Author: Nikola Knazekova <nknazeko>
Date:   Tue Sep 6 15:19:59 2022 +0200

    Allow pcp pmcd search tracefs and acct_data dirs

    Allow Performance Metrics Domain Agent (PMDA) search accesses on
    the directory /sys/kernel/tracing.

    Addresses the following AVC denial:
    type=AVC msg=audit(1642589553.515:244): avc: denied { search } for pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0

    Resolves: bz#2041845

    Allow pmdaproc search accesses on the directory /var/account.
    Add interface to allow search process accounting data.

    Addresses the following AVC denial:
    type=AVC msg=audit(1642589553.499:243): avc: denied { search } for pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0

    Resolves: bz#2041843
*** Bug 2123928 has been marked as a duplicate of this bug. ***
*** Bug 2123929 has been marked as a duplicate of this bug. ***
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected:

Just installed system. First boot these came up

hashmarkername: setroubleshoot
kernel:         5.17.5-300.fc36.x86_64
package:        selinux-policy-targeted-36.7-1.fc36.noarch
reason:         SELinux is preventing pmdakvm from 'search' accesses on the directory /sys/kernel/tracing.
type:           libreport