This seems like a duplicate of #2354167 however that bug is closed by the reporter, and the se-troubleshooter/abrt doesn't allow reopening closed bugs. SELinux is preventing ps from using the sys_admin capability. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ps should have the sys_admin capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ps' --raw | audit2allow -M my-ps # semodule -X 300 -i my-ps.pp Additional Information: Source Context system_u:system_r:pcp_pmie_t:s0 Target Context system_u:system_r:pcp_pmie_t:s0 Target Objects Unknown [ capability ] Source ps Source Path ps Port Host fedora Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-41.36-1.fc42.noarch Local Policy RPM pcp-selinux-6.3.7-1.fc42.x86_64 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora Platform Linux fedora 6.14.2-300.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 10 21:50:55 UTC 2025 x86_64 Alert Count 18 First Seen 2025-04-16 12:51:06 IDT Last Seen 2025-04-16 15:29:04 IDT Local ID c848b05a-badd-483c-b4f1-e2b160243657 Raw Audit Messages type=AVC msg=audit(1744806544.912:354): avc: denied { sys_admin } for pid=46484 comm="ps" capability=21 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0 Hash: ps,pcp_pmie_t,pcp_pmie_t,capability,sys_admin Reproducible: Sometimes
pcp ships their own policy
I can confirm this issue is still present. It happens when pmie_farm_check.service is triggered by its timer. There seems to be a missing policy in pcp-selinux package. Looking at the package, there are policies to allow sys_admin capability to other roles (i.e. pcp_pmcd_t, pcp_pmlogger_t), but not for pcp_pmie_t.
*** This bug has been marked as a duplicate of bug 2363903 ***