Bug 2363903 - SELinux is preventing ps from using the sys_admin capability.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 41
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Nathan Scott
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2354167 2360117 2367075
Depends On:
Blocks:
Reported: 2025-05-03 19:30 UTC by Martin Jørgensen
Modified: 2025-07-15 19:25 UTC
CC List: 18 users

Fixed In Version: pcp-6.3.7-5.fc41 pcp-6.3.7-4.fc42
Clone Of:
Environment:
Last Closed: 2025-05-22 01:48:20 UTC
Type: ---
Embargoed:
bogado: needinfo-


Attachments
dnf history list ; cockpit log entry ; sestatus ; cockpit log entries for setroubleshootd.service (198.00 KB, text/plain)
2025-05-03 19:33 UTC, Martin Jørgensen

Description Martin Jørgensen 2025-05-03 19:30:07 UTC
From what I can gather, the title says it all.

I would be grateful if there was a bug reporting CLI tool (for the Fedora Server Edition) that would generate reports for a given log entry or something. I never know exactly what you guys might need.

Something similar to the Problem Reporting Red Hat tool.

Reproducible: Didn't try

Steps to Reproduce:
1. Install Fedora 41 Server Edition
2. Install cockpit
3. Update system using cockpit
4. Restarted system (due to: Failed to initialize NVML: Driver/library version mismatch error)
5. Noticed error occurred.
Actual Results:
I don't know what happened. I am just reporting.


Additional Information:
uname -a
Linux fedora-server 6.14.4-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Apr 25 15:45:16 UTC 2025 x86_64 GNU/Linux

sealert -l f730c8d6-a730-4076-acaa-a96df3526d9b
SELinux is preventing ps from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ps should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -X 300 -i my-ps.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmie_t:s0
Target Context                system_u:system_r:pcp_pmie_t:s0
Target Objects                Unknown [ capability ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          fedora-server
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.38-1.fc41.noarch
Local Policy RPM              pcp-selinux-6.3.7-2.fc41.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora-server
Platform                      Linux fedora-server 6.14.4-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Apr 25 15:45:16 UTC 2025
                              x86_64
Alert Count                   52
First Seen                    2025-05-03 08:24:01 CEST
Last Seen                     2025-05-03 20:28:27 CEST
Local ID                      f730c8d6-a730-4076-acaa-a96df3526d9b

Raw Audit Messages
type=AVC msg=audit(1746296907.485:800): avc:  denied  { sys_admin } for  pid=58471 comm="ps" capability=21  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0


Hash: ps,pcp_pmie_t,pcp_pmie_t,capability,sys_admin


ps --version
ps from procps-ng 4.0.4

Comment 1 Martin Jørgensen 2025-05-03 19:33:56 UTC
Created attachment 2088270
dnf history list ; cockpit log entry ; sestatus ; cockpit log entries for setroubleshootd.service

Comment 2 Nathan Scott 2025-05-06 01:47:15 UTC
Resolved by upstream PR:  https://github.com/performancecopilot/pcp/pull/2201

Comment 3 Nathan Scott 2025-05-12 01:38:40 UTC
*** Bug 2354167 has been marked as a duplicate of this bug. ***

Comment 4 Nathan Scott 2025-05-13 01:59:03 UTC
*** Bug 2360117 has been marked as a duplicate of this bug. ***

Comment 5 William Cohen 2025-05-14 00:08:31 UTC
Builds of pcp-6.3.7-5 for fc41, fc42, and rawhide with the upstream patch to address this issue have been successfully built on koji.fedoraproject.org.

Comment 6 phkoenig 2025-05-15 15:58:19 UTC
Happens at any time...


reason:         SELinux is preventing ps from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-41.39-1.fc42.noarch
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.14.5-300.fc42.x86_64
comment:        Happens at any time...

Comment 7 Fedora Update System 2025-05-16 15:23:31 UTC
FEDORA-2025-8c82dffb1b (pcp-6.3.7-4.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-8c82dffb1b

Comment 8 Fedora Update System 2025-05-17 01:17:19 UTC
FEDORA-2025-8c82dffb1b has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-8c82dffb1b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-8c82dffb1b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Nathan Scott 2025-05-21 00:16:36 UTC
*** Bug 2367075 has been marked as a duplicate of this bug. ***

Comment 10 Martin Wolf 2025-05-21 13:08:15 UTC
I installed the update, but I still get these messages. To be 100% sure, I ran fixfiles -B onboot.

SELinux is preventing ps from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ps should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -X 300 -i my-ps.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmie_t:s0
Target Context                system_u:system_r:pcp_pmie_t:s0
Target Objects                Unknown [ capability ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.40-1.fc42.noarch
Local Policy RPM              pcp-selinux-6.3.7-4.fc42.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     example.com
Platform                      Linux example.com 6.14.6-300.fc42.x86_64 #1
                              SMP PREEMPT_DYNAMIC Fri May  9 20:11:19 UTC 2025
                              x86_64
Alert Count                   2580
First Seen                    2025-04-24 21:58:11 CEST
Last Seen                     2025-05-21 14:58:12 CEST
Local ID                      9a5385f2-9492-48a0-963e-44b9f1284b6b

Raw Audit Messages
type=AVC msg=audit(1747832292.86:203): avc:  denied  { sys_admin } for  pid=3328 comm="ps" capability=21  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0


Hash: ps,pcp_pmie_t,pcp_pmie_t,capability,sys_admin
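
An added triage example (not part of the original report, and not code from PCP or setroubleshoot): it parses the raw AVC records quoted above, rebuilds the comma-separated key shown on the `Hash:` line, and counts only denials logged after a given install time, because `Alert Count` and `First Seen` in an sealert report cover the alert's whole history. The function names and the cutoff time are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The two raw AVC records quoted in this bug report, embedded so this runs offline.
SAMPLE = """\
type=AVC msg=audit(1746296907.485:800): avc:  denied  { sys_admin } for  pid=58471 comm="ps" capability=21  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1747832292.86:203): avc:  denied  { sys_admin } for  pid=3328 comm="ps" capability=21  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
"""

AVC_RE = re.compile(
    r"msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
    if not {"comm", "scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    stype = kv["scontext"].split(":")[2]   # user:role:type:level -> type
    ttype = kv["tcontext"].split(":")[2]
    return {
        "when": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc),
        "serial": int(m.group(2)),
        "key": ",".join([kv["comm"], stype, ttype, kv["tclass"], *m.group(3).split()]),
        "permissive": kv.get("permissive") == "1",
        # For capability classes the target is the process's own domain.
        "self_capability": kv["tclass"].startswith("capability") and stype == ttype,
    }

def summarize(text, installed_at=None):
    """Count denials per key; with installed_at, keep only later events."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and (installed_at is None or rec["when"] > installed_at):
            counts[rec["key"]] += 1
    return counts

if __name__ == "__main__":
    # Hypothetical install time of the fixed pcp-selinux build (an assumption).
    cutoff = datetime(2025, 5, 21, 0, 0, tzinfo=timezone.utc)
    for key, n in summarize(SAMPLE, cutoff).items():
        print(f"{n} denial(s) after {cutoff:%Y-%m-%d %H:%M} UTC: {key}")
```

An empty result for a cutoff set to the real install time means the report is only replaying older events; a non-empty one means the denial is still being generated under the installed policy build.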

Comment 11 Fedora Update System 2025-05-22 01:48:20 UTC
FEDORA-2025-8c82dffb1b (pcp-6.3.7-4.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Martin Wolf 2025-05-22 03:25:25 UTC
Last Seen                     2025-05-22 04:58:12 CEST

Please reopen

Comment 13 Nathan Scott 2025-05-22 03:33:26 UTC
| Local Policy RPM              pcp-selinux-6.3.7-4.fc42.x86_64

Martin, you'll need the -5 build not -4.

cheers.

Comment 14 Martin Wolf 2025-05-22 03:45:58 UTC
thank you!

Comment 15 Angie 2025-06-04 09:28:10 UTC
This has appeared again. A regression may have occurred. @nathans

Comment 16 Angie 2025-06-04 09:34:27 UTC
Occurs repeatedly with unknown catalyst with latest updates.


reason:         SELinux is preventing /usr/bin/ps from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-41.41-1.fc42.noarch
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.14.9-300.fc42.x86_64
comment:        Occurs repeatedly with unknown catalyst with latest updates.

Comment 17 Victor Bogado 2025-07-15 19:06:49 UTC
It's still happening with `pcp-selinux-6.3.7-7.fc42.x86_64`. I just did a second `/.autorelabel` boot after months of frustration with this issue. :P Glad I found this bugzilla.

Comment 18 Victor Bogado 2025-07-15 19:08:26 UTC
@nathans let me know if I can help with any information.

Comment 19 Victor Bogado 2025-07-15 19:25:24 UTC
Just installed the updates-testing version `pcp-6.3.7-8` with the command:

```
# dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d396057e40
```

To test if this fixes the issue.

