Bug 2397077 - pmda-hdb triggers a selinux AVC
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: sfeifer
QA Contact: Jan Kurik
Reported: 2025-09-20 09:25 UTC by Jan Kurik
Modified: 2025-11-29 16:43 UTC

Fixed In Version: pcp-7.0.3-1.fc43
Last Closed: 2025-11-20 19:06:02 UTC
Type: ---
Embargoed:
sfeifer: mirror+

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-2409 0 None None None 2025-09-30 14:47:40 UTC

Description Jan Kurik 2025-09-20 09:25:45 UTC
The hdb PMDA (SAP HANA) is triggering an AVC during its registration.

Reproducible: Always

Steps to Reproduce:
1. Install pcp-pmda-hdb package
2. Register the hdb PMDA:
  cd /var/lib/pcp/pmdas/hdb && ./Install
3. Check for AVCs
  ausearch -m AVC
  audit2allow -a

Actual Results:
The ausearch command returns:
type=AVC msg=audit(1758359498.699:1886): avc:  denied  { write } for  pid=37994 comm="python3" name="SQLDBC.shm" dev="vda2" ino=397255 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

The audit2allow command returns:
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t admin_home_t:file write;

Expected Results:
No AVCs reported

Additional Information:
It seems like the AVC is caused by the hdbcli/pyhdbcli. This is not present in Fedora as a package and thus there is no SELinux policy for it. However, during the hdb PMDA run, the hdbcli/pyhdbcli needs some extra SELinux permission.
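
An added example, not part of the original report or of PCP's own code: a small Python parser for the AVC record quoted above that splits out the process, file and SELinux types and derives the same rule `audit2allow` printed. The function names `parse_avc` and `allow_rules` are illustrative.

```python
import re
from collections import defaultdict

# AVC record copied from the report above.
SAMPLE = (
    'type=AVC msg=audit(1758359498.699:1886): avc:  denied  { write } for  '
    'pid=37994 comm="python3" name="SQLDBC.shm" dev="vda2" ino=397255 '
    'scontext=system_u:system_r:pcp_pmcd_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    for key, out in (('scontext', 'stype'), ('tcontext', 'ttype')):
        # A context is user:role:type[:level]; the type is always field 3.
        parts = rec.get(key, '').split(':')
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def allow_rules(lines):
    """Derive audit2allow-style rules from the denied records in `lines`."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['stype'], rec['ttype'], rec.get('tclass'))
        if rec['result'] == 'denied' and all(key):
            perms[key].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        body = next(iter(p)) if len(p) == 1 else '{ ' + ' '.join(sorted(p)) + ' }'
        # Type-wide: the rule covers every object of that type and class,
        # not only the file named in the record.
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['comm'], rec['name'], rec['stype'], '->', rec['ttype'])
    print('\n'.join(allow_rules([SAMPLE])))
```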

Comment 1 Fedora Update System 2025-11-05 15:54:06 UTC
FEDORA-2025-dfc9e95675 (pcp-7.0.2-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-dfc9e95675

Comment 2 Fedora Update System 2025-11-06 03:13:38 UTC
FEDORA-2025-bd02f269a3 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-bd02f269a3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-bd02f269a3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2025-11-13 02:00:02 UTC
FEDORA-2025-ccd9893b75 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-ccd9893b75`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-ccd9893b75

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2025-11-29 16:43:39 UTC
FEDORA-2025-ccd9893b75 (pcp-7.0.3-1.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.