-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-9.5
-
None
-
pcp-6.2.2-1.el9
-
Normal
-
Customer Reported
-
sst_pt_pcp
-
ssg_platform_tools
-
22
-
1
-
QE ack, Dev ack
-
False
Red Hat Enterprise Linux
-
PCP Sprint 3, PCP Sprint 5
-
Pass
-
Automated
x86_64
What were you trying to do that didn't work?
SELinux violations from pmie and pmlogger against nsfs_t (the pstree child process stats /proc/PID/ns/* files and the denial is logged with permissive=0, so the access is actually blocked, not just audited).
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.23-1.el9_3.2.noarch (installed Sat Feb 17 20:09:16 2024)
How reproducible:
~~~
$ sudo audit2allow -a
#============= pcp_pmie_t ==============
allow pcp_pmie_t nsfs_t:file getattr;
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t nsfs_t:file getattr;
~~~
~~~
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo ausearch -i -m avc,user_avc -ts today -se pcp_pmie_t | tail -n10
node=li-lc-2859 type=PATH msg=audit(03/12/2024 13:58:29.629:10436) : item=0 name=/proc/163187/ns/uts inode=4026531838 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=li-lc-2859 type=CWD msg=audit(03/12/2024 13:58:29.629:10436) : cwd=/var/lib/pcp
node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 13:58:29.629:10436) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fffbdb727e0 a2=0x7fffbdb72820 a3=0x0 items=1 ppid=163116 pid=163187 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.629:10436) : avc: denied
----
node=li-lc-2859 type=PROCTITLE msg=audit(03/12/2024 13:58:29.630:10437) : proctitle=pstree -asp 163116
node=li-lc-2859 type=PATH msg=audit(03/12/2024 13:58:29.630:10437) : item=0 name=/proc/163187/ns/time inode=4026531834 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=li-lc-2859 type=CWD msg=audit(03/12/2024 13:58:29.630:10437) : cwd=/var/lib/pcp
node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 13:58:29.630:10437) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fffbdb727e0 a2=0x7fffbdb72820 a3=0x0 items=1 ppid=163116 pid=163187 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.630:10437) : avc: denied { getattr } for pid=163187 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo ausearch -i -m avc,user_avc -ts today -se pcp_pmlogger_t | tail -n10
node=li-lc-2859 type=PATH msg=audit(03/12/2024 14:25:05.454:57162) : item=0 name=/proc/171997/ns/uts inode=4026531838 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=li-lc-2859 type=CWD msg=audit(03/12/2024 14:25:05.454:57162) : cwd=/var/lib/pcp
node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 14:25:05.454:57162) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff32da29a0 a2=0x7fff32da29e0 a3=0x0 items=1 ppid=171963 pid=171997 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57162) : avc: denied { getattr } for pid=171997 comm=pstree path=uts:[4026531838] dev="nsfs" ino=4026531838 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
node=li-lc-2859 type=PROCTITLE msg=audit(03/12/2024 14:25:05.454:57163) : proctitle=pstree -asp 171963
node=li-lc-2859 type=PATH msg=audit(03/12/2024 14:25:05.454:57163) : item=0 name=/proc/171997/ns/time inode=4026531834 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
node=li-lc-2859 type=CWD msg=audit(03/12/2024 14:25:05.454:57163) : cwd=/var/lib/pcp
node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 14:25:05.454:57163) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff32da29a0 a2=0x7fff32da29e0 a3=0x0 items=1 ppid=171963 pid=171997 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57163) : avc: denied { getattr } for pid=171997 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
[VMWare] vrempet-admin@test@li-lc-2859 ~
$
~~~
The SELinux AVCs are seen even on a server that has no NFS mounts at all (the target type is nsfs_t, the kernel namespace filesystem behind /proc/PID/ns/*, not NFS):
~~~
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ findmnt -tnfs4,nfs
[VMWare] vrempet-admin@test@li-lc-2859 ~
$
~~~
The reproducer is to restart pmie and pmlogger; in the transcript below the existing audit logs are removed and auditd restarted first, purely so that `audit2allow -a` reports only the AVCs generated by the restart (on a production host, rotate the logs instead of deleting them, so the audit trail is preserved):
~~~
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo find /var/log/audit -type f -ls -delete
17261634 102408 r------- 1 root root 104857649 Jan 28 21:25 /var/log/audit/audit.log.6
17261633 102408 r------- 1 root root 104857646 Feb 7 00:55 /var/log/audit/audit.log.5
17261637 102408 r------- 1 root root 104857799 Feb 16 05:55 /var/log/audit/audit.log.4
17261310 102408 r------- 1 root root 104857648 Feb 25 09:25 /var/log/audit/audit.log.3
17261639 102408 r------- 1 root root 104857787 Mar 5 12:55 /var/log/audit/audit.log.2
17459039 102408 r------- 1 root root 104857605 Mar 12 04:55 /var/log/audit/audit.log.1
17260963 66112 rw------ 1 root root 51300282 Mar 12 14:28 /var/log/audit/audit.log
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo service auditd restart
Stopping logging:
Redirecting start to /bin/systemctl start auditd.service
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo audit2allow -a
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo systemctl restart pmie pmlogger
[VMWare] vrempet-admin@test@li-lc-2859 ~
$ sudo audit2allow -a
#============= pcp_pmie_t ==============
allow pcp_pmie_t nsfs_t:file getattr;
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t nsfs_t:file getattr;
[VMWare] vrempet-admin@test@li-lc-2859 ~
$
~~~
Expected results
Actual results
- relates to
-
RHEL-39508 AVC seen when pstree executes from pcp_pmlogger_t context
- New
- split to
-
RHEL-39422 [Dev] SELinux policy violations pmie and pmlogger with nsfs_t
- Closed
- links to
-
RHBA-2024:129301 pcp bug fix and enhancement update