RHEL-132402

selinux AVC when using pmdarocestat


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • pcp
    • Moderate
    • rhel-pt-pcp
    • PT PCP Next Sprint(s)
    • Automated

      Disclaimer: Work on this ticket requires access to hardware that takes 1-2 weeks to get after requesting access. Take this into account when planning into a sprint or multiple sprints.

      What were you trying to do that didn't work?

      When using pmdarocestat, I am getting an SELinux AVC. This AVC is generated by the ibdev2netdev utility used by pmdarocestat to get rocestat.lane.* metrics.

      What is the impact of this issue to you?

      SELinux reports an AVC

      Please provide the package NVR for which the bug is seen:

      pcp-pmda-rocestat-7.0.3-1.el10

      How reproducible is this bug?:

      Always when a fetch of a rocestat.lane.* metric is performed.

      Steps to reproduce

      1. On a system with PCP and pmdarocestat installed, fetch a rocestat.lane.* metric
        pminfo -f rocestat.lane
      2. Check for an SELinux AVC
        # audit2allow -a
        #============= pcp_pmcd_t ==============
        allow pcp_pmcd_t ifconfig_exec_t:file { execute execute_no_trans };

      Expected results

      No AVC is generated

      Actual results

      # audit2allow -a
      #============= pcp_pmcd_t ==============
      allow pcp_pmcd_t ifconfig_exec_t:file { execute execute_no_trans };

      # ausearch -m AVC
      ----
      time->Mon Dec  1 12:58:15 2025
      type=PROCTITLE msg=audit(1764593895.755:3678): proctitle=657468746F6F6C002D5300656E733366306E7030
      type=PATH msg=audit(1764593895.755:3678): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=4061 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1764593895.755:3678): cwd="/var/log/pcp/pmcd"
      type=EXECVE msg=audit(1764593895.755:3678): argc=3 a0="ethtool" a1="-S" a2="ens3f0np0"
      type=SYSCALL msg=audit(1764593895.755:3678): arch=c000003e syscall=59 success=yes exit=0 a0=7f9caf5bd470 a1=7f9caf5bd550 a2=7ffd6242b100 a3=8 items=1 ppid=128805 pid=128847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
      type=AVC msg=audit(1764593895.755:3678): avc:  denied  { execute_no_trans } for  pid=128847 comm="python3" path="/usr/sbin/ethtool" dev="dm-0" ino=67261675 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1764593895.755:3678): avc:  denied  { execute } for  pid=128847 comm="python3" name="ethtool" dev="dm-0" ino=67261675 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
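
The audit records above can be correlated by event id to see which command triggered the denials and which rule audit2allow derives from them. This is an added example, not part of the original ticket or of PCP; the function names are illustrative, and the sample holds the PROCTITLE record and trimmed copies of the two AVC records shown above.

```python
import re
from collections import defaultdict

# Records from the ausearch output above; the two AVC lines are trimmed (dev=/ino= dropped).
SAMPLE = '''\
type=PROCTITLE msg=audit(1764593895.755:3678): proctitle=657468746F6F6C002D5300656E733366306E7030
type=AVC msg=audit(1764593895.755:3678): avc:  denied  { execute_no_trans } for  pid=128847 comm="python3" path="/usr/sbin/ethtool" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1764593895.755:3678): avc:  denied  { execute } for  pid=128847 comm="python3" name="ethtool" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
'''

RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
AVC = re.compile(r'denied\s+\{ ([^}]*?) \} for\s.*?comm="([^"]+)".*?'
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+) permissive=(\d)")

def decode_proctitle(value):
    """proctitle is hex-encoded when the arguments are separated by NUL bytes."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    return [value.strip('"')]

def parse_events(log):
    """Group PROCTITLE and AVC records by audit event id (timestamp:serial)."""
    events = defaultdict(lambda: {"argv": None, "denials": []})
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "PROCTITLE":
            events[event_id]["argv"] = decode_proctitle(body.split("=", 1)[1])
        elif rtype == "AVC" and (a := AVC.search(body)):
            perms, comm, scon, tcon, tclass, permissive = a.groups()
            events[event_id]["denials"].append({
                "perms": perms.split(), "comm": comm, "tclass": tclass,
                "source": scon.split(":")[2], "target": tcon.split(":")[2],
                "enforced": permissive == "0"})  # permissive=1: logged, not blocked
    return dict(events)

def allow_rules(events):
    """Merge denials per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for ev in events.values():
        for d in ev["denials"]:
            merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for eid, ev in evs.items():
        print(eid, ev["argv"], [d["perms"] for d in ev["denials"]])
    print("\n".join(allow_rules(evs)))
```

The decoded PROCTITLE matches the EXECVE record in the same event, and permissive=1 on both AVC records means the access was logged rather than blocked.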
      

              pcp-maint
              Jan Kurik (jkurik@redhat.com)