Bug
Resolution: Done-Errata
Normal
rhel-9.7
None
pcp-6.3.7-1.el9_6
No
Low
Customer Reported
1
rhel-pt-pcp
ssg_platform_tools
1
QE ack, Dev ack
False
False
No
Red Hat Enterprise Linux
PT PCP 2025 S04
Pass
Automated
Unspecified Release Note Type - Unknown
None
What were you trying to do that didn't work?
A customer reported that, since updating to RHEL 8.10, AVC denials appear whenever pmlogger_check internally executes the pstree command:
type=PROCTITLE msg=audit(05/31/2024 14:47:28.987:288) : proctitle=pstree -spa 96043
type=SYSCALL msg=audit(05/31/2024 14:47:28.987:288) : arch=x86_64 syscall=read success=no exit=EACCES(Permission denied) a0=0x5 a1=0x55f456388750 a2=0xfff a3=0x0 items=0 ppid=1 pid=96043 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
type=AVC msg=audit(05/31/2024 14:47:28.987:288) : avc: denied { getattr } for pid=96043 comm=pstree scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
The AVC occurs because pstree tries to read the SELinux context of every process it walks (getpidcon(), which reads /proc/PID/attr/current), and no rule grants pcp_pmlogger_t that process getattr access on other domains. In pstree's read_proc():

static void read_proc(void)
{
    ...
#ifdef WITH_SELINUX
    if (selinux_enabled)
        if (getpidcon(pid, &scontext) < 0) {
            perror(path);
            exit(1);                 <<<<<<<< HERE
        }
#endif /*WITH_SELINUX */
    ...

Because that failure is fatal, the denial prevents pstree from functioning entirely: it prints the error and exits on the first process whose context it cannot read (PID 1 in the strace below).
The solution is to allow pcp_pmlogger_t process getattr on all domains (the domain attribute covers every process domain, so the rule is not tied to init_t alone), expressed as a CIL module:
echo '(allow pcp_pmlogger_t domain (process (getattr)))' > pcp_pmlogger_pstree.cil
Please provide the package NVR for which the bug is seen:
pcp-selinux-5.3.7-20.el8_10
How reproducible:
Always
Steps to reproduce
- Execute the pmlogger_check service on an SELinux-enabled system with very verbose output (-VV), which makes it run pstree:
# echo PMLOGGER_CHECK_PARAMS="-VV -C" >> /etc/sysconfig/pmlogger_timers
# systemctl start pmlogger_check.service
Expected results
No AVC and pstree executes properly.
Actual results
An AVC is logged; stracing while in Permissive mode shows that reading the context of every process (starting with PID 1) fails:
1148906 [init_t] 09:48:03.765563 execve("/usr/libexec/pcp/bin/pmlogger_check" [pcp_pmlogger_exec_t], ["/usr/libexec/pcp/bin/pmlogger_check", "-VV", "-C"], ["LANG=en_US.UTF-8", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "HOME=/var/lib/pcp", "LOGNAME=pcp", "USER=pcp", "INVOCATION_ID=a0a2c1cbc5fd48a78d9ffbe9ebb3825c", "JOURNAL_STREAM=9:5833548", "PMLOGGER_CHECK_PARAMS=-VV -C", "PMLOGGER_DAILY_PARAMS=-VV -X xz -k 14"] <unfinished ...>
:
1148906 [pcp_pmlogger_t] 09:48:04.423176 <... clone resumed>, child_tidptr=0x7f6c483c4a10) = 1148939 <0.000232>
:
1148939 [pcp_pmlogger_t] 09:48:04.426075 execve("/usr/bin/pstree" [bin_t], ["pstree", "-spa", "1148906"], [...]) = 0 <0.000162>
:
1148939 [pcp_pmlogger_t] 09:48:04.447297 openat(AT_FDCWD</var/lib/pcp>, "/proc/1/attr/current" [init_t], O_RDONLY|O_CLOEXEC) = 5</proc/1/attr/current> [init_t] <0.000030>
1148939 [pcp_pmlogger_t] 09:48:04.447418 read(5</proc/1/attr/current> [init_t], 0x560a142c4750, 4095) = -1 EACCES (Permission denied) <0.000238>
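The full workflow behind this report, as an added example (this is not code from the bug report, from pcp, or from the pcp-selinux package): derive a CIL allow rule from an AVC record of the form shown above, widen its target to the domain attribute exactly as the fix does, then install the module and confirm the rule is live and the reproducer no longer trips pstree. Rule derivation runs stand-alone on the AVC line copied from the report. The install and verification functions call semodule, sesearch, systemctl and ausearch, assume a RHEL host with pcp and setools installed and root privileges, and only run when the script is invoked with the argument install. The function names and the module path are this example's own choices.

```shell
#!/bin/sh
# Added example: turn an AVC denial into a CIL allow rule and load it.
# Not part of the bug report or the pcp project; the function names and
# the module path below are this example's own choices.

# AVC record copied from the report. tcontext is init_t because pstree starts
# its walk at PID 1; any other domain would fail the same way.
SAMPLE_AVC='type=AVC msg=audit(05/31/2024 14:47:28.987:288) : avc: denied { getattr } for pid=96043 comm=pstree scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0'

CIL_MODULE=/root/pcp_pmlogger_pstree.cil   # assumed location for the module

# avc_to_cil AVC_LINE [TARGET]
# Print "(allow SRC TGT (CLASS (PERMS)))" for one AVC record. Contexts are
# user:role:type:level; only the type is used. TARGET replaces the target
# type, e.g. "domain" (the attribute every process domain carries) so the
# rule covers every process pstree walks instead of init_t alone.
avc_to_cil() {
    line=$1
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/  */ /g;s/^ //;s/ $//')
    if [ -z "$stype" ] || [ -z "$ttype" ] || [ -z "$tclass" ] || [ -z "$perms" ]; then
        echo "avc_to_cil: not an AVC record: $line" >&2
        return 1
    fi
    printf '(allow %s %s (%s (%s)))\n' "$stype" "${2:-$ttype}" "$tclass" "$perms"
}

# Write the module with the widened target, load it, and check that the
# loaded policy now answers the exact query pstree needs for PID 1.
install_rule() {
    avc_to_cil "$SAMPLE_AVC" domain > "$CIL_MODULE" || return 1
    semodule -i "$CIL_MODULE" || return 1
    # sesearch prints the matching allow rule; no output means it is not loaded.
    sesearch -A -s pcp_pmlogger_t -t init_t -c process -p getattr | grep -q allow
}

# Re-run the reporter's reproducer and require that no AVC for pstree follows.
verify_fix() {
    grep -q '^PMLOGGER_CHECK_PARAMS=' /etc/sysconfig/pmlogger_timers ||
        echo 'PMLOGGER_CHECK_PARAMS="-VV -C"' >> /etc/sysconfig/pmlogger_timers
    systemctl start pmlogger_check.service || return 1
    # ausearch exits non-zero when nothing matches, which is the result we want.
    if ausearch -m avc -ts recent -c pstree >/dev/null 2>&1; then
        echo "AVC denials for pstree are still being logged" >&2
        return 1
    fi
    echo "no pstree AVC since the rule was loaded"
}

case "${1:-}" in
    install) install_rule && verify_fix ;;
    *)       avc_to_cil "$SAMPLE_AVC"
             avc_to_cil "$SAMPLE_AVC" domain ;;
esac
```

Run without arguments to see the narrow rule (init_t) next to the widened one (domain); run with install as root to load and verify it. Keeping the rule to process getattr is what makes the domain target acceptable: it grants pcp_pmlogger_t nothing beyond reading the label of other processes, which is all getpidcon() needs.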
- is related to: RHEL-29799 SELinux policy violations pmie and pmlogger with nsfs_t (Closed)
- links to: RHBA-2025:147178 pcp bug fix and enhancement update