RHEL / RHEL-73297
selinux AVCs for pmie and pmlogger trying to access /dev/dm-*

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Version: rhel-10.0
    • Component: pcp
    • Build: pcp-6.3.2-3.el10
    • Team: rhel-sst-pt-pcp (ssg_platform_tools)
    • Sprint: PT PCP 2025 S01
    • QE ack
    • Red Hat Enterprise Linux

      With RHEL 9.6, running the metrics system role (which uses ansible-pcp, which manages pcp components), I am running tests in beaker like this:

      wow rhel-9.6 --ignore-panic --arch x86_64 --taskparam=VERSIONLOCK=true --ks-meta redhat_ca_cert --brew-task 65971884 \
        '--taskparam=ANSIBLE_VER='\''2'\''' '--taskparam=SYSTEM_ROLES_ONLY_TESTS='\''metrics/tests_bz1855539.yml metrics/tests_bz1855544.yml'\''' \
        --taskparam=GIT_SSL_NO_VERIFY=true --task '! echo '\''10.2.129.217 pkgs.devel.redhat.com'\'' >> /etc/hosts' \
        --brew-method=multi \
        --task https://pkgs.devel.redhat.com/git/tests/rhel-system-roles/snapshot/rhel-system-roles-master.tar.gz#Sanity/basic-smoke-test \
        --reservesys \
        --whiteboard 'System Roles testing rhel-9.6 arch x86_64 build task 65971884 ansible 2 include tests metrics/tests_bz1855539.yml metrics/tests_bz1855544.yml legacy role'
      which cause the following selinux AVCs:

      type=AVC msg=audit(1732305251.210:543): avc:  denied  { getattr } for  pid=61907 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=289 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
      type=AVC msg=audit(1732305306.102:672): avc:  denied  { getattr } for  pid=76568 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=289 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

      I don't see that the base RHEL selinux policy has changed between 9.5 and 9.6 with respect to this:

      >grep fixed_disk_device_t policy.95|grep pcp
      allow pcp_pmcd_t fixed_disk_device_t : lnk_file { read getattr };
      allow pcp_pmcd_t fixed_disk_device_t : blk_file { ioctl read lock open };
      allow pcp_pmcd_t fixed_disk_device_t : chr_file { ioctl read lock open };
      >grep fixed_disk_device_t policy.96|grep pcp
      allow pcp_pmcd_t fixed_disk_device_t : lnk_file { read getattr };
      allow pcp_pmcd_t fixed_disk_device_t : chr_file { ioctl read lock open };
      allow pcp_pmcd_t fixed_disk_device_t : blk_file { ioctl read lock open };
      The only difference I see is that 9.5 has pcp-6.2.2-6.el9.x86_64 and 9.6 has pcp-6.3.2-2.el9.x86_64.

      It is my conclusion that something has changed in pcp between 6.2.2 and 6.3.2 that is causing this AVC. Is it possible that the change to 6.3.2 requires some selinux policy to be added to RHEL 9.6 to allow pmie and pmlogger to access /dev/dm-*, which would be:

      allow pcp_pmie_t fixed_disk_device_t:blk_file getattr;  # NOTE - might require more than getattr - it is possible that because the getattr fails, the rest of the access is not attempted
      allow pcp_pmlogger_t fixed_disk_device_t:blk_file getattr;  # NOTE - might require more than getattr - it is possible that because the getattr fails, the rest of the access is not attempted
      NOTE: I cannot reproduce with 1minutetip or local VMs, only beaker. I think it is because beaker sets up lvm on the machines, which causes /dev/dm-* to exist.

              Sam Feifer (rh-ee-sfeifer)
              Richard Megginson (rmeggins@redhat.com)
              pcp-maint
              Jan Kurik
              Votes: 0
              Watchers: 6

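As an added illustration (this is not code from the report or from the pcp project), the following Python mirrors the step the reporter did by hand: reduce the AVC denials to (source type, target type, class, permissions) tuples, and diff them against the allow rules grepped out of the policy dump to see which rules are still missing. The audit lines are the two AVCs from the report plus one constructed denial for pcp_pmcd_t that the existing policy already covers, so the diff has something to skip; the policy excerpt is the reporter's grep output. The regexes are assumptions about the audit and policy dump formats shown on this page, not a general parser. In practice audit2allow -a does this; the point of the standalone version is to make the getattr caveat visible in code: a rule generated from a single denied getattr is only a lower bound, because the domain never got as far as attempting open/read/ioctl on the device.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two AVCs from the report, plus a third line
# (made up for this example) that the RHEL policy already allows.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1732305251.210:543): avc:  denied  { getattr } for  pid=61907 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=289 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1732305306.102:672): avc:  denied  { getattr } for  pid=76568 comm="mount" path="/dev/dm-0" dev="devtmpfs" ino=289 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1732305306.500:673): avc:  denied  { read open } for  pid=76570 comm="pmcd" path="/dev/dm-0" dev="devtmpfs" ino=289 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
"""

# Policy excerpt in the format the report greps out of the policy dump.
SAMPLE_POLICY = """\
allow pcp_pmcd_t fixed_disk_device_t : lnk_file { read getattr };
allow pcp_pmcd_t fixed_disk_device_t : blk_file { ioctl read lock open };
allow pcp_pmcd_t fixed_disk_device_t : chr_file { ioctl read lock open };
"""

# Assumed line shapes, derived from the samples above (not a full audit parser).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)
RULE_RE = re.compile(r"allow (\w+) (\w+) : (\w+) \{ ([^}]+)\};")

Rule = Tuple[str, str, str]  # (source type, target type, object class)


def parse_avcs(text: str) -> Dict[Rule, Set[str]]:
    """Collapse AVC denials into {(stype, ttype, tclass): {denied perms}}."""
    needed: Dict[Rule, Set[str]] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        needed.setdefault(key, set()).update(m["perms"].split())
    return needed


def parse_policy(text: str) -> Dict[Rule, Set[str]]:
    """Read 'allow src tgt : class { perms };' lines into the same shape."""
    granted: Dict[Rule, Set[str]] = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        granted.setdefault((src, tgt, cls), set()).update(perms.split())
    return granted


def missing_rules(audit: str, policy: str) -> List[str]:
    """Allow rules the denials need that the policy does not already grant.

    Caveat (the reporter's own note): a denied getattr stops the caller
    before it tries open/read/ioctl, so the rule emitted for it is only a
    lower bound. Collect the full set by putting the domain in permissive
    mode (semanage permissive -a <domain>) and re-running the workload.
    """
    granted = parse_policy(policy)
    out: List[str] = []
    for key, perms in sorted(parse_avcs(audit).items()):
        gap = perms - granted.get(key, set())
        if gap:
            src, tgt, cls = key
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(gap))} }};")
    return out


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_AUDIT, SAMPLE_POLICY):
        print(rule)
```

On the samples above this prints exactly the two getattr rules the reporter proposed and skips the pcp_pmcd_t line, since the policy already allows read and open on blk_file for that domain. To use it on a real host, feed it the output of ausearch -m AVC and of sesearch -A (or the policy dump the reporter grepped) instead of the embedded samples.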