Bug
Resolution: Won't Do
rhel-10.0
Low
rhel-sst-pt-pcp
ssg_platform_tools
What were you trying to do that didn't work?
During testing of upgrade and downgrade scenarios of PCP, some AVC reports were observed.
What is the impact of this issue to you?
AVC reported.
As this issue is reproducible on RHEL-10.0 only (due to rework of selinux-policy) and affects only upgrade and downgrade scenarios, it might IMO be considered as marginal severity because RHEL-10.0 should not use package upgrades.
Please provide the package NVR for which the bug is seen:
pcp-6.3.2-5.el10
How reproducible is this bug?:
Always
Steps to reproduce
- Install i.e. pcp-zeroconf package using an older PCP build (and older selinux-policy) on RHEL-10
- Upgrade PCP to pcp-6.3.2-5.el10
Expected results
The upgrade of PCP passes without any AVC
Actual results
The following AVCs are generated during the upgrade:
----
type=PROCTITLE msg=audit(01/31/2025 14:52:08.893:54159) : proctitle=/usr/bin/sh /usr/libexec/pcp/bin/pmlogger_check --quick -V --only-primary
type=EXECVE msg=audit(01/31/2025 14:52:08.893:54159) : argc=5 a0=/usr/bin/sh a1=/usr/libexec/pcp/bin/pmlogger_check a2=--quick a3=-V a4=--only-primary
type=SYSCALL msg=audit(01/31/2025 14:52:08.893:54159) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55612e8d1d20 a1=0x55612e8d48a0 a2=0x55612e8daad0 a3=0x55612e84f010 items=0 ppid=588689 pid=588842 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pmlogger_check exe=/usr/bin/bash subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
type=AVC msg=audit(01/31/2025 14:52:08.893:54159) : avc: denied { write } for pid=588842 comm=pmlogger_check path=/var/tmp/pmlogger_rc_start.wTunpcrCo/pmcheck dev="xvda3" ino=8514980 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/31/2025 14:52:08.893:54159) : avc: denied { write } for pid=588842 comm=pmlogger_check path=/var/tmp/pmlogger_rc_start.wTunpcrCo/pmcheck.out dev="xvda3" ino=8514979 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
Which translates to the following rule:
allow pcp_pmlogger_t init_tmp_t:file write;
Notes
This issue is bound to the recent upgrade of the selinux-policy package. The generation of AVC records is a race condition happening during the upgrade of the pcp-selinux and selinux-policy packages, where one is applied earlier than the other, while in the meantime pmlogger_check is triggered.
As mentioned above, this IMO should not affect customers, so I am fine if this is closed and kept here just for the record.
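The translation from the AVC records above to the allow rule, reproduced as an added example (not part of the original report, and not audit2allow's own code): it extracts the source type, target type, class and permissions from each denial and merges duplicates into one rule per triple. The function names are this example's own; the sample input is the two AVC records from the report.

```python
import re
from collections import defaultdict

# The two AVC records from the report above (ausearch -i output).
SAMPLE = """\
type=AVC msg=audit(01/31/2025 14:52:08.893:54159) : avc: denied { write } for pid=588842 comm=pmlogger_check path=/var/tmp/pmlogger_rc_start.wTunpcrCo/pmcheck dev="xvda3" ino=8514980 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/31/2025 14:52:08.893:54159) : avc: denied { write } for pid=588842 comm=pmlogger_check path=/var/tmp/pmlogger_rc_start.wTunpcrCo/pmcheck.out dev="xvda3" ino=8514979 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
"""

# Permissions sit inside the braces; the contexts and class follow as key=value.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def avc_to_rules(log_text):
    """Turn AVC denial records into deduplicated 'allow' rules."""
    wanted = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # PROCTITLE, EXECVE, SYSCALL records carry no denial
        m = AVC_RE.search(line)
        if m is None:
            continue  # e.g. "granted" records or truncated lines
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        wanted[key].update(m["perms"].split())

    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        ordered = sorted(perms)
        # A single permission is written bare, several are wrapped in braces.
        text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE):
        print(rule)
```
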