[RHEL-83954] selinux AVC when using pcp-pmda-lio - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-9.6.z
Affects Version/s: rhel-9.6.z
Component/s: pcp
Labels:
None

Fixed in Build:
pcp-6.3.7-1.el9_6
Regression:
No
Severity:
Low
sprint_count:
1

Pool Team:

rhel-sst-pt-pcp
Sub-System Group:

ssg_platform_tools

Story Points:
1
ACKs Check:

Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
PT PCP 2025 S04

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/147178
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

When pcp-pmda-lio is registerd and used, it triggers some selinux AVCs

What is the impact of this issue to you?

lio metrics not providing proper values and the pmda generates AVCs

Please provide the package NVR for which the bug is seen:

pcp-6.3.4-1.el9_6 (but this issue has been see even on older builds)

How reproducible is this bug?:

Always

Steps to reproduce

Install pcp-pmda-lio
```
yum install -y pcp-pmda-lio
```

Fetch lio metrics
```
pminfo -f lio
```

Expected results

No AVC recorded

Actual results

The following AVC are recorded

type=AVC msg=audit(03/17/25 09:44:43.261:13256) : avc:  denied  { module_load } for  pid=243375 comm=python3 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=system permissive=1
type=AVC msg=audit(03/17/25 09:44:43.261:13257) : avc:  denied  { write } for  pid=243375 comm=python3 name=dbroot dev="configfs" ino=485726 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/17/25 09:44:43.261:13257) : avc:  denied  { create } for  pid=243375 comm=python3 name=dbroot scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/17/25 09:44:43.261:13257) : avc:  denied  { add_name } for  pid=243375 comm=python3 name=dbroot scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1

# audit2allow -a

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t configfs_t:dir add_name;
allow pcp_pmcd_t configfs_t:file { create write };
allow pcp_pmcd_t self:system module_load;

links to

RHBA-2025:147178 pcp bug fix and enhancement update

Assignee:: Nathan Scott

Reporter:: Jan Kurik

Developer:: pcp-maint

QA Contact:: Jan Kurik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/03/18 12:23 PM

Updated:: 2025/04/01 7:04 PM

Next Planned Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates