pdestefa
April 13, 2025, 10:23pm
1
I just did a weekly update on F41, and now I’m getting this AVC multiple times every minute.
glb
April 14, 2025, 1:16am
2
You might trying sudo restorecon -rv /var/lib/pcp.
If that doesn’t work you could try reinstalling pcp (Performance Co-Pilot) with sudo dnf reinstall pcp.
The final option would be to disable or uninstall Performance Co-Pilot.
If neither the first or second option works, you should report the bug.
This seemed like a good suggestion to me, but it didn’t seem to stop the AVCs.
I think the ‘pressure’ directory to which the msg refers is /proc/pressure.
I’ll put in a bug report. Thanks for your advice.
It’s been fixed upstream:
committed 01:58AM - 14 Apr 25 UTC
Access to /proc/pressure recently became selinux policy
protected so we need to … allow pcp_pmcd_t to access that
as it contains important system level metrics.
Resolves Red Hat bugzilla #2358326.
If you want to fix it locally, as I did after the 1,400+ notification, configure and build but not install from source. Then go into src/selinux and pickup from the directions here:
rule. You can temporary disable dontaudit rules using:
# semodule -DB
There's also other than AVC audit events related to SELinux - USER_AVC
and SELINUX_ERR that could be checked in case of unexplained issues:
# ausearch -m avc,user_avc,selinux_err -i -ts recent
== Building ==
In the src/selinux directory
$ make clean
$ make
== Installing ==
$ sudo semodule -X 200 -r pcp
You’ll have to use the second command:
$ make
== Installing ==
$ sudo semodule -X 200 -r pcp
expect this to fail if a revised pcp.pp module has not previously
been installed, in which case you'll need
$ sudo semodule -X 200 -i pcp.pp
or if semodule is too old to understand -X 200
$ sudo semodule -i pcp.pp
verify installation with:
$ sudo semodule --list=full | grep pcp
or if semodule is too old to understand --list=full
sudo semodule -X 200 -i pcp.pp
1 Like