SELinux Notification concerning 'ps' and 'perfmon' every few hours

Ask Fedora
1

Hey there, I have a question.

For the past few days, I’ve been receiving SELinux denials every few hours popping up. I’m not exactly sure what it means – I’ve tried to google, but searching for ‘perfmon’ mostly only brings up Windows related results.

Regardless, here’s the audit message:

SELinux is preventing ps from using the perfmon capability.

Plugin: catchall 
  SELinux denied access requested by ps. It is not expected that this access is
required by ps and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

If you believe that ps should have the perfmon capability by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -X 300 -i my-ps.pp

Checking my journalctl, the denials happen several times in rapid succession (all within the same second), before they stop. After a while, sometimes hours, sometimes minutes, it starts up again, flooding the log.

2

As you can see, it’s a lot.

image
image990×147 10.7 KB

3

Happened again, here’s more details on an individual log entry:

SELinux is preventing ps from using the perfmon capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ps should have the perfmon capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -X 300 -i my-ps.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:system_r:pcp_pmlogger_t:s0
Target Objects                Unknown [ capability2 ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          peridot
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.44-1.fc42.noarch
Local Policy RPM              pcp-selinux-6.3.7-5.fc42.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     peridot
Platform                      Linux peridot 6.15.4-200.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jun 27 15:32:46 UTC 2025
                              x86_64
Alert Count                   12814
First Seen                    2025-06-26 22:33:31 PDT
Last Seen                     2025-07-02 11:25:30 PDT
Local ID                      c63e6c64-2364-4abe-aa2d-fb947c3e53f8

Raw Audit Messages
type=AVC msg=audit(1751480730.273:2713): avc:  denied  { perfmon } for  pid=462555 comm="ps" capability=38  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability2 permissive=0


Hash: ps,pcp_pmlogger_t,pcp_pmlogger_t,capability2,perfmon
4

Apparently, it’s a known issue

4 Likes