CentOS 7 Pcp-pmda-nvidia-gpu SELinux Problems


Hi all,

I installed Performance Co-Pilot 3 days ago, and installed the nVidia PMDA according to the instructions at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/ch03s03s02.html and was able to view metrics about my video card using pmchart. I then played around a little with the lmsensors PMDA (but it doesn’t look too useful to me – it doesn’t support my sensors, and I think it’s for a 2.x kernel).

After not looking at PCP at all for a few days, today I tried using pmchart to look at the nVidia metrics again but they were unavailable, and after checking /var/log/messages I found SELinux complaints. After a few iterations of the suggested ‘grep pmdanvidia /var/log/audit/audit.log | audit2allow -M […]’, ‘semodule -i […].pp’, restarting the PCP service, getting new SELinux errors, going back to step 1, I ended up with this content in the .te file:

"""
module doshea-selinux-pcp-pmda-nvidia-gpu 1.0;

require {
	type xserver_misc_device_t;
	type pcp_pmcd_t;
	class capability sys_admin;
	class chr_file { read write ioctl open };
}

#============= pcp_pmcd_t =============
allow pcp_pmcd_t self:capability sys_admin;

#!!!! This avc is allowed in the current policy
allow pcp_pmcd_t xserver_misc_device_t:chr_file { read write ioctl open };
"""

I don’t get why this worked 3 days ago and not today. I haven’t installed many packages in the meantime.

Should I file a bug somewhere about this?

I don’t know much about SELinux – I have a slight ability to edit those .te files and I think I remember what to do with them afterwards – but it seems like the sys_admin capability is pretty significant to be granting. Is there any way to work out why that’s needed?

Thanks in advance, David
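One way to answer the "why is sys_admin needed" question before feeding every denial to audit2allow, added here as an example that is not from the original post or from the PCP project: parse the AVC records, merge them into the same (source, target, class) rules audit2allow would emit, and flag the broad permissions for a human to review. The audit records, the PID, the inode numbers and the /dev/nvidia0 path are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format (not copied from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1450874821.101:301): avc:  denied  { read } for  pid=2201 comm="pmdanvidia" name="nvidiactl" dev="devtmpfs" ino=9011 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450874821.102:302): avc:  denied  { ioctl open } for  pid=2201 comm="pmdanvidia" path="/dev/nvidia0" dev="devtmpfs" ino=9012 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1450874821.103:303): avc:  denied  { sys_admin } for  pid=2201 comm="pmdanvidia" capability=21  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1450874821.103:303): arch=c000003e syscall=16 success=no exit=-13 comm="pmdanvidia"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that widen a domain far beyond one device node; these need a human to ask "why?".
BROAD_PERMS = {("capability", "sys_admin"), ("capability", "sys_ptrace"), ("capability2", "mac_admin")}

def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; SYSCALL/PATH records and non-denial lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        d = {k: fields.get(k, "?") for k in ("comm", "scontext", "tcontext", "tclass")}
        d["perms"] = m.group("perms").split()
        denials.append(d)
    return denials

def summarize(denials):
    """Merge denials into (scontext, tcontext, tclass) -> perms, and list the broad ones to review."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["scontext"], d["tcontext"], d["tclass"])].update(d["perms"])
    review = [(k, p) for k, perms in rules.items() for p in sorted(perms) if (k[2], p) in BROAD_PERMS]
    return dict(rules), review

def as_allow_rule(key, perms):
    """Render a merged entry as the .te allow line audit2allow would emit ('self' for same-domain)."""
    src_type, tgt_type = key[0].split(":")[2], key[1].split(":")[2]
    target = "self" if key[0] == key[1] else tgt_type
    return f"allow {src_type} {target}:{key[2]} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    rules, review = summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for key, perms in rules.items():
        print(as_allow_rule(key, perms))
    for key, perm in review:
        print(f"REVIEW before granting: {key[0].split(':')[2]} asks for {key[2]} {perm}")
```

On a real host, feed it the output of the same `grep pmdanvidia /var/log/audit/audit.log` the original post used; the SYSCALL record sharing an audit id with the flagged AVC (here `:303`) names the system call that wanted the capability, which is the clue to whether the PMDA really needs it or is just probing.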

One thought on - CentOS 7 Pcp-pmda-nvidia-gpu SELinux Problems

  • I think I worked out one part: the SELinux issues probably didn’t pop up initially because the nVidia PMDA was probably started within the context of me running ‘sudo ./Install’, whereas after a reboot it was started within the context of systemd starting up pmcd. I just hit a similar issue with a PMDA that I wrote myself, where it worked fine after I ran the Install script but hit SELinux problems after ‘sudo systemctl restart pmcd’.

    Regards, David

    From: dcoshea@hotmail.com To: CentOS@CentOS.org Subject: CentOS 7 pcp-pmda-nvidia-gpu SELinux problems Date: Wed, 23 Dec 2015 22:47:01 +1000
