Leap 16 beta: Cockpit PCP pmlogger.service startup fails due to SELinux

Hi,

On Leap 16 beta (up to date), I installed Cockpit.

At the bottom of its /metrics section, Cockpit suggested installing PCP.

The suggestion can be seen in https://cockpit-project.org/images/metrics-page-no-pcp.png (The image is embedded in this article: Setting up PCP and Grafana metrics with Cockpit — Cockpit Project)

Clicking the button did install dependencies successfully. However, pmlogger.service cannot be started:

systemd[1]: Starting Performance Metrics Archive Logger...
rc[76844]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.4U3mQWSBt/tmp: Permission denied

SELinux makes a suggestion. I am wary of simply following these, as I assume a policy should be in place:

SELinux is preventing rc from add_name access on the directory tmp. For complete SELinux messages run: sealert -l 3f6b978a-bbb1-48c8-95a6-6e1673e6b5f9
SELinux is preventing rc from add_name access on the directory tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rc should be allowed add_name access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rc' --raw | audit2allow -M my-rc
# semodule -X 300 -i my-rc.pp

I attempted reinstalling cockpit-selinux-policies as suggested in Leap 16 Beta - Cockpit Login fails "Permission denied" - #19 by McAsim, but it did not improve the situation.

It looks like a policy should be available: pcp_pmlogger_selinux(8) — selinux-policy-devel

However, I know very little about SELinux yet, and I cannot interpret this page. I do not know if the policy is correct (and should handle the issue at hand) or if it is installed on my Leap 16 beta.

What should I do? Is this a bug? How can I work around the issue? Should I run the SELinux suggestion? Am I just overlooking a package? Should I install selinux-policy-devel, despite it being a development package? (I have selinux-policy, cockpit-selinux and cockpit-selinux-policies installed.)

Found a probable solution in Bugzilla:

https://bugzilla.opensuse.org/show_bug.cgi?id=1241611

Where did you install it from?

I clicked the button in Cockpit, which, I assume, installs from Tumbleweed sources?

Edit: The button is seen at the bottom center in this screenshot: https://cockpit-project.org/images/metrics-page-no-pcp.png

Cockpit itself was installed via Agama.

Edit: zypper se pcp shows pcp as installed.

The bug is mentioned in Request 1275299: Submit selinux-policy - openSUSE Build Service some days ago and should be solved, but my system is up to date and the issue still occurs as described on bugzilla. (I have not tried the suggested workaround yet.)

It appears that the bug linked above led to an updated version of selinux-policy, but the version is not available in Leap 16.

Leap offers version 20241031:

 zypper se -si selinux-policy
Loading repository data...
Reading installed packages...

S  | Name                    | Type    | Version                              | Arch   | Repository
---+-------------------------+---------+--------------------------------------+--------+---------------------------------------------------------------------
i  | selinux-policy          | package | 20241031+git516.1a75276b-160000.1.15 | noarch | https://download.opensuse.org/distribution/leap/16.0/repo/oss/x86_64
i  | selinux-policy          | package | 20241031+git516.1a75276b-160000.1.15 | noarch | repo-oss (16.0)
i  | selinux-policy-targeted | package | 20241031+git516.1a75276b-160000.1.15 | noarch | https://download.opensuse.org/distribution/leap/16.0/repo/oss/x86_64
i  | selinux-policy-targeted | package | 20241031+git516.1a75276b-160000.1.15 | noarch | repo-oss (16.0)

    Note: For an extended search including not yet activated remote resources please use 'zypper
    search-packages'.

The fix appears to be applied in version 20250507:

Will this version be published to the Leap 16 repository?


The SELinux relabeling fix for the rc script suggested in 1241611 – [SELinux] pmlogger fails to start works:

# chcon -t pcp_pmlogger_initrc_exec_t /etc/pcp/pmlogger/rc
# systemctl restart pmlogger
# systemctl status pmlogger 
● pmlogger.service - Performance Metrics Archive Logger
     Loaded: loaded (/usr/lib/systemd/system/pmlogger.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-05-21 11:37:53 CEST; 1s ago
 Invocation: 298c685d755e491ead83df781a166ba1
       Docs: man:pmlogger(1)
   Main PID: 78249 (pmlogger)
      Tasks: 1 (limit: 4668)
        CPU: 998ms
     CGroup: /system.slice/pmlogger.service
             └─78249 /usr/libexec/pcp/bin/pmlogger -N -P -d "\"/var/log/pcp/pmlogger/LOCALHOSTNAME\"" -r -T24h10m -c config.default -v 10>

May 21 11:37:53 host systemd[1]: Starting Performance Metrics Archive Logger...
May 21 11:37:53 host rc[78029]: /etc/pcp/pmlogger/rc: Warning: Performance Co-Pilot archive logger(s) not perm>
May 21 11:37:53 host rc[78029]:     To enable pmlogger, run the following as root:
May 21 11:37:53 host rc[78029]:     # /usr/bin/systemctl enable pmlogger.service
May 21 11:37:53 host systemd[1]: Started Performance Metrics Archive Logger.
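
Added example (not part of the original posts or the bug report): a chcon label lasts only until restorecon or a full relabel resets the file to the loaded policy's default, so this script reports whether the workaround above is in effect and whether it would survive a relabel. The function names and the sample contexts are constructed for illustration; the path and type are the ones used in the thread.

```shell
#!/bin/sh
# Added example: is the chcon workaround in effect, and will it survive a relabel?
RC_PATH=/etc/pcp/pmlogger/rc                 # path from the thread
WANTED_TYPE=pcp_pmlogger_initrc_exec_t       # type used in the chcon command

# Print the type field of a context "user:role:type:level". The level may
# contain further colons (s0:c0.c1023), so take field 3 only; input without
# any colon, such as matchpathcon's "<<none>>", yields an empty string.
selinux_type_of() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# label_status CURRENT_CONTEXT POLICY_DEFAULT_CONTEXT WANTED_TYPE
#   mismatch   - file does not carry the wanted type
#   temporary  - file has it, but the loaded policy's default differs, so
#                restorecon or a full relabel will undo the chcon
#   persistent - file has it and the policy default agrees
label_status() {
    ls_cur=$(selinux_type_of "$1")
    ls_def=$(selinux_type_of "$2")
    if [ "$ls_cur" != "$3" ]; then
        echo mismatch
    elif [ "$ls_def" = "$3" ]; then
        echo persistent
    else
        echo temporary
    fi
}

# Offline demonstration with constructed contexts (not captured from Leap 16):
# the file carries the wanted type, the policy default does not.
label_status 'system_u:object_r:pcp_pmlogger_initrc_exec_t:s0' \
             'system_u:object_r:etc_t:s0' "$WANTED_TYPE"

# On a live SELinux host: compare the on-disk label with the policy default.
if [ -e "$RC_PATH" ] && command -v matchpathcon >/dev/null 2>&1; then
    label_status "$(stat -c %C "$RC_PATH")" \
                 "$(matchpathcon -n "$RC_PATH")" "$WANTED_TYPE"
fi
```

A result of "temporary" means the relabel has to be reapplied after any restorecon or autorelabel until a selinux-policy package carrying the fix is installed.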

Open a bug report for Leap 16 and refer to the original bug report for Tumbleweed.


Reported as 1243420 – [SELinux] pmlogger fails to start.
