Hi all,

I installed Performance Co-Pilot 3 days ago, and installed the nVidia PMDA 
according to the instructions at 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/ch03s03s02.html
 and was able to view metrics about my video card using pmchart.  I then played 
around a little with the lmsensors PMDA (but it doesn't look too useful to me - 
it doesn't support my sensors, and I think it's for a 2.x kernel).

After not looking at PCP at all for a few days, today I tried using pmchart to 
look at the nVidia metrics again but they were unavailable, and after checking 
/var/log/messages I found SELinux complaints.  After a few iterations of the 
suggested 'grep pmdanvidia /var/log/audit/audit.log | audit2allow -M [...]', 
'semodule -i [...].pp', restarting the PCP service, getting new SELinux errors, 
going back to step 1, I ended up with this content in the .te file:

"""
module doshea-selinux-pcp-pmda-nvidia-gpu 1.0;

require {
    type xserver_misc_device_t;
    type pcp_pmcd_t;
    class capability sys_admin;
    class chr_file { read write ioctl open };
}

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:capability sys_admin;

#!!!! This avc is allowed in the current policy
allow pcp_pmcd_t xserver_misc_device_t:chr_file { read write ioctl open };
"""

I don't get why this worked 3 days ago and not today.  I haven't installed many 
packages in the meantime.

Should I file a bug somewhere about this?

I don't know much about SELinux - I have a slight ability to edit those .te 
files and I think I remember what to do with them afterwards - but it seems 
like the sys_admin capability is pretty significant to be granting.  Is there 
any way to work out why that's needed?

Thanks in advance,
David
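
Added example, not part of the original message and not PCP or CentOS code: one way to see what each generated rule is based on before loading it is to group the AVC denials by source type, target type and class, and to pair any broad capability denial with the SYSCALL record that shares its audit event serial. The log records below are constructed for illustration (timestamps, pid, inode, device name and syscall number are assumptions; only the types, class names and `pmdanvidia` come from the post).

```python
import re
from collections import defaultdict

# Constructed, shortened audit.log records (not from the post): timestamps, pid,
# inode, device name and syscall number are made up for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1400000000.101:501): avc:  denied  { read write } for  pid=2101 comm="pmdanvidia" name="nvidiactl" dev="devtmpfs" ino=9001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=AVC msg=audit(1400000000.102:502): avc:  denied  { open } for  pid=2101 comm="pmdanvidia" name="nvidiactl" dev="devtmpfs" ino=9001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=AVC msg=audit(1400000000.103:503): avc:  denied  { sys_admin } for  pid=2101 comm="pmdanvidia" capability=21  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
type=SYSCALL msg=audit(1400000000.103:503): arch=c000003e syscall=16 pid=2101 comm="pmdanvidia"
'''

SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\([\d.]+:(\d+)\):.*?\bsyscall=(\d+)", re.M)
AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]+)\}'
    r'.*?comm="([^"]+)".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)', re.M)
# Capabilities broad enough that a generated allow rule deserves a manual look.
BROAD_CAPS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "dac_override"}

def summarize(log_text):
    """Merge AVC denials per (source type, target type, class)."""
    syscalls = dict(SYSCALL_RE.findall(log_text))  # event serial -> syscall number
    rules = defaultdict(lambda: defaultdict(set))
    for serial, perms, comm, sctx, tctx, tclass in AVC_RE.findall(log_text):
        # The SELinux type is the third field of user:role:type:level.
        rule = rules[(sctx.split(":")[2], tctx.split(":")[2], tclass)]
        rule["perms"].update(perms.split())
        rule["comms"].add(comm)
        if serial in syscalls:  # same serial means same audit event
            rule["syscalls"].add(syscalls[serial])
    return rules

def render(rules):
    """Emit allow rules; put a review marker above broad capability grants."""
    lines = []
    for (src, tgt, tclass), rule in sorted(rules.items()):
        if tclass.startswith("capability") and BROAD_CAPS & rule["perms"]:
            lines.append("# REVIEW before allowing: comm=%s syscall=%s" % (
                ",".join(sorted(rule["comms"])),
                ",".join(sorted(rule["syscalls"])) or "?"))
        lines.append("allow %s %s:%s { %s };" % (
            src, "self" if src == tgt else tgt, tclass,
            " ".join(sorted(rule["perms"]))))
    return lines

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_LOG))))
```

The syscall number is only available when the audit log holds a SYSCALL record for the same event; the constructed value 16 is `ioctl` on x86_64.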
                                          