Chapter 52. Compiler and Tools

Oprofile utilities cannot collect performance data in kernel code by default

The kernel in Red Hat Enterprise Linux 7.3 changes the default value of /proc/sys/kernel/perf_event_paranoid from 1 to 2. As a consequence, collecting performance event data for code in the kernel requires root privileges. When the occount or operf utility is run as a normal user, the default performance event attempts to collect data for both kernel and user code, and the setup of the performance event fails because of the default perf_event_paranoid setting.
To work around this problem, change the value in /proc/sys/kernel/perf_event_paranoid to 1. If you cannot do that, determine the default event used on the machine by running the ophelp -d command, and then explicitly change the end of the event from :1:1 to :0:1 to disable data collection in kernel space, for example:
$ operf -e CPU_CLK_UNHALTED:100000:0:0:1 true
As a result, changing /proc/sys/kernel/perf_event_paranoid or explicitly disabling monitoring of kernel events for normal users allows collection of data, thus avoiding this issue. (BZ#1349077)
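
The second workaround can be scripted so that perf_event_paranoid stays at 2. The following is an added example, not part of the original release note or of OProfile. The function names, the PARANOID_FILE override, and the sample default event (the page's example with its kernel flag set back to 1) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat code): choose the operf event for the current caller.
# PARANOID_FILE can be overridden so the logic can be run against a constructed file.
PARANOID_FILE="${PARANOID_FILE:-/proc/sys/kernel/perf_event_paranoid}"

# Rewrite an event that ends in :1:1 (kernel+user) to :0:1 (user only).
user_only_event() {
    case "$1" in
        *:1:1) printf '%s:0:1\n' "${1%:1:1}" ;;
        *:0:1) printf '%s\n' "$1" ;;      # already user-space only
        *)     return 1 ;;                # unexpected shape: refuse to guess
    esac
}

# select_event DEFAULT_EVENT [UID]
# Prints the event to pass to "operf -e". Returns 2 if the setting is unreadable.
select_event() {
    default_event="$1"
    uid="${2:-$(id -u)}"
    level="$(cat "$PARANOID_FILE" 2>/dev/null)" || return 2
    digits="${level#-}"                   # the setting may be negative (-1)
    case "$digits" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$uid" -ne 0 ] && [ "$level" -ge 2 ]; then
        user_only_event "$default_event"  # kernel collection would fail to set up
    else
        printf '%s\n' "$default_event"
    fi
}

# Real use, with the tools named above:
#   operf -e "$(select_event "$(ophelp -d)")" true

# Constructed demo: a temp file with value 2 stands in for the procfs entry,
# and the default event is the page's example with its kernel flag set back to 1.
demo_file="$(mktemp)"
echo 2 > "$demo_file"
( PARANOID_FILE="$demo_file"; select_event "CPU_CLK_UNHALTED:100000:0:1:1" 1000 )
rm -f "$demo_file"
```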

The pesign key database requires manually changing permissions to enable improved access permission controls

The pesign key database, which is used to sign UEFI binaries, now offers a more generalized method of setting database access permissions. You can now configure permissions using system-wide key databases, which means that any user or group can now be granted access.
However, a known issue in the permission settings in pesign currently prevents this new feature from working. To enable the improved access control, you must change the permissions on the pesign key database manually:
chmod 0660 /etc/pki/pesign/*
chmod 0770 /etc/pki/pesign
After setting these permissions, the improved access control will become available. If you do not perform these steps, pesign behavior will be identical to previous releases. (BZ#1141263)