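diff -Naurp pcp-4.1.0-orig/qa/1141 pcp-4.1.0/qa/1141
--- pcp-4.1.0-orig/qa/1141 2017-12-18 09:31:30.000000000 +1100
+++ pcp-4.1.0/qa/1141 2018-09-05 08:46:05.578019776 +1000
@@ -17,6 +17,8 @@ policy_name="pcpqaqaqaqa"
 policy_file="$PCP_VAR_DIR/selinux/pcpupstream.pp"
 which sedismod >/dev/null 2>&1 || _notrun "sedismod tool not installed (module disassembly)"
 which semodule >/dev/null 2>&1 || _notrun "semodule tool not installed"
+$sudo semodule -l >/dev/null 2>&1
+[ $? -eq 0 ] || _notrun "semodule -l fails"
 which seinfo >/dev/null 2>&1 || _notrun "seinfo tool not installed"
 [ -f "$policy_file" ] || _notrun "upstream policy package not installed"
 #if a matching module is already installed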
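Review bot: The two added lines check the result of `$sudo semodule -l` through `$?` on a separate line, while every neighbouring precondition in this hunk uses the one-line `cmd || _notrun "…"` form; folding it into the same shape reads better and drops the `$?` indirection: `$sudo semodule -l >/dev/null 2>&1 || _notrun "semodule -l fails"`. The message could also hint at the likely cause so a QA run is easier to triage, e.g. `_notrun "semodule -l fails (policy store not readable?)"`, since the tool itself has already been found by the `which` on the previous line.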
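diff -Naurp pcp-4.1.0-orig/qa/917.out.in pcp-4.1.0/qa/917.out.in
--- pcp-4.1.0-orig/qa/917.out.in 2018-05-09 07:50:53.000000000 +1000
+++ pcp-4.1.0/qa/917.out.in 2018-09-05 08:46:47.973426601 +1000
@@ -16,11 +16,11 @@ decl 1:
 allow [pcp_pmcd_t] [sysctl_net_t] : [dir] { search };
 allow [pcp_pmcd_t] [sysctl_net_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans open read };
- allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
- allow [pcp_pmcd_t] [debugfs_t] : [file] { getattr ioctl open read };
+ allow [pcp_pmcd_t] [debugfs_t] : [dir] { read search };
+ allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
 allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
 allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
- allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_owner sys_resource };
+ allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_lock ipc_owner sys_resource };
 allow [pcp_pmcd_t] [initctl_t] : [fifo_file] { getattr };
 allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
 allow [pcp_pmcd_t] self : [cap_userns] { sys_ptrace };
@@ -36,8 +36,8 @@ decl 1:
 allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
 allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
 allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
- allow [pcp_pmcd_t] [tracefs_t] : [file] { append open read };
- allow [pcp_pmcd_t] [gconf_home_t] : [dir] { search };
+ allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+ allow [pcp_pmcd_t] [gconf_home_t] : [dir] { open read search getattr };
 allow [pcp_pmcd_t] [virt_etc_t] : [dir] { search };
 allow [pcp_pmcd_t] [virt_etc_t] : [file] { open read };
 allow [pcp_pmcd_t] [virtd_t] : [unix_stream_socket] { connectto };
@@ -55,6 +55,7 @@ decl 1:
 allow [pcp_pmcd_t] [httpd_t] : [shm] { unix_read associate getattr };
 allow [pcp_pmcd_t] [httpd_t] : [sem] { unix_read associate getattr };
 allow [pcp_pmcd_t] [sysfs_t] : [dir] { write };
+ allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read };
 allow [pcp_pmcd_t] [hugetlbfs_t] : [dir] { open read };
 allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read };
 allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read };
@@ -65,6 +66,12 @@ decl 1:
 allow [pcp_pmcd_t] [glusterd_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmcd_t] [glusterd_var_lib_t] : [dir] { search };
 allow [pcp_pmcd_t] [mozilla_plugin_t] : [sem] { unix_read };
+ allow [pcp_pmcd_t] self : [process] { execmem setrlimit };
+ allow [pcp_pmcd_t] [system_map_t] : [file] { ioctl open read };
+ allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search };
+ allow [pcp_pmcd_t] [init_t] : [shm] { unix_read };
+ allow [pcp_pmcd_t] [gpsd_t] : [shm] { associate getattr };
+ allow [pcp_pmcd_t] [default_t] : [file] { getattr };
 allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
 allow [pcp_pmlogger_t] self : [capability] { kill };
 allow [pcp_pmlogger_t] [init_t] : [system] { status };
@@ -74,10 +81,12 @@ decl 1:
 allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal };
 allow [pcp_pmlogger_t] [pcp_pmlogger_exec_t] : [file] { execute_no_trans };
 allow [pcp_pmlogger_t] [dey_sapi_port_t] : [tcp_socket] { name_connect };
+ allow [pcp_pmlogger_t] [unconfined_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmlogger_t] [user_home_dir_t] : [dir] { search };
 allow [pcp_pmlogger_t] [kernel_t] : [unix_dgram_socket] { sendto };
+ allow [pcp_pmlogger_t] [home_bin_t] : [dir] { search };
 allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
- allow [pcp_pmie_t] self : [capability] { kill sys_ptrace net_admin chown };
+ allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner };
 allow [pcp_pmie_t] [init_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmie_t] [initrc_var_run_t] : [file] { lock open read };
 allow [pcp_pmie_t] [init_t] : [system] { status };
@@ -89,6 +98,7 @@ decl 1:
 allow [pcp_pmie_t] [kmsg_device_t] : [chr_file] { open };
 allow [pcp_pmie_t] [pcp_pmcd_t] : [process] { signal };
 allow [pcp_pmie_t] [init_exec_t] : [file] { getattr };
+ allow [pcp_pmie_t] [user_home_dir_t] : [dir] { search };
 allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
 allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
@@ -98,7 +108,7 @@ decl 1:
 allow [pcp_pmcd_t] [modules_object_t] : [dir] { search };
 allow [pcp_pmcd_t] [modules_object_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [saslauthd_t] : [unix_stream_socket] { connectto };
- allow [pcp_pmproxy_t] self : [capability] { net_admin };
+ allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin };
 allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
 allow [pcp_pmproxy_t] [sysctl_net_t] : [dir] { search };
 allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
@@ -109,4 +119,5 @@ decl 1:
 allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read };
 allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map };
 allow [pcp_pmcd_t] self : [capability] { sys_rawio };
+ allow [pcp_pmcd_t] [redis_port_t] : [tcp_socket] { name_connect };
 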
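diff -Naurp pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh pcp-4.1.0/src/pmlogger/pmlogger_check.sh
--- pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh 2018-06-12 20:18:14.000000000 +1000
+++ pcp-4.1.0/src/pmlogger/pmlogger_check.sh 2018-09-05 08:47:39.165710353 +1000
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (c) 2013-2016 Red Hat.
+# Copyright (c) 2013-2016,2018 Red Hat.
 # Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved.
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -160,6 +160,13 @@ then
 exit
 fi
 
+_compress_now()
+{
+ # If $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now.
+ # Invoked just before exit when this script has finished successfully.
+ $PCP_BINADM_DIR/pmlogger_daily -K $daily_args
+}
+
 # after argument checking, everything must be logged to ensure no mail is
 # accidentally sent from cron. Close stdout and stderr, then open stdout
 # as our logfile and redirect stderr there too.
@@ -175,10 +182,13 @@ else
 _save_prev_file "$PROGLOG"
 # After argument checking, everything must be logged to ensure no mail is
 # accidentally sent from cron. Close stdout and stderr, then open stdout
- # as our logfile and redirect stderr there too.
+ # as our logfile and redirect stderr there too. Create the log file with
+ # correct ownership first.
 #
- # Exception is for -N where we want to see the output
+ # Exception ($SHOWME, above) is for -N where we want to see the output.
 #
+ touch "$PROGLOG"
+ chown $PCP_USER:$PCP_GROUP "$PROGLOG" >/dev/null 2>&1
 exec 1>"$PROGLOG" 2>&1
 fi
 
@@ -219,11 +229,19 @@ fi
 
 if [ $STOP_PMLOGGER = true ]
 then
- # if pmlogger has never been started, there's no work to do to stop it
- [ ! -d "$PCP_TMP_DIR/pmlogger" ] && exit
+ # if pmlogger hasn't been started, there's no work to do to stop it
+ # but we still want to compress existing logs, if any
+ if [ ! -d "$PCP_TMP_DIR/pmlogger" ]
+ then
+ _compress_now
+ exit
+ fi
 $QUIETLY || $PCP_BINADM_DIR/pmpost "stop pmlogger from $prog"
 elif [ $START_PMLOGGER = false ]
 then
+ # if we're not going to start pmlogger, there is no work to do other
+ # than compress existing logs, if any.
+ _compress_now
 exit
 fi
 
@@ -964,10 +982,8 @@ then
 fi
 fi
 
-# and if $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now ...
-#
-$PCP_BINADM_DIR/pmlogger_daily -K $daily_args
-
+# Prior to exiting we compress existing logs, if any. See pmlogger_daily -K
+_compress_now
 
 [ -f $tmp/err ] && status=1
 exit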
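Review bot: The comment inside the new `_compress_now` says it is `Invoked just before exit when this script has finished successfully`, but the @@ -219 hunk now also calls it on the two early-exit paths (pmlogger never started under `$STOP_PMLOGGER`, and `$START_PMLOGGER = false`) before any of the main work has run, so the comment is out of date on the day it lands; `# Invoked before every exit once argument checking is done, including the early stop / no-start exits.` would match the call sites. Those early calls also execute well before the line ~964 spot where the original `-K` invocation lived, so it is worth confirming that `$daily_args` is fully assembled by line ~232 — if part of it is built later from the control-file pass, the early calls would hand `pmlogger_daily` an empty or partial argument list. In the @@ -175 hunk the `chown $PCP_USER:$PCP_GROUP "$PROGLOG"` result is discarded with `>/dev/null 2>&1`; that is understandable for keeping cron mail quiet, but a wrongly-owned log is then invisible, so consider capturing the status and reporting it once `exec 1>"$PROGLOG"` has taken effect, e.g. `chown … >/dev/null 2>&1 || _chown_failed=true` and a one-line message after the `exec`.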
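diff -Naurp pcp-4.1.0-orig/src/selinux/GNUlocaldefs pcp-4.1.0/src/selinux/GNUlocaldefs
--- pcp-4.1.0-orig/src/selinux/GNUlocaldefs 2018-05-08 09:38:33.000000000 +1000
+++ pcp-4.1.0/src/selinux/GNUlocaldefs 2018-09-05 08:45:27.409553808 +1000
@@ -44,6 +44,7 @@ endif
 ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true"
 PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc"
 PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;"
+PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;"
 endif
 
 ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true"
@@ -56,7 +57,7 @@ ifeq "$(PCP_SELINUX_TRACEFS)" "true"
 PCP_TRACEFS="type tracefs_t\;"
 PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;"
 PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;"
-PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { read open append }\;"
+PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;"
 endif
 
 ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true"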
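Review bot: `PCP_TRACEFS_FILE_RULE` in the @@ -56 hunk now grants `pcp_pmcd_t` `write` on `tracefs_t` files, which lets the collector change kernel tracing state under tracefs rather than only read trace events, but nothing in the hunk records which PMDA needs it; the policy source otherwise keeps an AVC record or bug id next to each rule, and the only tracefs denial quoted in pcpupstream.te.in shows `open`. A trailing comment on the rule, `# write: needed by <PMDA — fill in>`, or the motivating AVC line placed above `@PCP_TRACEFS_FILE_RULE@` in pcpupstream.te.in, would keep the justification with the rule. The same applies to `PCP_CAPUSERNS_PTRACE_RULE_PMIE` in the @@ -44 hunk, whose pmcd counterpart carries the `\#pmdaproc` tag while the pmie variant carries none.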
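diff -Naurp pcp-4.1.0-orig/src/selinux/GNUmakefile pcp-4.1.0/src/selinux/GNUmakefile
--- pcp-4.1.0-orig/src/selinux/GNUmakefile 2018-06-04 16:09:25.000000000 +1000
+++ pcp-4.1.0/src/selinux/GNUmakefile 2018-09-05 08:45:27.409553808 +1000
@@ -51,6 +51,7 @@ $(IAM).te: $(IAM).te.in
 -e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \
 -e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \
 -e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \
+ -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \
 -e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \
 -e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \
 -e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \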
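diff -Naurp pcp-4.1.0-orig/src/selinux/pcpupstream.te.in pcp-4.1.0/src/selinux/pcpupstream.te.in
--- pcp-4.1.0-orig/src/selinux/pcpupstream.te.in 2018-05-09 07:50:53.000000000 +1000
+++ pcp-4.1.0/src/selinux/pcpupstream.te.in 2018-09-05 08:45:27.410553794 +1000
@@ -29,13 +29,13 @@ require {
 type configfs_t; # pcp-lio
 type modules_conf_t; # pcp-lio
 type saslauthd_t; # pcp-lio
- type modules_object_t; # pcp-lio
+ type modules_object_t; # pcp-lio, pcp.bcc
 @PCP_NSFS_T@
 type nfsd_fs_t; #RHBZ1515928
 type pcp_pmie_exec_t; # pmdasummary
 @PCP_SYSTEMCTL_UNIT_FILE_T@
 @PCP_SYSTEMCTL_EXEC_T@
- type debugfs_t; # pmdalibvirt
+ type debugfs_t; # pmdalibvirt pmda.gfs2 pmda.bcc
 type unconfined_t; #RHBZ1443632
 type devlog_t; #RHBZ1449671
 @PCP_UNRESERVED_PORT@
@@ -53,6 +53,7 @@ require {
 @PCP_MOCK_VAR_LIB@
 type ldconfig_exec_t;
 type httpd_t;
+ type redis_port_t;
 type zabbix_port_t;
 type sysfs_t; #RHBZ1545245
 type hugetlbfs_t;
@@ -68,12 +69,18 @@ require {
 type kernel_t;
 type mozilla_plugin_t;
 type fsadm_exec_t;
+ type tracefs_t; # pmda.gfs2
+ type system_map_t; # pmda.bcc
+ type sysctl_irq_t; # pmda.bcc
+ type gpsd_t; #RHBZ1594991
+ type default_t;
+ type home_bin_t;
 class sem { unix_read associate getattr };
 class lnk_file { read getattr };
 class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
 class dir { add_name open read search write getattr };
 class unix_stream_socket connectto;
- class capability { kill sys_ptrace net_admin chown sys_chroot ipc_owner sys_resource fowner sys_rawio fsetid };
+ class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
 @PCP_CAPUSERNS_PTRACE@
 class chr_file { open write };
 class fifo_file { getattr read open unlink }; # qa/455
@@ -117,19 +124,18 @@ allow pcp_pmcd_t svirt_sandbox_file_t:di
 allow pcp_pmcd_t sysctl_net_t:dir search;
 allow pcp_pmcd_t sysctl_net_t:file { getattr open read };
 allow pcp_pmcd_t user_home_t:file { execute execute_no_trans open read };
-allow pcp_pmcd_t debugfs_t:dir read;
-allow pcp_pmcd_t debugfs_t:file { getattr ioctl open read };
+allow pcp_pmcd_t debugfs_t:dir { read search };
+allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
 allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
 allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
 #type=AVC msg=audit(1463754714.313:316): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
 #type=AVC msg=audit(1491576442.619:1738169): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
 #type=AVC msg=audit(1498833776.957:2094): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
-allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_owner chown kill sys_resource };
+allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource };
 
 #type=AVC msg=audit(1491581538.561:10949): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
 allow pcp_pmcd_t initctl_t:fifo_file getattr;
 
-#type=AVC msg=audit(1491581538.561:10950): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532007 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
 allow pcp_pmcd_t proc_kcore_t:file getattr;
 
 #type=AVC msg=audit(1491581538.587:10952): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
@@ -183,7 +189,7 @@ allow pcp_pmcd_t hostname_exec_t:file {
 #type=AVC msg=audit(1498845911.360:7647): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
 @PCP_TRACEFS_FILE_RULE@
 
-allow pcp_pmcd_t gconf_home_t:dir search;
+allow pcp_pmcd_t gconf_home_t:dir { getattr open read search };
 allow pcp_pmcd_t virt_etc_t:dir search;
 allow pcp_pmcd_t virt_etc_t:file { read open };
 allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
@@ -222,7 +228,8 @@ allow pcp_pmcd_t httpd_t:sem { unix_read
 #RHBZ1545245
 allow pcp_pmcd_t sysfs_t:dir write;
 
-#allow pcp_pmcd_t modules_object_t:lnk_file read;
+# pmda.bcc
+allow pcp_pmcd_t modules_object_t:lnk_file read;
 
 allow pcp_pmcd_t hugetlbfs_t:dir { open read };
 allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };
@@ -241,6 +248,21 @@ allow pcp_pmcd_t glusterd_var_lib_t:dir
 #RHBZ1565158
 allow pcp_pmcd_t mozilla_plugin_t:sem unix_read;
 
+#pmda.bcc
+allow pcp_pmcd_t self:process { execmem setrlimit };
+#type=AVC msg=audit(1530448398.992:231): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
+allow pcp_pmcd_t system_map_t:file { ioctl open read };
+
+allow pcp_pmcd_t sysctl_irq_t:dir { search };
+
+#RHBZ1592901
+allow pcp_pmcd_t init_t:shm unix_read;
+
+#RHBZ1594991
+allow pcp_pmcd_t gpsd_t:shm { associate getattr };
+
+allow pcp_pmcd_t default_t:file getattr;
+
 #============= pcp_pmlogger_t ==============
 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
 allow pcp_pmlogger_t self:capability kill;
@@ -257,7 +279,6 @@ allow pcp_pmlogger_t devlog_t:lnk_file r
 allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid };
 
 ## type=AVC msg=audit(04/19/2017 16:57:40.120:11020) : avc: denied { signal } for pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
-
 allow pcp_pmlogger_t unconfined_t:process signal;
 
 #type=AVC msg=audit(1503321970.417:261): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
@@ -266,17 +287,23 @@ allow pcp_pmlogger_t pcp_pmlogger_exec_t
 #type=AVC msg=audit(1493690261.688:262): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket
 allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
 
+#type=AVC msg=audit(1533291591.092:495620): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;
+
 #RHBZ1488116
 #type=AVC msg=audit(1504516526.487:431): avc: denied { search } for pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
 allow pcp_pmlogger_t user_home_dir_t:dir search;
-
 #RHBZ1547066
 allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto;
+
+allow pcp_pmlogger_t home_bin_t:dir search;
+
+
 #============= pcp_pmie_t ==============
 allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read @PCP_HOSTNAME_EXEC_MAP@ };
 
 #type=AVC msg=audit(1498847682.537:15753): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
-allow pcp_pmie_t self:capability { chown kill net_admin sys_ptrace };
+allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };
 
 #type=AVC msg=audit(04/05/2017 10:24:45.084:351) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
 allow pcp_pmie_t init_t:unix_stream_socket connectto;
@@ -319,6 +346,9 @@ allow pcp_pmie_t pcp_pmcd_t:process sign
 
 #RHBZ1547066
 allow pcp_pmie_t init_exec_t:file getattr;
+
+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@
+allow pcp_pmie_t user_home_dir_t:dir search;
 #============= pmda-lio ==============
 allow pcp_pmcd_t configfs_t:dir { open read search };
 allow pcp_pmcd_t configfs_t:file { getattr open read };
@@ -336,7 +366,7 @@ allow pcp_pmcd_t saslauthd_t:unix_stream
 
 #============= pcp_pmproxy_t ==============
 #type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
-allow pcp_pmproxy_t self:capability net_admin;
+allow pcp_pmproxy_t self:capability { net_admin dac_override };
 
 #type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { read } for pid=6669 comm=pmproxy name=disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
 #type=AVC msg=audit(04/05/2017 10:24:45.771:356) : avc: denied { open } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
@@ -373,3 +403,7 @@ allow pcp_pmmgr_t zabbix_port_t:tcp_sock
 allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
 @PCP_FSADM_EXEC_MAP_RULE@
 allow pcp_pmcd_t self:capability sys_rawio;
+
+#============= pmda-redis ==============
+#type=AVC msg=audit(1533183330.416:362367): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
+allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;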
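Review bot: Several of the new allow rules arrive without the AVC record or RHBZ reference that this file otherwise keeps beside each rule, and some of them widen the domains noticeably: `dac_override` for `pcp_pmie_t` (@@ -266) and `pcp_pmproxy_t` (@@ -336) lets those daemons bypass DAC permission checks on any file; `ipc_lock` on `pcp_pmcd_t` (@@ -117); `execmem` and `setrlimit` on `pcp_pmcd_t` plus `sysctl_irq_t:dir search` and `default_t:file getattr` (@@ -241) carry only a `#pmda.bcc` heading or no comment at all, and `default_t` is the label for files nothing else claims, so that last rule is hard to judge without knowing which path triggered it. `dac_override` in particular is frequently requested when the underlying denial is really a file-ownership problem — the companion `chown $PCP_USER:$PCP_GROUP "$PROGLOG"` change in pmlogger_check.sh hints that such a problem existed — so it is worth checking that the denial persists after that fix before widening both domains. Recording the motivating line above each rule, e.g. `#type=AVC … comm="pmie" … { dac_override } … tclass=capability` (the audit record from the report, to be filled in) above the pmie rule and a `#RHBZ<id>` or `# pmda.bcc: <reason — fill in>` above the others, would match how `init_t:shm` and `gpsd_t:shm` in the same @@ -241 hunk are already documented.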
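diff -Naurp pcp-4.1.0-orig/src/selinux/README pcp-4.1.0/src/selinux/README
--- pcp-4.1.0-orig/src/selinux/README 2017-11-29 14:33:29.000000000 +1100
+++ pcp-4.1.0/src/selinux/README 2018-09-05 08:45:27.410553794 +1000
@@ -102,14 +102,16 @@ In general usage, the only portion we ca
 
 SELinux manages a list of 'contexts' and how contexts are allowed to interact with each other.
 
-For example, it makes sense that the 'pcp_pmlogger_t' context to be
-able to read and write to pcp log files with a 'pcp_log_t' context.
-However, it doesn't make sense for 'pcp_pmlogger_t' to write to apache
+For example, it makes sense for the 'pcp_pmlogger_t' context to be
+able to read and write to PCP log files with a 'pcp_log_t' context.
+However, it doesn't make sense for 'pcp_pmlogger_t' to write to Apache
 log files, which have a 'httpd_log_t' context.
 
-Where this can be of focus for PCP is various pmda's gathering metrics from domains. And, using the example
-with apache earlier, many of these files have different contexts. We need to document these accesses and
-why they're required, building our own policy package for inclusion in the running policy.
+Where this can be of focus for PCP is various PMDA's gathering metrics
+from domains. And, using the example with Apache earlier, many of these
+files have different contexts. We need to document these accesses and
+why they're required, building our own policy package for inclusion in
+the running policy.
 
 == Testing ==
 
@@ -143,4 +145,4 @@ http://equivocation.org/node/24
 http://equivocation.org/node/27
 http://equivocation.org/node/42
 http://equivocation.org/node/51
-http://equivocation.org/node/52
\ No newline at end of file
+http://equivocation.org/node/52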