BZ 1790452 - Installation of pcp-pmda-samba causes SELinux issues
73772a60f selinux: fix pmdasamba(1) operating with selinux enforcing
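--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -34,6 +34,8 @@
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [udp_socket] { name_bind };
 ! allow [pcp_pmlogger_t] [unreserved_port_t] : [tcp_socket] { name_bind };
+ allow [pcp_pmcd_t] [samba_var_t] : [dir] { add_name write };
+ allow [pcp_pmcd_t] [samba_var_t] : [file] { create };
 allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
 ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
 allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };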
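--- a/src/pmdas/samba/pmdasamba.pl
+++ b/src/pmdas/samba/pmdasamba.pl
@@ -41,6 +41,7 @@
 $pmda->err("pmdasamba failed to open $smbstats pipe: $!");
 
 while (<STATS>) {
+ $_ =~ s/"//g;
 if (m/^\*\*\*\*\s+(\w+[^*]*)\**$/) {
 my $heading = $1;
 $heading =~ s/ +$//g;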
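--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -22,6 +22,7 @@
 type pcp_pmie_exec_t; # pmda.summary
 type ping_exec_t; # pmda.netcheck
 type openvswitch_exec_t; # pmda.openvswitch
+ type samba_var_t; # pmda.samba
 type websm_port_t; # pmda.openmetrics
 type system_cronjob_t;
 type user_home_t;
@@ -151,6 +152,10 @@
 #type=AVC msg=audit(YYY.94): avc: denied { name_bind } for pid=9365 comm=pmlogger src=4332 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 @PCP_UNRESERVED_PORT_RULE_PMLOGGER@
 
+#type=AVC msg=audit(YYY.97): avc: denied { write } for pid=3507787 comm="smbstatus" name="msg.lock" dev="dm-0" ino=283321 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
+allow pcp_pmcd_t samba_var_t:dir { add_name write }; # pmda.samba
+allow pcp_pmcd_t samba_var_t:file { create }; # pmda.samba
+
 #type=AVC msg=audit(YYY.15): avc: denied { name_connect } for pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
 allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.openmetrics
 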
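Review bot: The two new rules in the second hunk, `allow pcp_pmcd_t samba_var_t:dir { add_name write };` and `allow pcp_pmcd_t samba_var_t:file { create };`, are granted to the whole pcp_pmcd_t domain, so anything running in that domain can create entries in samba_var_t directories, not only the smbstatus process named in the AVC. The quoted denial documents only `{ write }` on the `msg.lock` directory; `add_name` and `create` have no recorded AVC, so their denials should be added as comments the way the rest of the file does, to show that each permission was actually required. A scope comment such as `# pmda.samba: smbstatus runs in pcp_pmcd_t and creates lock files under samba_var_t; grant is domain-wide` would make the trade-off explicit. If smbstatus goes on to open or write the file it creates, further denials may appear in enforcing mode, which is worth confirming with the QA test. The first hunk also adds `type samba_var_t;` to the type list unconditionally, which presumably requires the type to exist in the base policy on every target.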