|
 |
cf525b |
commit d7679bd7cbb94692250a450bccf9f01cb982467f
|
|
|
cf525b |
Author: Mark Goodwin <mgoodwin@redhat.com>
|
|
|
cf525b |
Date: Fri Feb 12 10:12:59 2021 +1100
|
|
|
cf525b |
|
|
|
cf525b |
selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA
|
|
|
cf525b |
|
|
|
cf525b |
Add SELinux rules allowing pmcd to create, setopt, bind, getattr and
|
|
|
cf525b |
nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets.
|
|
|
cf525b |
|
|
|
cf525b |
Update qa/1622 and 917.
|
|
|
cf525b |
|
|
|
cf525b |
Resolves: RHBZ#1926756
|
|
|
cf525b |
|
|
|
cf525b |
diff --git a/qa/1622 b/qa/1622
|
|
|
cf525b |
index 83f260d6d..f62b5f89a 100755
|
|
|
cf525b |
--- a/qa/1622
|
|
|
cf525b |
+++ b/qa/1622
|
|
|
cf525b |
@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co
|
|
|
cf525b |
type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
|
|
|
cf525b |
type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
|
|
|
cf525b |
type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
|
|
|
cf525b |
+type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
EOF
|
|
|
cf525b |
|
|
|
cf525b |
echo "Silence is golden ... all AVC's are allowed by active policy"
|
|
|
cf525b |
diff --git a/qa/917.out.in b/qa/917.out.in
|
|
|
cf525b |
index 69c3b2d12..ddec57f9c 100644
|
|
|
cf525b |
--- a/qa/917.out.in
|
|
|
cf525b |
+++ b/qa/917.out.in
|
|
|
cf525b |
@@ -125,6 +125,7 @@ Checking policies.
|
|
|
cf525b |
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
|
|
|
cf525b |
allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
|
|
cf525b |
allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
|
|
cf525b |
+ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
|
|
|
cf525b |
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
|
|
cf525b |
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
|
|
|
cf525b |
allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
|
|
cf525b |
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
|
|
|
cf525b |
index 30b67d907..cbfa34c14 100644
|
|
|
cf525b |
--- a/src/selinux/GNUlocaldefs
|
|
|
cf525b |
+++ b/src/selinux/GNUlocaldefs
|
|
|
cf525b |
@@ -118,5 +118,7 @@ endif
|
|
|
cf525b |
|
|
|
cf525b |
ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"
|
|
|
cf525b |
PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };"
|
|
|
cf525b |
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
|
|
cf525b |
PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };"
|
|
|
cf525b |
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
|
|
cf525b |
endif
|
|
|
cf525b |
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
|
|
|
cf525b |
index e16859d7e..d04644fcb 100644
|
|
|
cf525b |
--- a/src/selinux/GNUmakefile
|
|
|
cf525b |
+++ b/src/selinux/GNUmakefile
|
|
|
cf525b |
@@ -80,6 +80,8 @@ $(IAM).te: $(IAM).te.in
|
|
|
cf525b |
-e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \
|
|
|
cf525b |
-e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \
|
|
|
cf525b |
-e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \
|
|
|
cf525b |
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \
|
|
|
cf525b |
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \
|
|
|
cf525b |
-e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
|
|
|
cf525b |
-e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
|
|
|
cf525b |
|
|
|
cf525b |
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
|
|
|
cf525b |
index 36a043be1..d935aee36 100644
|
|
|
cf525b |
--- a/src/selinux/pcpupstream.te.in
|
|
|
cf525b |
+++ b/src/selinux/pcpupstream.te.in
|
|
|
cf525b |
@@ -90,6 +90,7 @@ require {
|
|
|
cf525b |
@PCP_BPF_CLASS@
|
|
|
cf525b |
class system { module_request };
|
|
|
cf525b |
@PCP_NETLINK_GENERIC_SOCKET_CLASS@
|
|
|
cf525b |
+ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@
|
|
|
cf525b |
}
|
|
|
cf525b |
|
|
|
cf525b |
#============= init_t ==============
|
|
|
cf525b |
@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans };
|
|
|
cf525b |
# pmda-hacluster requirements for checking sbd
|
|
|
cf525b |
# type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1
|
|
|
cf525b |
@PCP_SBD_EXEC_RULE@
|
|
|
cf525b |
+
|
|
|
cf525b |
+#=========== pmda-sockets ============
|
|
|
cf525b |
+# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+# type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
|
|
cf525b |
+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@
|
|
|
cf525b |
|
|
|
cf525b |
commit a49772607d80b25b2ae4b8764be709bb27d7e16f
|
|
|
cf525b |
Author: Mark Goodwin <mgoodwin@redhat.com>
|
|
|
cf525b |
Date: Fri Feb 12 10:09:23 2021 +1100
|
|
|
cf525b |
|
|
|
cf525b |
pmdasockets: minor changes to Install and Remove, add -U username
|
|
|
cf525b |
|
|
|
cf525b |
Specify pmns_name in Install and Remove scripts since the pmda name
|
|
|
cf525b |
differs to the namespace. Add -U username for optional use when run
|
|
|
cf525b |
as a daemon.
|
|
|
cf525b |
|
|
|
cf525b |
diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile
|
|
|
cf525b |
index 34897f2e9..a32987ef7 100644
|
|
|
cf525b |
--- a/src/pmdas/linux_sockets/GNUmakefile
|
|
|
cf525b |
+++ b/src/pmdas/linux_sockets/GNUmakefile
|
|
|
cf525b |
@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h
|
|
|
cf525b |
LLDLIBS = $(PCP_PMDALIB)
|
|
|
cf525b |
LCFLAGS = $(INVISIBILITY)
|
|
|
cf525b |
|
|
|
cf525b |
-SCRIPTS = Install Remove
|
|
|
cf525b |
+SCRIPTS = Install Remove Upgrade
|
|
|
cf525b |
VERSION_SCRIPT = exports
|
|
|
cf525b |
LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log
|
|
|
cf525b |
|
|
|
cf525b |
diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install
|
|
|
cf525b |
index 4bc934c96..28d7c7f9e 100755
|
|
|
cf525b |
--- a/src/pmdas/linux_sockets/Install
|
|
|
cf525b |
+++ b/src/pmdas/linux_sockets/Install
|
|
|
cf525b |
@@ -1,4 +1,4 @@
|
|
|
cf525b |
-#! /bin/sh
|
|
|
cf525b |
+#!/usr/bin/sh
|
|
|
cf525b |
#
|
|
|
cf525b |
# Copyright (c) 2021 Red Hat.
|
|
|
cf525b |
#
|
|
|
cf525b |
@@ -25,6 +25,8 @@ dso_opt=true
|
|
|
cf525b |
pipe_opt=false
|
|
|
cf525b |
daemon_opt=false
|
|
|
cf525b |
|
|
|
cf525b |
+pmns_name=network.persocket # differs to PMDA name
|
|
|
cf525b |
+
|
|
|
cf525b |
which ss >/dev/null 2>&1
|
|
|
cf525b |
if [ $? -ne 0 ]
|
|
|
cf525b |
then
|
|
|
cf525b |
diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove
|
|
|
cf525b |
index 26edc85aa..3fee6a0e6 100755
|
|
|
cf525b |
--- a/src/pmdas/linux_sockets/Remove
|
|
|
cf525b |
+++ b/src/pmdas/linux_sockets/Remove
|
|
|
cf525b |
@@ -1,4 +1,4 @@
|
|
|
cf525b |
-#! /bin/sh
|
|
|
cf525b |
+#!/usr/bin/sh
|
|
|
cf525b |
#
|
|
|
cf525b |
# Copyright (c) 2021 Red Hat.
|
|
|
cf525b |
#
|
|
|
cf525b |
@@ -19,6 +19,7 @@
|
|
|
cf525b |
. $PCP_SHARE_DIR/lib/pmdaproc.sh
|
|
|
cf525b |
|
|
|
cf525b |
iam=sockets
|
|
|
cf525b |
+pmns_name=network.persocket # differs to PMDA name
|
|
|
cf525b |
|
|
|
cf525b |
pmdaSetup
|
|
|
cf525b |
pmdaRemove
|
|
|
cf525b |
diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
|
|
|
cf525b |
index 9bca5d9d0..fab4be290 100644
|
|
|
cf525b |
--- a/src/pmdas/linux_sockets/pmda.c
|
|
|
cf525b |
+++ b/src/pmdas/linux_sockets/pmda.c
|
|
|
cf525b |
@@ -23,6 +23,7 @@
|
|
|
cf525b |
#include "ss_stats.h"
|
|
|
cf525b |
|
|
|
cf525b |
static int _isDSO = 1; /* for local contexts */
|
|
|
cf525b |
+static char *username;
|
|
|
cf525b |
|
|
|
cf525b |
/* metrics supported in this PMDA - see metrictab.c */
|
|
|
cf525b |
extern pmdaMetric metrictable[];
|
|
|
cf525b |
@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp)
|
|
|
cf525b |
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
|
|
|
cf525b |
pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath);
|
|
|
cf525b |
}
|
|
|
cf525b |
+ else
|
|
|
cf525b |
+ pmSetProcessIdentity(username);
|
|
|
cf525b |
|
|
|
cf525b |
if (dp->status != 0)
|
|
|
cf525b |
return;
|
|
|
cf525b |
@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = {
|
|
|
cf525b |
PMOPT_DEBUG,
|
|
|
cf525b |
PMDAOPT_DOMAIN,
|
|
|
cf525b |
PMDAOPT_LOGFILE,
|
|
|
cf525b |
+ PMDAOPT_USERNAME,
|
|
|
cf525b |
PMOPT_HELP,
|
|
|
cf525b |
PMDA_OPTIONS_END
|
|
|
cf525b |
};
|
|
|
cf525b |
|
|
|
cf525b |
static pmdaOptions opts = {
|
|
|
cf525b |
- .short_options = "D:d:l:?",
|
|
|
cf525b |
+ .short_options = "D:d:l:U:?",
|
|
|
cf525b |
.long_options = longopts,
|
|
|
cf525b |
};
|
|
|
cf525b |
|
|
|
cf525b |
@@ -248,6 +252,7 @@ main(int argc, char **argv)
|
|
|
cf525b |
|
|
|
cf525b |
_isDSO = 0;
|
|
|
cf525b |
pmSetProgname(argv[0]);
|
|
|
cf525b |
+ pmGetUsername(&username);
|
|
|
cf525b |
pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help",
|
|
|
cf525b |
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
|
|
|
cf525b |
pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath);
|
|
|
cf525b |
@@ -257,6 +262,8 @@ main(int argc, char **argv)
|
|
|
cf525b |
pmdaUsageMessage(&opts);
|
|
|
cf525b |
exit(1);
|
|
|
cf525b |
}
|
|
|
cf525b |
+ if (opts.username)
|
|
|
cf525b |
+ username = opts.username;
|
|
|
cf525b |
|
|
|
cf525b |
pmdaOpenLog(&dispatch);
|
|
|
cf525b |
sockets_init(&dispatch);
|
|
|
cf525b |
|