Blame SOURCES/selinux-policy.patch

06f99f
diff -Naurp pcp-4.3.2.orig/qa/917 pcp-4.3.2/qa/917
06f99f
--- pcp-4.3.2.orig/qa/917	2018-11-27 10:46:07.000000000 +1100
97e5ec
+++ pcp-4.3.2/qa/917	2020-04-01 15:30:14.402025885 +1100
06f99f
@@ -21,6 +21,7 @@ which seinfo >/dev/null 2>&1 || _notrun
06f99f
 ( seinfo -t 2>&1 | grep 'Default policy search failed: No such file or directory' >/dev/null ) && _notrun "seinfo version bad: can't load default policy"
06f99f
 [ -f "$policy_file" ] || _notrun "upstream policy package not installed"
06f99f
 $sudo semodule -l 2>&1 | grep -q $policy_name || _notrun "upstream policy package not loaded"
06f99f
+[ -f $PCP_INC_DIR/builddefs ] || _notrun "No $PCP_INC_DIR/builddefs"
06f99f
 
06f99f
 seinfo --common >/dev/null 2>&1
06f99f
 if [ $? -eq 0 ]
06f99f
@@ -29,30 +30,6 @@ then
06f99f
 else
06f99f
     common_flag=""
06f99f
 fi
06f99f
-nsfs_t=`seinfo -t | grep 'nsfs_t$'`
06f99f
-docker_var_lib_t=""
06f99f
-svirt_lxc_net_t=`seinfo -t | grep "svirt_lxc_net_t$"`
06f99f
-systemd_systemctl_exec_t=`seinfo -t | grep "systemd_systemctl_exec_t$"`
06f99f
-systemd_systemctl_unit_file_t=`seinfo -t | grep "systemd_unit_file_t$"`
06f99f
-systemd_systemctl_unit_dir_t=`seinfo -t | grep "systemd_unit_dir_t$"`
06f99f
-devlog_t=`seinfo -t | grep "devlog_t$"`
06f99f
-init_t=`seinfo -t | grep "init_t$"`
06f99f
-cap_userns_ptrace=`seinfo --class=cap_userns $common_flag -x 2>&1 | grep "sys_ptrace$"`
06f99f
-unreserved_port_t=`seinfo -t | grep "unreserved_port_t$"`
06f99f
-tracefs_t=`seinfo -t | grep "tracefs_t$"`
06f99f
-class_status=`seinfo -x --class=system $common_flag | grep "status$"`
06f99f
-sock_file_getattr=`seinfo -x --class=sock_file $common_flag | grep "getattr$"`
06f99f
-hostname_exec_map_a=`seinfo -x --class=file $common_flag | grep "map$"`
06f99f
-hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"`
06f99f
-#container_runtime_tmpfs_t=`seinfo -t | grep "container_runtime_tmpfs_t$"`
06f99f
-container_runtime_tmpfs_t=""
06f99f
-unconfined_service=`seinfo -t | grep "unconfined_service_t$"`
06f99f
-mock_var_lib=`seinfo -t | grep "mock_var_lib_t$"`
06f99f
-numad_context=`seinfo -t | grep "numad_t$"`
06f99f
-bpf_class=`seinfo -x --class=bpf $common_flag 2>/dev/null | grep "class bpf"`
06f99f
-wap_port_type=`seinfo -t | grep "wap_wsp_port_t$"`
06f99f
-non_auth_type=`seinfo -a | grep "non_auth_file_type$"`
06f99f
-non_security_type=`seinfo -a | grep "non_security_file_type$"`
06f99f
 
06f99f
 _filter_semodule()
06f99f
 {
06f99f
@@ -69,98 +46,132 @@ _filter_sedismod1()
06f99f
 }
06f99f
 _filter_outfile()
06f99f
 {
06f99f
-    awk -v container_t="$container_runtime_t" \
06f99f
-	-v container_tmpfs_t="$container_runtime_tmpfs_t" \
06f99f
-	-v nsfs_t="$nsfs_t" \
06f99f
-	-v docker_var_lib_t="$docker_var_lib_t" \
06f99f
-	-v svirt_lxc_net_t="$svirt_lxc_net_t" \
06f99f
-	-v class_status="$class_status" \
06f99f
-	-v systemd_systemctl_exec_t="$systemd_systemctl_exec_t" \
06f99f
-	-v systemd_systemctl_unit_file_t="$systemd_systemctl_unit_file_t" \
06f99f
-	-v systemd_systemctl_unit_dir_t="$systemd_systemctl_unit_dir_t" \
06f99f
-	-v devlog_t="$devlog_t" \
06f99f
-	-v init_t="$init_t" \
06f99f
-	-v cap_userns_ptrace="$cap_userns_ptrace" \
06f99f
-	-v unreserved_port_t="$unreserved_port_t" \
06f99f
-	-v tracefs_t="$tracefs_t" \
06f99f
-	-v sock_file_getattr="$sock_file_getattr" \
06f99f
-	-v hostname_exec_map_a="$hostname_exec_map_a" \
06f99f
-	-v hostname_exec_map_b="$hostname_exec_map_b" \
06f99f
-	-v unconfined_service="$unconfined_service" \
06f99f
-	-v mock_var_lib="$mock_var_lib" \
06f99f
-	-v numad_context="$numad_context" \
06f99f
-        -v bpf_class="$bpf_class" \
06f99f
-        -v wap_port_type="$wap_port_type" \
06f99f
-        -v non_auth_type="$non_auth_type" \
06f99f
-        -v non_security_type="$non_security_type" \
06f99f
-    '{
06f99f
-    	if (container_t == "" && /container_runtime_t /)
06f99f
-	   !/container_runtime_t / ;
06f99f
-	else if (container_tmpfs_t == "" && /container_runtime_tmpfs_t/)
06f99f
-	   !/container_runtime_tmpfs_t/ ;
06f99f
-	else if (nsfs_t == "" && /nsfs_t/)
06f99f
-	   !/nsfs_t/ ;
06f99f
-    	else if (docker_var_lib_t == "" && /docker_var_lib_t/)
06f99f
-	   !/docker_var_lib_t/ ;
06f99f
-    	else if (svirt_lxc_net_t == "" && /svirt_lxc_net_t/)
06f99f
-	   !/svirt_lxc_net_t/ ;
06f99f
-    	else if (systemd_systemctl_exec_t == "" && /systemd_systemctl_exec_t/)
06f99f
-	   !/systemd_systemctl_exec_t/ ;
06f99f
-    	else if (systemd_systemctl_unit_file_t == "" && /systemd_unit_file_t/)
06f99f
-	   !/systemd_unit_file_t/ ;
06f99f
-    	else if (systemd_systemctl_unit_dir_t == "" && /systemd_unit_dir_t/)
06f99f
-	   !/systemd_unit_dir_t/ ;
06f99f
-	else if (devlog_t == "" && /devlog_t/)
06f99f
-	   !/devlog_t/ ;
06f99f
-	else if (init_t == "" && /init_t/)
06f99f
-	   !/init_t/ ;
06f99f
-	else if (cap_userns_ptrace == "" && /cap_userns/)
06f99f
-	   !/cap_userns/ ;
06f99f
-	else if (unreserved_port_t == "" && /unreserved_port_t/)
06f99f
-	   !/unreserved_port_t/ ;
06f99f
-	else if (tracefs_t == "" && /tracefs_t/)
06f99f
-	   !/tracefs_t/ ;
06f99f
-        else if (class_status == "" && /system.*status/)
06f99f
-           !/system.*status/ ;
06f99f
-	else if (sock_file_getattr == "" && /gpmctl_t/)
06f99f
-	   !/gpmctl_t/ ;
06f99f
-	else if (unconfined_service == "" && /unconfined_service_t/)
06f99f
-	   !/unconfined_service_t/ ;
06f99f
-	else if (mock_var_lib == "" && /mock_var_lib_t/)
06f99f
-	   !/mock_var_lib_t/ ;
06f99f
-        else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /ldconfig_exec_t/ && /map/)
06f99f
-           !/ldconfig_exec_t/ ;
06f99f
-        else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_tmp_t/ && /map/)
06f99f
-           !/pcp_tmp_t/ ;
06f99f
-        else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /fsadm_exec_t/ && /map/)
06f99f
-           !/fsadm_exec_t/ ;
06f99f
-	else if (numad_context == "" && /numda_t/)
06f99f
-	   !/numad_t/ ;
06f99f
-	else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) {
06f99f
-	     printf("  allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n")
06f99f
-	   }
06f99f
-        else if (bpf_class == "" && /bpf/)
06f99f
-            !/bpf/ ;
06f99f
-        else if (wap_port_type == "" && /wap_wsp_port_t/)
06f99f
-            !/wap_wsp_port_t/ ;
06f99f
-        else if (non_auth_type == "" && /non_auth_file_type/)
06f99f
-            !/non_auth_file_type/ ;
06f99f
-        else if (non_auth_type != "" && /non_security_file_type/)
06f99f
-            !/non_security_file_type/ ;
06f99f
-	else
06f99f
-	   print;
06f99f
-    }'
06f99f
+    sed -f $tmp.sed
06f99f
 }
06f99f
 
06f99f
 status=1	# failure is the default!
06f99f
 $sudo rm -rf $tmp $tmp.* $seq.full
06f99f
 trap "cd $here; $sudo rm -rf $tmp $tmp.*; exit \$status" 0 1 2 3 15
06f99f
-echo > $seq.full
06f99f
 
06f99f
-cat $seq.out.in | _filter_outfile > $seq.out
06f99f
+# use logic from configure.ac to build list of optional types that are
06f99f
+# not present on this system and need to be culled from $seq.out.in
06f99f
+#
06f99f
+seinfo -t >$tmp.types
06f99f
+echo '/^#/d' >$tmp.sed
06f99f
+echo '/^!/s// /' >>$tmp.sed
06f99f
+for type in container_runtime_t nsfs_t docker_var_lib_t unreserved_port_t \
06f99f
+	    tracefs_t unconfined_service_t numad_t rpm_var_lib_t \
06f99f
+	    virt_var_run_t
06f99f
+do
06f99f
+    if grep "^[ 	][ 	]*$type\$" $tmp.types >/dev/null
06f99f
+    then
06f99f
+	:
06f99f
+    else
06f99f
+	echo "/^  *$type\$/d" >>$tmp.sed
06f99f
+	# and some missing types => associated rules need to be culled or
06f99f
+	# edited
06f99f
+	#
06f99f
+	case "$type"
06f99f
+	in
06f99f
+	    nsfs_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[nsfs_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    unreserved_port_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[unreserved_port_t]/d' >>$tmp.sed
06f99f
+		echo '/allow \[pcp_pmmgr_t] \[unreserved_port_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    tracefs_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[tracefs_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    unconfined_service_t)
06f99f
+		echo '/allow \[pcp_pmlogger_t] \[unconfined_service_t]/d' >>$tmp.sed
06f99f
+		echo '/allow \[pcp_pmie_t] \[unconfined_service_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    numad_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[numad_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    rpm_var_lib_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	    virt_var_run_t)
06f99f
+		echo '/allow \[pcp_pmcd_t] \[virt_var_run_t]/d' >>$tmp.sed
06f99f
+		;;
06f99f
+	esac
06f99f
+    fi
06f99f
+done
06f99f
+
06f99f
+# now the class ones ... also using logic from configure.ac
06f99f
+#
06f99f
+if seinfo -x --class=cap_userns $common_flag 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*sys_ptrace$' >/dev/null
06f99f
+then
06f99f
+    :
06f99f
+else
06f99f
+    echo '/allow \[pcp_pmie_t] .*\[cap_userns]/d' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+if seinfo -x --class=file $common_flag 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*map$' >/dev/null
06f99f
+then
06f99f
+    :
06f99f
+elif seinfo -x --common file 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*map$' >/dev/null
06f99f
+then
06f99f
+    :
06f99f
+else
06f99f
+    # if no map, need to cull these one as map is the only permission
06f99f
+    #
06f99f
+    echo '/allow \[pcp_pmcd_t] \[ldconfig_exec_t] : \[file].* map/d' >>$tmp.sed
06f99f
+    echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t] : \[file].* map/d' >>$tmp.sed
06f99f
+    echo '/allow \[pcp_pmcd_t] \[default_t] : \[file].* map/d' >>$tmp.sed
06f99f
+    # strip "map" from permissions for others
06f99f
+    #
06f99f
+    echo '/\[pcp_pmie_exec_t] .*\[file]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmcd_t] .*\[file]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmie_t] .*\[hostname_exec_t]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmcd_t] \[fsadm_exec_t]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmcd_t] \[default_t]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmcd_t] \[pcp_pmie_exec_t]/s/ map / /' >>$tmp.sed
06f99f
+    echo '/\[pcp_pmcd_t] \[pcp_tmp_t]/s/ map / /' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+if seinfo -x --class=bpf $common_flag 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*class bpf$' >/dev/null
06f99f
+then
06f99f
+    :
06f99f
+else
06f99f
+    echo '/allow \[pcp_pmcd_t] .*\[bpf]/d' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+if seinfo -x --class=capability2 $common_flag 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*syslog$' >/dev/null
06f99f
+then
06f99f
+    :
06f99f
+else
06f99f
+    echo '/allow \[pcp_pmcd_t\] .*\[capability2\]/d' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+if seinfo -a 2>&1 \
06f99f
+   | grep '^[ 	][ 	]*non_auth_file_type$' >/dev/null
06f99f
+then
06f99f
+    echo '/allow \[pcp_domain] \[non_security_file_type]/d' >>$tmp.sed
06f99f
+else
06f99f
+    echo '/allow \[pcp_domain] \[non_auth_file_type]/d' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+if grep 'PCP_SELINUX_FILES_MMAP_ALL_FILES[ 	]*=[ 	]*true' $PCP_INC_DIR/builddefs >/dev/null 2>&1
06f99f
+then
06f99f
+    :
06f99f
+else
06f99f
+    echo '/allow \[pcp_domain] \[file_type] : \[file].* map/d' >>$tmp.sed
06f99f
+fi
06f99f
+
06f99f
+cat $tmp.sed >>$seq.full
06f99f
+
06f99f
+cat $seq.out.in | _filter_outfile >$seq.out
06f99f
 
06f99f
 echo "full policy modules list on the system"
06f99f
-$sudo semodule -l >> $seq.full
06f99f
+$sudo semodule -l >>$seq.full
06f99f
 echo "Checking that pcpupstream policy module has been properly installed"
06f99f
 awk '{ print $1 }' $seq.full | grep "pcpupstream$"  | _filter_semodule
06f99f
 # real QA test starts here
06f99f
diff -Naurp pcp-4.3.2.orig/qa/917.out.in pcp-4.3.2/qa/917.out.in
06f99f
--- pcp-4.3.2.orig/qa/917.out.in	2019-04-26 09:57:42.000000000 +1000
97e5ec
+++ pcp-4.3.2/qa/917.out.in	2020-04-01 15:30:37.069633323 +1100
06f99f
@@ -3,6 +3,17 @@ full policy modules list on the system
06f99f
 Checking that pcpupstream policy module has been properly installed
06f99f
 pcpupstream
06f99f
 Checking policies.
06f99f
+# Notes
06f99f
+# - lines begining # are comments for PCP QA developers and will be
06f99f
+#   stripped when creating 917.out from this file
06f99f
+# - lines beginning ! in the block below are places where the rules
06f99f
+#   are conditional, and the 917 script needs to mimic the configuration
06f99f
+#   changes that are driven from configure.ac (see the pcp_selinux_*
06f99f
+#   macro settings), and src/selinux/GNUlocaldefs (see the PCP_* macro 
06f99f
+#   settings)
06f99f
+# - otherwise lines in the block below come from
06f99f
+#   src/selinux/pcpupstream.te.in (after macro substitution)
06f99f
+#   
06f99f
 --- begin avrule block ---
06f99f
 decl 1:
06f99f
   allow [init_t] [pcp_log_t] : [dir] { read };
97e5ec
@@ -14,60 +25,65 @@ decl 1:
06f99f
   allow [init_t] [system_cronjob_t] : [dbus] { send_msg };
06f99f
   allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans };
06f99f
   allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
06f99f
-  allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
06f99f
+! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
06f99f
   allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
06f99f
   allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
06f99f
   allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource };
06f99f
-  allow [pcp_pmcd_t] [nsfs_t] : [file] { open read };
06f99f
-  allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
06f99f
-  allow [pcp_pmcd_t] [svirt_lxc_net_t] : [dir] { open read search };
06f99f
+! allow [pcp_pmcd_t] [nsfs_t] : [file] { open read };
06f99f
+! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
06f99f
   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
06f99f
-  allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans };
06f99f
-  allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { map };
06f99f
+! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
06f99f
   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
06f99f
-  allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
06f99f
-  allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
06f99f
+! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
06f99f
+! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
06f99f
+! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
06f99f
   allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write };
06f99f
   allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write };
06f99f
-  allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map };
06f99f
+! allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map };
06f99f
   allow [pcp_pmcd_t] [sysfs_t] : [dir] { write };
06f99f
   allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read };
06f99f
   allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read };
97e5ec
+  allow [pcp_pmcd_t] [ndc_exec_t] : [file] { execute };
06f99f
   allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read };
06f99f
-  allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read };
06f99f
+! allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read };
06f99f
   allow [pcp_pmcd_t] [glusterd_log_t] : [file] { open read write };
06f99f
   allow [pcp_pmcd_t] self : [process] { execmem setrlimit ptrace };
06f99f
   allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search };
06f99f
-  allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run };
06f99f
+! allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run };
06f99f
   allow [pcp_pmcd_t] [kernel_t] : [process] { signull };
06f99f
+! allow [pcp_pmcd_t] self : [capability2] { syslog };
06f99f
   allow [pcp_pmcd_t] [kernel_t] : [system] { module_request };
06f99f
   allow [pcp_pmcd_t] [su_exec_t] : [file] { execute };
06f99f
   allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
97e5ec
-  allow [pcp_pmlogger_t] self : [capability] { kill };
97e5ec
-  allow [pcp_pmlogger_t] self : [capability] { sys_ptrace fowner fsetid };
97e5ec
+  allow [pcp_pmlogger_t] self : [capability] { kill sys_ptrace fowner fsetid };
06f99f
   allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal };
06f99f
   allow [pcp_pmlogger_t] [unconfined_service_t] : [process] { signal };
06f99f
   allow [pcp_pmlogger_t] [user_tmp_t] : [file] { setattr unlink };
06f99f
-  allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
97e5ec
+  allow [pcp_pmlogger_t] [setfiles_exec_t] : [file] { execute };
06f99f
+! allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
06f99f
   allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner };
06f99f
   allow [pcp_pmie_t] [proc_net_t] : [file] { read };
06f99f
-  allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace };
06f99f
+! allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace };
06f99f
   allow [pcp_pmie_t] [unconfined_t] : [process] { signal };
06f99f
   allow [pcp_pmie_t] [unconfined_service_t] : [process] { signal };
06f99f
-  allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
06f99f
-  allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
06f99f
+  allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search write };
06f99f
+  allow [pcp_pmcd_t] [configfs_t] : [file] { getattr ioctl open read };
06f99f
   allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
06f99f
   allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read };
06f99f
   allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin };
06f99f
   allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
06f99f
   allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
06f99f
-  allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind };
06f99f
+! allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind };
06f99f
   allow [pcp_pmmgr_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read };
06f99f
-  allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read };
06f99f
-  allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map };
06f99f
-  allow [pcp_pmcd_t] [default_t] : [file] { execute map };
06f99f
+  allow [pcp_pmmgr_t] self : [capability] { dac_override };
06f99f
+! allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read map };
06f99f
+! allow [pcp_pmcd_t] [default_t] : [file] { execute map };
06f99f
   allow [pcp_pmcd_t] self : [capability] { sys_rawio };
06f99f
-  allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl };
06f99f
+! allow [pcp_pmcd_t] [rpm_var_lib_t] : [file] { map };
06f99f
+! allow [pcp_pmcd_t] [virt_var_run_t] : [sock_file] { write };
06f99f
+! allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl };
06f99f
+! allow [pcp_domain] [non_security_file_type] : [dir] { open search getattr };
06f99f
+! allow [pcp_domain] [non_security_file_type] : [dir] { open read search getattr lock ioctl };
06f99f
   allow [pcp_pmcd_t] [file_type] : [dir] { open read search getattr lock ioctl };
06f99f
   allow [pcp_pmcd_t] [file_type] : [dir] { open search getattr };
06f99f
   allow [pcp_pmcd_t] [file_type] : [file] { getattr ioctl lock open read };
97e5ec
@@ -93,6 +109,7 @@ decl 1:
06f99f
   allow [pcp_domain] [userdomain] : [sem] { unix_read associate getattr read };
06f99f
   allow [pcp_domain] [domain] : [unix_stream_socket] { connectto };
06f99f
   allow [pcp_domain] [port_type] : [tcp_socket] { name_connect };
06f99f
+! allow [pcp_domain] [file_type] : [file] { map };
06f99f
 --- begin avrule block ---
06f99f
 decl 2:
06f99f
   allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
06f99f
diff -Naurp pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python
06f99f
--- pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python	2018-09-18 16:41:15.000000000 +1000
97e5ec
+++ pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python	2020-04-01 15:30:14.403025868 +1100
06f99f
@@ -323,6 +323,11 @@ class PCPBCCBase(object):
06f99f
             else:
06f99f
                 return "0.5.0"
06f99f
 
06f99f
+    @staticmethod
06f99f
+    def bcc_version_tuple():
06f99f
+        """ Returns BCC version as an int tuple (for comparisons) """
06f99f
+        return tuple(map(int, PCPBCCBase.bcc_version().split('.')))
06f99f
+
06f99f
     def perf_buffer_poller(self):
06f99f
         """ BPF poller """
06f99f
         try:
06f99f
@@ -365,7 +370,10 @@ class PCPBCCBase(object):
06f99f
         Compat: bcc < 0.6.0
06f99f
         source: https://github.com/iovisor/bcc/blame/master/src/python/bcc/__init__.py
06f99f
         """
06f99f
-        return self.get_syscall_prefix() + name
06f99f
+        if hasattr(self.bpf, 'get_syscall_fnname'):
06f99f
+            return self.bpf.get_syscall_fnname(name)
06f99f
+        else:
06f99f
+            return self.get_syscall_prefix() + name
06f99f
 
06f99f
     def get_kprobe_functions(self, event_re):
06f99f
         """
06f99f
diff -Naurp pcp-4.3.2.orig/src/selinux/GNUlocaldefs pcp-4.3.2/src/selinux/GNUlocaldefs
06f99f
--- pcp-4.3.2.orig/src/selinux/GNUlocaldefs	2019-04-16 11:43:42.000000000 +1000
97e5ec
+++ pcp-4.3.2/src/selinux/GNUlocaldefs	2020-04-01 15:30:14.403025868 +1100
06f99f
@@ -1,101 +1,68 @@
06f99f
 ifeq "$(PCP_SELINUX_CONTAINER_RUNTIME)" "true"
06f99f
-PCP_CONTAINER_RUNTIME_T="type container_runtime_t\;"
06f99f
-PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto\;"
06f99f
+PCP_CONTAINER_RUNTIME_T="type container_runtime_t;"
06f99f
+PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto;"
06f99f
 else
06f99f
 PCP_CONTAINER_RUNTIME_RULE=""
06f99f
 PCP_CONTAINER_RUNTIME_T=""
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_NSFS)" "true"
06f99f
-PCP_NSFS_T="type nsfs_t\; \# filesys.used"
06f99f
-PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open }\;"
06f99f
+PCP_NSFS_T="type nsfs_t; \# filesys.used"
06f99f
+PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open };"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_DOCKER_VAR_LIB)" "true"
06f99f
-PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t\;"
06f99f
-PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search\;"
06f99f
+PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t;"
06f99f
+PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search;"
06f99f
 else
06f99f
 PCP_DOCKER_VAR_LIB_T=""
06f99f
 PCP_DOCKER_VAR_LIB_RULE=""
06f99f
 endif
06f99f
 
06f99f
-ifeq "$(PCP_SELINUX_SVIRT_LXC_NET)" "true"
06f99f
-PCP_SVIRT_LXC_NET_T="type svirt_lxc_net_t\;"
06f99f
-PCP_SVIRT_LXC_NET_RULE="allow pcp_pmcd_t svirt_lxc_net_t:dir { open read search }\;"
06f99f
-endif
06f99f
-
06f99f
-ifeq "$(PCP_SELINUX_CLASS_STATUS)" "true"
06f99f
-PCP_CLASS_STATUS="class system status\;"
06f99f
-PCP_PMLOGGER_SYSTEM_STATUS_RULE="allow pcp_pmlogger_t init_t:system status\;"
06f99f
-PCP_PMIE_SYSTEM_STATUS_RULE="allow pcp_pmie_t init_t:system status\;"
06f99f
-endif
06f99f
-
06f99f
-ifeq "$(PCP_SELINUX_SYSTEMD_UNIT_FILE)" "true"
06f99f
-PCP_SYSTEMCTL_UNIT_FILE_T="type systemd_unit_file_t\;"
06f99f
-PCP_SYSTEMCTL_UNIT_FILE_RULE="allow pcp_pmie_t systemd_unit_file_t:file getattr\;"
06f99f
-PCP_SYSTEMCTL_UNIT_DIR_RULE="allow pcp_pmie_t systemd_unit_file_t:dir search\;"
06f99f
-endif
06f99f
-
06f99f
-ifeq "$(PCP_SELINUX_SYSTEMD_EXEC)" "true"
06f99f
-PCP_SYSTEMCTL_EXEC_T="type systemd_systemctl_exec_t\;"
06f99f
-PCP_SYSTEMCTL_EXEC_RULE="allow pcp_pmie_t systemd_systemctl_exec_t:file { execute execute_no_trans open read getattr }\;"
06f99f
-endif
06f99f
-
06f99f
 ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true"
06f99f
-PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc"
06f99f
-PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;"
06f99f
-PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;"
06f99f
+PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace; \# pmdaproc"
06f99f
+PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace;"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true"
06f99f
-PCP_UNRESERVED_PORT="type unreserved_port_t\;"
06f99f
-PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect }\;"
06f99f
-PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind\;"
06f99f
+PCP_UNRESERVED_PORT="type unreserved_port_t;"
06f99f
+PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };"
06f99f
+PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_TRACEFS)" "true"
06f99f
-PCP_TRACEFS="type tracefs_t\;"
06f99f
-PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;"
06f99f
-PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;"
06f99f
-PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;"
06f99f
-endif
06f99f
-
06f99f
-ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true"
06f99f
-PCP_SOCK_FILE_GETATTR="class sock_file getattr\;"
06f99f
-PCP_SOCK_FILE_GETATTR_RULE="allow pcp_pmcd_t gpmctl_t:sock_file getattr\;"
06f99f
+PCP_TRACEFS="type tracefs_t;"
06f99f
+PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount;"
06f99f
+PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open };"
06f99f
+PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write };"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
06f99f
-PCP_HOSTNAME_EXEC_MAP=" map "
06f99f
-PCP_TMP_T_MAP_RULE="allow pcp_pmcd_t pcp_tmp_t:file map\;"
06f99f
-PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;"
06f99f
-PCP_FSADM_EXEC_MAP_RULE="allow pcp_pmcd_t fsadm_exec_t:file map\;"
06f99f
-PCP_DEFAULT_T_MAP="allow pcp_pmcd_t default_t:file { map execute }\;"
06f99f
+PCP_HOSTNAME_EXEC_MAP="map"
06f99f
+PCP_TMP_MAP="map"
06f99f
+PCP_FSADM_EXEC_MAP="map"
06f99f
+PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map;"
06f99f
+PCP_DEFAULT_MAP_RULE="allow pcp_pmcd_t default_t:file { map execute };"
06f99f
 endif
06f99f
 
06f99f
-ifeq "$(PCP_SELINUX_MOCK)" "true"
06f99f
-PCP_MOCK_VAR_LIB="type mock_var_lib_t\;"
06f99f
-PCP_MOCK_VAR_LIB_RULE="allow pcp_pmcd_t mock_var_lib_t:dir getattr\;"
06f99f
+ifeq "$(PCP_SELINUX_FILES_MMAP_ALL_FILES)" "true"
06f99f
+PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_UNCONFINED)" "true"
06f99f
-PCP_UNCONFINED_SERVICE="type unconfined_service_t\;"
06f99f
-PCP_UNCONFINED_SERVICE_RULE="allow pcp_pmcd_t unconfined_service_t:sem { associate getattr }\;"
06f99f
+PCP_UNCONFINED_SERVICE="type unconfined_service_t;"
06f99f
+PCP_PMLOGGER_UNCONFINED_SERVICE_RULE="allow pcp_pmlogger_t unconfined_service_t:process signal;"
06f99f
+PCP_PMIE_UNCONFINED_SERVICE_RULE="allow pcp_pmie_t unconfined_service_t:process signal;"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_NUMAD)" "true"
06f99f
-PCP_NUMAD_CONTEXT="type numad_t\;"
06f99f
-PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read\;"
06f99f
+PCP_NUMAD_CONTEXT="type numad_t;"
06f99f
+PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read;"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_BPF_STATUS)" "true"
06f99f
-PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run }\;"
06f99f
-PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run }\;"
06f99f
-endif
06f99f
-
06f99f
-ifeq "$(PCP_SELINUX_WAP_PORT)" "true"
06f99f
-PCP_WAP_PORT_CONTEXT="type wap_wsp_port_t\;"
06f99f
-PCP_WAP_PORT_RULE="allow pcp_pmcd_t wap_wsp_port_t:tcp_socket name_connect\;"
06f99f
+PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run };"
06f99f
+PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run };"
06f99f
 endif
06f99f
 
06f99f
 ifeq "$(PCP_SELINUX_FILES_LIST_NON_AUTH_DIRS)" "true"
06f99f
@@ -103,3 +70,24 @@ PCP_SELINUX_MACRO_RULE="files_list_non_a
06f99f
 else
06f99f
 PCP_SELINUX_MACRO_RULE="files_list_non_security\(pcp_domain\)"
06f99f
 endif
06f99f
+
06f99f
+# need both type rpm_var_lib_t and permission map for this one
06f99f
+#
06f99f
+PCP_RPM_VAR_LIB_T=""
06f99f
+PCP_RPM_VAR_LIB_RULE=""
06f99f
+ifeq "$(PCP_SELINUX_RPM_VAR_LIB)" "true"
06f99f
+ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
06f99f
+PCP_RPM_VAR_LIB_T="type rpm_var_lib_t; \# pmdarpm"
06f99f
+PCP_RPM_VAR_LIB_RULE="allow pcp_pmcd_t rpm_var_lib_t:file map;"
06f99f
+endif
06f99f
+endif
06f99f
+
06f99f
+ifeq "$(PCP_SELINUX_VIRT_VAR_RUN)" "true"
06f99f
+PCP_VIRT_VAR_RUN_T="type virt_var_run_t; \# pmdalibvirt"
06f99f
+PCP_VIRT_VAR_RUN_RULE="allow pcp_pmcd_t virt_var_run_t:sock_file write;"
06f99f
+endif
06f99f
+
06f99f
+ifeq "$(PCP_SELINUX_CAP2_SYSLOG)" "true"
06f99f
+PCP_CAP2_SYSLOG_CLASS="class capability2 { syslog };"
06f99f
+PCP_CAP2_SYSLOG_RULE="allow pcp_pmcd_t self:capability2 syslog;"
06f99f
+endif
06f99f
diff -Naurp pcp-4.3.2.orig/src/selinux/GNUmakefile pcp-4.3.2/src/selinux/GNUmakefile
06f99f
--- pcp-4.3.2.orig/src/selinux/GNUmakefile	2019-03-07 08:26:45.000000000 +1100
97e5ec
+++ pcp-4.3.2/src/selinux/GNUmakefile	2020-04-01 15:30:14.404025851 +1100
06f99f
@@ -33,51 +33,43 @@ build-me: $(IAM).te selinux-setup.sh
06f99f
 
06f99f
 $(IAM).te: $(IAM).te.in
06f99f
 	$(SED) <$< >$@ \
06f99f
-		-e 's;@PCP_CONTAINER_RUNTIME_T@;'$(PCP_CONTAINER_RUNTIME_T)';' \
06f99f
-		-e 's;@PCP_CONTAINER_RUNTIME_RULE@;'$(PCP_CONTAINER_RUNTIME_RULE)';' \
06f99f
-		-e 's;@PCP_NSFS_T@;'$(PCP_NSFS_T)';' \
06f99f
-		-e 's;@PCP_NSFS_RULE@;'$(PCP_NSFS_RULE)';' \
06f99f
-		-e 's;@PCP_DOCKER_VAR_LIB_T@;'$(PCP_DOCKER_VAR_LIB_T)';' \
06f99f
-		-e 's;@PCP_DOCKER_VAR_LIB_RULE@;'$(PCP_DOCKER_VAR_LIB_RULE)';' \
06f99f
-		-e 's;@PCP_CLASS_STATUS@;'$(PCP_CLASS_STATUS)';' \
06f99f
-		-e 's;@PCP_PMLOGGER_SYSTEM_STATUS_RULE@;'$(PCP_PMLOGGER_SYSTEM_STATUS_RULE)';' \
06f99f
-		-e 's;@PCP_PMIE_SYSTEM_STATUS_RULE@;'$(PCP_PMIE_SYSTEM_STATUS_RULE)';' \
06f99f
-		-e 's;@PCP_SVIRT_LXC_NET_T@;'$(PCP_SVIRT_LXC_NET_T)';' \
06f99f
-		-e 's;@PCP_SVIRT_LXC_NET_RULE@;'$(PCP_SVIRT_LXC_NET_RULE)';' \
06f99f
-		-e 's;@PCP_SYSTEMCTL_UNIT_FILE_T@;'$(PCP_SYSTEMCTL_UNIT_FILE_T)';' \
06f99f
-		-e 's;@PCP_SYSTEMCTL_UNIT_FILE_RULE@;'$(PCP_SYSTEMCTL_UNIT_FILE_RULE)';' \
06f99f
-		-e 's;@PCP_SYSTEMCTL_UNIT_DIR_RULE@;'$(PCP_SYSTEMCTL_UNIT_DIR_RULE)';' \
06f99f
-		-e 's;@PCP_SYSTEMCTL_EXEC_T@;'$(PCP_SYSTEMCTL_EXEC_T)';' \
06f99f
-		-e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \
06f99f
-		-e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \
06f99f
-		-e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \
06f99f
-		-e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \
06f99f
-		-e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \
06f99f
-		-e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \
06f99f
-		-e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \
06f99f
-		-e 's;@PCP_TRACEFS@;'$(PCP_TRACEFS)';' \
06f99f
-		-e 's;@PCP_TRACEFS_FS_RULE@;'$(PCP_TRACEFS_FS_RULE)';' \
06f99f
-		-e 's;@PCP_TRACEFS_DIR_RULE@;'$(PCP_TRACEFS_DIR_RULE)';' \
06f99f
-		-e 's;@PCP_TRACEFS_FILE_RULE@;'$(PCP_TRACEFS_FILE_RULE)';' \
06f99f
-		-e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \
06f99f
-		-e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \
06f99f
-		-e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \
06f99f
-		-e 's;@PCP_TMP_T_MAP_RULE@;'$(PCP_TMP_T_MAP_RULE)';' \
06f99f
-		-e 's;@PCP_DEFAULT_T_MAP@;'$(PCP_DEFAULT_T_MAP)';' \
06f99f
-		-e 's;@PCP_LDCONFIG_EXEC_MAP_RULE@;'$(PCP_LDCONFIG_EXEC_MAP_RULE)';' \
06f99f
-		-e 's;@PCP_MOCK_VAR_LIB@;'$(PCP_MOCK_VAR_LIB)';' \
06f99f
-		-e 's;@PCP_MOCK_VAR_LIB_RULE@;'$(PCP_MOCK_VAR_LIB_RULE)';' \
06f99f
-		-e 's;@PCP_UNCONFINED_SERVICE@;'$(PCP_UNCONFINED_SERVICE)';' \
06f99f
-		-e 's;@PCP_UNCONFINED_SERVICE_RULE@;'$(PCP_UNCONFINED_SERVICE_RULE)';' \
06f99f
-		-e 's;@PCP_NUMAD_CONTEXT@;'$(PCP_NUMAD_CONTEXT)';' \
06f99f
-		-e 's;@PCP_NUMAD_RULE@;'$(PCP_NUMAD_RULE)';' \
06f99f
-		-e 's;@PCP_FSADM_EXEC_MAP_RULE@;'$(PCP_FSADM_EXEC_MAP_RULE)';' \
06f99f
-		-e 's;@PCP_BPF_STATUS_CLASS@;'$(PCP_BPF_STATUS_CLASS)';' \
06f99f
-		-e 's;@PCP_BPF_STATUS_RULE@;'$(PCP_BPF_STATUS_RULE)';' \
06f99f
-		-e 's;@PCP_WAP_PORT_CONTEXT@;'$(PCP_WAP_PORT_CONTEXT)';' \
06f99f
-		-e 's;@PCP_WAP_PORT_RULE@;'$(PCP_WAP_PORT_RULE)';' \
06f99f
-		-e 's;@PCP_SELINUX_MACRO_RULE@;'$(PCP_SELINUX_MACRO_RULE)';' \
06f99f
-		-e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \
06f99f
+		-e 's+@PCP_CONTAINER_RUNTIME_T@+'$(PCP_CONTAINER_RUNTIME_T)'+' \
06f99f
+		-e 's+@PCP_CONTAINER_RUNTIME_RULE@+'$(PCP_CONTAINER_RUNTIME_RULE)'+' \
06f99f
+		-e 's+@PCP_NSFS_T@+'$(PCP_NSFS_T)'+' \
06f99f
+		-e 's+@PCP_NSFS_RULE@+'$(PCP_NSFS_RULE)'+' \
06f99f
+		-e 's+@PCP_DOCKER_VAR_LIB_T@+'$(PCP_DOCKER_VAR_LIB_T)'+' \
06f99f
+		-e 's+@PCP_DOCKER_VAR_LIB_RULE@+'$(PCP_DOCKER_VAR_LIB_RULE)'+' \
06f99f
+		-e 's+@PCP_CAPUSERNS_PTRACE@+'$(PCP_CAPUSERNS_PTRACE)'+' \
06f99f
+		-e 's+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@+'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)'+' \
06f99f
+		-e 's+@PCP_UNRESERVED_PORT@+'$(PCP_UNRESERVED_PORT)'+' \
06f99f
+		-e 's+@PCP_UNRESERVED_PORT_RULE@+'$(PCP_UNRESERVED_PORT_RULE)'+' \
06f99f
+		-e 's+@PCP_UNRESERVED_PORT_RULE_PMMGR@+'$(PCP_UNRESERVED_PORT_RULE_PMMGR)'+' \
06f99f
+		-e 's+@PCP_TRACEFS@+'$(PCP_TRACEFS)'+' \
06f99f
+		-e 's+@PCP_TRACEFS_FS_RULE@+'$(PCP_TRACEFS_FS_RULE)'+' \
06f99f
+		-e 's+@PCP_TRACEFS_DIR_RULE@+'$(PCP_TRACEFS_DIR_RULE)'+' \
06f99f
+		-e 's+@PCP_TRACEFS_FILE_RULE@+'$(PCP_TRACEFS_FILE_RULE)'+' \
06f99f
+		-e 's+@PCP_HOSTNAME_EXEC_MAP@+'$(PCP_HOSTNAME_EXEC_MAP)'+' \
06f99f
+		-e 's+@PCP_TMP_MAP@+'$(PCP_TMP_MAP)'+' \
06f99f
+		-e 's+@PCP_DEFAULT_MAP_RULE@+'$(PCP_DEFAULT_MAP_RULE)'+' \
06f99f
+		-e 's+@PCP_LDCONFIG_EXEC_MAP_RULE@+'$(PCP_LDCONFIG_EXEC_MAP_RULE)'+' \
06f99f
+		-e 's+@PCP_UNCONFINED_SERVICE@+'$(PCP_UNCONFINED_SERVICE)'+' \
06f99f
+		-e 's+@PCP_UNCONFINED_SERVICE_RULE@+'$(PCP_UNCONFINED_SERVICE_RULE)'+' \
06f99f
+		-e 's+@PCP_PMIE_UNCONFINED_SERVICE_RULE@+'$(PCP_PMIE_UNCONFINED_SERVICE_RULE)'+' \
06f99f
+		-e 's+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@+'$(PCP_PMLOGGER_UNCONFINED_SERVICE_RULE)'+' \
06f99f
+		-e 's+@PCP_NUMAD_CONTEXT@+'$(PCP_NUMAD_CONTEXT)'+' \
06f99f
+		-e 's+@PCP_NUMAD_RULE@+'$(PCP_NUMAD_RULE)'+' \
06f99f
+		-e 's+@PCP_FSADM_EXEC_MAP@+'$(PCP_FSADM_EXEC_MAP)'+' \
06f99f
+		-e 's+@PCP_MMAP_ALL@+'$(PCP_MMAP_ALL)'+' \
06f99f
+		-e 's+@PCP_BPF_STATUS_CLASS@+'$(PCP_BPF_STATUS_CLASS)'+' \
06f99f
+		-e 's+@PCP_BPF_STATUS_RULE@+'$(PCP_BPF_STATUS_RULE)'+' \
06f99f
+		-e 's+@PCP_RPM_VAR_LIB_T@+'$(PCP_RPM_VAR_LIB_T)'+' \
06f99f
+		-e 's+@PCP_RPM_VAR_LIB_RULE@+'$(PCP_RPM_VAR_LIB_RULE)'+' \
06f99f
+		-e 's+@PCP_VIRT_VAR_RUN_T@+'$(PCP_VIRT_VAR_RUN_T)'+' \
06f99f
+		-e 's+@PCP_VIRT_VAR_RUN_RULE@+'$(PCP_VIRT_VAR_RUN_RULE)'+' \
06f99f
+		-e 's+@PCP_CAP2_SYSLOG_CLASS@+'$(PCP_CAP2_SYSLOG_CLASS)'+' \
06f99f
+		-e 's+@PCP_CAP2_SYSLOG_RULE@+'$(PCP_CAP2_SYSLOG_RULE)'+' \
06f99f
+		-e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
06f99f
+		-e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
06f99f
 
06f99f
 	# END
06f99f
 	make -f /usr/share/selinux/devel/Makefile
06f99f
diff -Naurp pcp-4.3.2.orig/src/selinux/pcpupstream.te.in pcp-4.3.2/src/selinux/pcpupstream.te.in
06f99f
--- pcp-4.3.2.orig/src/selinux/pcpupstream.te.in	2019-04-26 09:34:21.000000000 +1000
97e5ec
+++ pcp-4.3.2/src/selinux/pcpupstream.te.in	2020-04-01 15:30:37.069633323 +1100
97e5ec
@@ -9,6 +9,7 @@ require {
97e5ec
 	type tmp_t;
97e5ec
 	type init_t;
97e5ec
 	type default_t;
97e5ec
+	type gpmctl_t;
97e5ec
 	type pcp_pmlogger_t;
97e5ec
 	type pcp_pmlogger_exec_t;
97e5ec
 	type pcp_var_lib_t;
97e5ec
@@ -33,13 +34,15 @@ require {
97e5ec
         type sysctl_fs_t; #RHBZ1505888
97e5ec
         type sysfs_t; #RHBZ1545245
97e5ec
         type modules_object_t; # pcp.lio, pcp.bcc
97e5ec
+        type setfiles_exec_t;
97e5ec
         type mdadm_exec_t;
97e5ec
+        type ndc_exec_t;
97e5ec
         type proc_mdstat_t;
97e5ec
         @PCP_NUMAD_CONTEXT@
06f99f
         type glusterd_log_t;
06f99f
         type sysctl_irq_t; #pmda.bcc
06f99f
         type unconfined_t; #RHBZ1443632
06f99f
-        type unconfined_service_t;
06f99f
+        @PCP_UNCONFINED_SERVICE@
06f99f
         type configfs_t; #pcp.lio
06f99f
         type ldconfig_exec_t;
06f99f
         type sysctl_net_t;
97e5ec
@@ -49,19 +52,20 @@ require {
06f99f
 	type kmsg_device_t;
06f99f
         type proc_kcore_t;
06f99f
         type su_exec_t;
06f99f
+	@PCP_RPM_VAR_LIB_T@
06f99f
+	@PCP_VIRT_VAR_RUN_T@
06f99f
         class sem { unix_read associate getattr read };
06f99f
 	class lnk_file { read getattr };
06f99f
 	class file { append create execute execute_no_trans getattr setattr ioctl lock open read write unlink @PCP_HOSTNAME_EXEC_MAP@ };
06f99f
 	class dir { add_name open read search write getattr lock ioctl };
06f99f
 	class unix_stream_socket connectto;
06f99f
 	class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
06f99f
+	@PCP_CAP2_SYSLOG_CLASS@
06f99f
 	@PCP_CAPUSERNS_PTRACE@
06f99f
 	class chr_file { open write };
06f99f
 	class fifo_file { getattr read open unlink lock ioctl }; # qa/455
06f99f
 	class process { signull signal execmem setrlimit ptrace }; #RHBZ1443632
97e5ec
-	class sock_file write; #RHBZ1449671
06f99f
-	@PCP_SOCK_FILE_GETATTR@
06f99f
-	@PCP_CLASS_STATUS@
97e5ec
+	class sock_file { getattr write }; #RHBZ1449671, RHBZ1449671
06f99f
 	class tcp_socket { name_bind name_connect };
06f99f
 	class shm { unix_read associate getattr read };
06f99f
 	class filesystem mount;
97e5ec
@@ -98,49 +102,24 @@ allow init_t system_cronjob_t:dbus send_
06f99f
 
06f99f
 
06f99f
 #============= pcp_pmcd_t ==============
06f99f
-#type=AVC msg=audit(XXX.1): avc:  denied  { open read search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir permissive=0
06f99f
-#allow pcp_pmcd_t svirt_sandbox_file_t:dir { open read search };
06f99f
-
06f99f
-#@PCP_SVIRT_LXC_NET_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.2): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
06f99f
-#allow pcp_pmcd_t sysctl_net_t:dir search;
06f99f
-
06f99f
-#SYN AVC for testing
06f99f
-#type=AVC msg=audit(XXX.3): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
06f99f
-#allow pcp_pmcd_t sysctl_net_t:file { getattr open read };
06f99f
 
06f99f
 #SYN AVC for testing
06f99f
 #type=AVC msg=audit(XXX.4): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t user_home_t:file { execute execute_no_trans };
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.5): avc:  denied  { read search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t debugfs_t:dir { read search };
06f99f
-
06f99f
 #type=AVC msg=audit(XXX.6): avc:  denied  { append getattr ioctl open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.7): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
06f99f
-allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
06f99f
+#type=AVC msg=audit(XXX.68): avc:  denied  { map } for  pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
06f99f
+allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read @PCP_HOSTNAME_EXEC_MAP@ };
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.8): avc:  denied  { getattr open read unlink } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0
06f99f
 allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.9): avc:  denied  { getattr } for  pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
06f99f
-#allow pcp_pmcd_t initctl_t:fifo_file getattr;
06f99f
-
06f99f
 #type=AVC msg=audit(XXX.9): avc:  denied  { getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t proc_kcore_t:file getattr;
06f99f
 
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.10): avc:  denied  { sys_ptrace } for  pid=9375 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
06f99f
-#@PCP_CAPUSERNS_PTRACE_RULE@
06f99f
-
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.6): avc:  denied  { net_admin } for  pid=2335 comm="pmcd" capability=12  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
06f99f
-#type=AVC msg=audit(YYY.7): avc:  denied  { sys_ptrace } for  pid=15205 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
06f99f
-#type=AVC msg=audit(YYY.8): avc:  denied  { ipc_owner } for  pid=21341 comm="pmdalinux" capability=15  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
06f99f
-#allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource };
06f99f
 #type=AVC msg=audit(YYY.11): avc:  denied  { sys_chroot kill sys_resource } for  pid=25873 comm="pmdalinux" capability=18  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
06f99f
 #type=AVC msg=audit(YYY.87): avc:  denied  { chown } for  pid=8999 comm="pmdasimple" capability=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
06f99f
 allow pcp_pmcd_t self:capability { sys_chroot kill sys_resource ipc_lock chown };
97e5ec
@@ -149,10 +128,6 @@ allow pcp_pmcd_t self:capability { sys_c
06f99f
 #type=AVC msg=audit(YYY.12): avc:  denied  { read } for  pid=29112 comm="pmdalinux" dev="nsfs" ino=4026532454 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
06f99f
 @PCP_NSFS_RULE@
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.10): avc:  denied  { getattr read open } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=fifo_file permissive=0
06f99f
-# allow pcp_pmcd_t pcp_log_t:fifo_file { getattr read open }; # qa/455
06f99f
-
06f99f
-
06f99f
 #type=AVC msg=audit(YYY.13): avc:  denied  { name_bind } for  pid=7079 comm="pmdasimple" src=5650 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
06f99f
 #type=AVC msg=audit(YYY.14): avc:  denied  { name_connect } for  pid=29238 comm="pmcd" dest=5650 scontex =system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
06f99f
 @PCP_UNRESERVED_PORT_RULE@
97e5ec
@@ -160,19 +135,9 @@ allow pcp_pmcd_t self:capability { sys_c
06f99f
 #type=AVC msg=audit(YYY.15): avc:  denied  { name_connect } for  pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
06f99f
 allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.prometheus
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.16): avc:  denied  { unix_read } for  pid=14552 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
06f99f
-#type=AVC msg=audit(YYY.17): avc:  denied  { getattr associate } for  pid=8128 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t unconfined_t:shm { unix_read associate getattr };
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.18): avc:  denied  { read } for  pid=16668 comm="pmdalogger" name="458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
06f99f
-#type=AVC msg=audit(YYY.19): avc:  denied  { getattr } for  pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
06f99f
-#type=AVC msg=audit(YYY.20): avc:  denied  { open } for  pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
06f99f
-#allow pcp_pmcd_t user_tmp_t:fifo_file { read getattr open };
06f99f
-
06f99f
 #type=AVC msg=audit(YYY.21): avc:  denied  { execute } for  pid=8648 comm="sh" name="8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
06f99f
 #type=AVC msg=audit(YYY.22): avc:  denied  { execute_no_trans } for  pid=8648 comm="sh" path="/tmp/8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
06f99f
- allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans };
06f99f
-@PCP_TMP_T_MAP_RULE@
06f99f
+allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
06f99f
 
06f99f
 #type=AVC msg=audit(YYY.23): avc:  denied  { getattr } for  pid=8656 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
06f99f
 #type=AVC msg=audit(YYY.24): avc:  denied  { execute } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
97e5ec
@@ -187,87 +152,39 @@ allow pcp_pmcd_t hostname_exec_t:file {
06f99f
 #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
06f99f
 #type=AVC msg=audit(YYY.30): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
06f99f
 #type=AVC msg=audit(YYY.31): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
06f99f
-# @PCP_TRACEFS_DIR_RULE@
06f99f
+#type=AVC msg=audit(YYY.88): avc:  denied  { read } for  pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
06f99f
+@PCP_TRACEFS_DIR_RULE@
06f99f
 
06f99f
 #type=AVC msg=audit(YYY.32): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
06f99f
 #type=AVC msg=audit(YYY.33): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
06f99f
 @PCP_TRACEFS_FILE_RULE@
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.11): avc:  denied  { getattr open read search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t gconf_home_t:dir { getattr open read search };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.12): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t virt_etc_t:dir search;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.13): avc:  denied  { read open } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmcd_t virt_etc_t:file { read open };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.14): avc:  denied  { connectto } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virtd_t:s0 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
06f99f
-
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.15): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t haproxy_var_lib_t:dir search;
97e5ec
+#type=AVC msg=audit(YYY.37): avc:  denied  { getattr } for  pid=YYYY comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=19750 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
97e5ec
+allow pcp_pmcd_t gpmctl_t:sock_file getattr;
97e5ec
 
06f99f
 #type=AVC msg=audit(XXX.16): avc:  denied  { write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0
06f99f
 allow pcp_pmcd_t haproxy_var_lib_t:sock_file write;
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.17): avc:  denied  { connectto } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_t:s0 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto;
06f99f
-
06f99f
-
06f99f
 #type=AVC msg=audit(YYY.34): avc:  denied  { write } for  pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
06f99f
 #RHBZ1505888
06f99f
 allow pcp_pmcd_t sysctl_fs_t:file write;
06f99f
 
06f99f
-#RHBZ1515928
06f99f
-#RHBZ1449671
06f99f
-#type=AVC msg=audit(XXX.18): avc:  denied  { getattr open search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t nfsd_fs_t:dir { getattr open search };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.19): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmcd_t nfsd_fs_t:file { getattr open read };
06f99f
-
06f99f
-
06f99f
-#RHBZ1517656
06f99f
-# @PCP_SOCK_FILE_GETATTR_RULE@
06f99f
-
06f99f
-#RHBZ1517862
06f99f
-#type=AVC msg=audit(XXX.20): avc:  denied  { read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t postfix_spool_t:dir read;
06f99f
-
06f99f
-
06f99f
-# @PCP_UNCONFINED_SERVICE_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=NNN comm="pmdalinux" path="/var/lib/mock" dev="dm-1" ino=917749 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=dir permissive=1
06f99f
-# @PCP_MOCK_VAR_LIB_RULE@
06f99f
-
06f99f
 #type=AVC msg=audit(...): avc:  denied  { map } for  pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
06f99f
 @PCP_LDCONFIG_EXEC_MAP_RULE@
06f99f
 
06f99f
-#RHBZ1488116
06f99f
-#type=AVC msg=audit(XXX.21): avc:  denied  { unix_read associate getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t httpd_t:shm { unix_read associate getattr };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.22): avc:  denied  { unix_read associate getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=sem permissive=0
06f99f
-# allow pcp_pmcd_t httpd_t:sem { unix_read associate getattr };
06f99f
-
06f99f
-
06f99f
 #RHBZ1545245
06f99f
 #type=AVC msg=audit(XXX.23): avc:  denied  { write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
06f99f
 allow pcp_pmcd_t sysfs_t:dir write;
06f99f
 
06f99f
-
06f99f
 # pmda.bcc
06f99f
 #type=AVC msg=audit(XXX.24): avc:  denied  { read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=lnk_file permissive=0
06f99f
 allow pcp_pmcd_t modules_object_t:lnk_file read;
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.25): avc:  denied  { open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t hugetlbfs_t:dir { open read };
06f99f
-
06f99f
 #type=AVC msg=audit(XXX.26): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };
06f99f
 
97e5ec
+allow pcp_pmcd_t ndc_exec_t:file execute;
97e5ec
+
97e5ec
 #type=AVC msg=audit(XXX.27): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0
97e5ec
 allow pcp_pmcd_t proc_mdstat_t:file { getattr open read };
97e5ec
 
97e5ec
@@ -275,93 +192,29 @@ allow pcp_pmcd_t proc_mdstat_t:file { ge
06f99f
 #type=AVC msg=audit(YYY.36): avc:  denied  { unix_read } for  pid=1423 comm="pmdalinux" key=-559038737  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0
06f99f
 @PCP_NUMAD_RULE@
06f99f
 
06f99f
-
06f99f
 #type=AVC msg=audit(XXX.28): avc:  denied  { open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t glusterd_log_t:file { open read write };
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.29): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t glusterd_log_t:dir { search };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.30): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t glusterd_conf_t:dir { search };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.31): avc:  denied  { connectto } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_t:s0 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmcd_t glusterd_t:unix_stream_socket connectto;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.32): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t glusterd_var_lib_t:dir search;
06f99f
-
06f99f
-
06f99f
-#RHBZ1565158, RHBZ1619383
06f99f
-#type=AVC msg=audit(XXX.33): avc:  denied  { assocate getattr unix_read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mozilla_plugin_t:s0 tclass=sem permissive=0
06f99f
-# allow pcp_pmcd_t mozilla_plugin_t:sem { associate getattr unix_read };
06f99f
-
06f99f
-
06f99f
 #pmda.bcc
06f99f
 #type=AVC msg=audit(XXX.34): avc:  denied  { execmem setrlimit ptrace } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
06f99f
 allow pcp_pmcd_t self:process { execmem setrlimit ptrace };
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.37): avc:  denied  { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
06f99f
-#allow pcp_pmcd_t system_map_t:file { ioctl open read };
06f99f
-
06f99f
 #type=AVC msg=audit(XXX.35): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
06f99f
 allow pcp_pmcd_t sysctl_irq_t:dir { search };
06f99f
 
06f99f
-
06f99f
-#RHBZ1592901
06f99f
-#type=AVC msg=audit(XXX.36): avc:  denied  { unix_read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:init_t:s0 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t init_t:shm unix_read;
06f99f
-
06f99f
-
06f99f
-#RHBZ1594991
06f99f
-#type=AVC msg=audit(XXX.37): avc:  denied  { associate getattr unix_read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpsd_t:s0 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t gpsd_t:shm { associate getattr unix_read };
06f99f
-
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.38): avc:  denied  { getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmcd_t default_t:file getattr;
06f99f
-
06f99f
-
06f99f
-#RHBZ1622253
06f99f
-#type=AVC msg=audit(YYY.38): avc:  denied  { search } for  pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
06f99f
-#allow pcp_pmcd_t named_zone_t:dir search;
06f99f
-
06f99f
-#RHBZ1619381
06f99f
-#type=AVC msg=audit(YYY.39): avc:  denied  { unix_read } for  pid=1726 comm="pmdalinux" key=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=shm permissive=0
06f99f
-#allow pcp_pmcd_t xdm_t:shm unix_read;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.39): avc:  denied  { associate getattr unix_read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=sem permissive=0
06f99f
-# allow pcp_pmcd_t postgresql_t:sem { associate getattr unix_read };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.40): avc:  denied  { associate getattr unix_read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
06f99f
-
06f99f
-
06f99f
-#type=AVC msg=audit(...): avc:  denied  { connectto } for  pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
06f99f
-#allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
06f99f
-
06f99f
 #RHBZ1633211, RHBZ1693332
06f99f
 @PCP_BPF_STATUS_RULE@
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.41): avc:  denied  { signull } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=process permissive=0
06f99f
 allow pcp_pmcd_t kernel_t:process signull;
06f99f
 
06f99f
+# pmda-bcc needs the ability to read addresses in /proc/kallsyms
06f99f
+@PCP_CAP2_SYSLOG_RULE@
06f99f
+
06f99f
 #RHBZ1690542
06f99f
 #type=AVC msg=audit(XXX.67): avc:  denied  { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
06f99f
 allow pcp_pmcd_t kernel_t:system module_request;
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.42): avc:  denied  { associate getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xdm_t:s0 tclass=shm permissive=0
06f99f
-# allow pcp_pmcd_t xdm_t:shm { associate getattr };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.43): avc:  denied  { getattr search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t user_home_dir_t:dir { getattr search };
06f99f
-
06f99f
-#RHBZ1535522
06f99f
-#type=AVC msg=audit(YYY.40): avc:  denied  { search } for  pid=21371 comm="pmdalinux" name=".cache" dev="dm-0" ino=11796488 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
06f99f
-#allow pcp_pmcd_t cache_home_t:dir search;
06f99f
-
06f99f
-# @PCP_WAP_PORT_RULE@
06f99f
-
06f99f
 # type=AVC msg=audit(YYY.83): avc: denied { execute } for pid=19060 comm="zimbraprobe" name="su" dev="dm-0" ino=26416761 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
06f99f
 #pmdazimbra
06f99f
 allow pcp_pmcd_t su_exec_t:file { execute };
97e5ec
@@ -370,56 +223,21 @@ allow pcp_pmcd_t su_exec_t:file { execut
97e5ec
 #type=AVC msg=audit(XXX.44): avc:  denied  { open write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
97e5ec
 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
06f99f
 
97e5ec
-#type=AVC msg=audit(XXX.45): avc:  denied  { kill } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
97e5ec
-allow pcp_pmlogger_t self:capability kill;
97e5ec
-
06f99f
-# @PCP_PMLOGGER_SYSTEM_STATUS_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.41): avc:  denied  { write } for  pid=18266 comm="logger" name="log" dev="devtmpfs" ino=1413 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
06f99f
-# allow pcp_pmlogger_t devlog_t:sock_file write;
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.42): avc:  denied  { read } for  pid=26849 comm="logger" name="log" dev="devtmpfs" ino=1389 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
06f99f
-# allow pcp_pmlogger_t devlog_t:lnk_file read;
06f99f
-
06f99f
 # type=AVC msg=audit(YYY.43): avc:  denied  { sys_ptrace } for  pid=21962 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability
97e5ec
-# src/pmlogger/pmnewlog.sh
97e5ec
-allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid };
97e5ec
+#type=AVC msg=audit(XXX.45): avc:  denied  { kill } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
97e5ec
+allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill };
97e5ec
 
97e5ec
 ## type=AVC msg=audit(YYY.44) : avc:  denied  { signal } for  pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
06f99f
 allow pcp_pmlogger_t unconfined_t:process signal;
06f99f
 
06f99f
 ## type=AVC msg=audit(YYY.85): avc: denied { signal } for pid=31205 comm="pmsignal" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
06f99f
-allow pcp_pmlogger_t unconfined_service_t:process signal;
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.45): avc:  denied  { execute_no_trans } for  pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.46): avc:  denied  { name_connect } for  pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket
06f99f
-# allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.47): avc:  denied  { connectto } for  pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;
06f99f
-
06f99f
-#RHBZ1488116
06f99f
-#type=AVC msg=audit(YYY.48): avc:  denied  { search } for  pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
06f99f
-# allow pcp_pmlogger_t user_home_dir_t:dir search;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.46): avc:  denied  { read open } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmlogger_t user_home_t:file { read open };
06f99f
+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.68): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmlogger_t user_tmp_t:file { setattr unlink };
06f99f
 
06f99f
-#RHBZ1547066
06f99f
-#type=AVC msg=audit(XXX.47): avc:  denied  { sendto } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
06f99f
-# allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.48): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmlogger_t home_bin_t:dir search;
06f99f
-
06f99f
-#RHBZ1634205
06f99f
-#type=AVC msg=audit(YYY.49): avc:  denied  { search } for  pid=8613 comm="ps" name=".cache" dev="dm-0" ino=1277884 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmlogger_t cache_home_t: dir search;
97e5ec
+#type=AVC msg=audit(XXX.72): avc:  denied  { execute } for  pid=9634 comm="pmlogger_daily" name="setfiles" dev="dm-0" ino=34500334 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
97e5ec
+allow pcp_pmlogger_t setfiles_exec_t:file execute;
97e5ec
 
06f99f
 #============= pcp_pmie_t ==============
06f99f
 #type=AVC msg=audit(XXX.49): avc:  denied  { execute execute_no_trans getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
97e5ec
@@ -429,77 +247,27 @@ allow pcp_pmie_t hostname_exec_t:file {
06f99f
 #type=AVC msg=audit(YYY.50): avc:  denied  { sys_ptrace } for  pid=30881 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
06f99f
 allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.51) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
06f99f
-# allow pcp_pmie_t init_t:unix_stream_socket connectto;
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.52) : avc: denied { open } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.53) : avc: denied { read } for pid=8939 comm=runlevel name=utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.54) : avc: denied { lock } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
06f99f
-# allow pcp_pmie_t initrc_var_run_t:file { lock open read };
06f99f
-
06f99f
-# @PCP_PMIE_SYSTEM_STATUS_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.55) : avc: denied { getattr } for pid=8870 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
06f99f
-# @PCP_SYSTEMCTL_UNIT_FILE_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.56): avc:  denied  { search } for  pid=30181 comm="pmie" name="system" dev="dm-1" ino=1182241 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0
06f99f
-#@PCP_SYSTEMCTL_UNIT_DIR_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.57) : avc: denied { read } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.58) : avc: denied { execute } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.59) : avc: denied { getattr } for pid=7004 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.60) : avc: denied { execute_no_trans } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.61) : avc: denied { open } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
06f99f
-#type=AVC msg=audit(YYY.62): avc:  denied  { getattr } for  pid=13079 comm="which" path="/usr/bin/systemctl" dev="dm-1" ino=1078205 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
06f99f
-# @PCP_SYSTEMCTL_EXEC_RULE@
06f99f
-
06f99f
-#type=AVC msg=audit(YYY.63): avc:  denied  { connectto } for  pid=12589 comm="pmie" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmie_t unconfined_t:unix_stream_socket connectto;
06f99f
-
06f99f
-#audit: type=1400 audit(YYY.64): avc:  denied  { execute_no_trans } for  pid=3703 comm=pmie_check path=/usr/bin/pmie dev=dm-0 ino=2506240 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans;
06f99f
-
06f99f
 #RHBZ1517656
06f99f
 #type=AVC msg=audit(XXX.50): avc:  denied  { read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmie_t proc_net_t:file read;
06f99f
 
06f99f
-
06f99f
-#type=AVC msg=audit(...): avc:  denied  { open } for  pid=NNN comm="runlevel" path="/dev/kmsg" dev="devtmpfs" ino=1043 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
06f99f
-# allow pcp_pmie_t kmsg_device_t:chr_file open;
06f99f
-
06f99f
-#RHBZ1533080
06f99f
-#type=AVC msg=audit(XXX.51): avc:  denied  { signal } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
06f99f
-# allow pcp_pmie_t pcp_pmcd_t:process signal;
06f99f
-
06f99f
-
06f99f
-#RHBZ1547066
06f99f
-#type=AVC msg=audit(XXX.52): avc:  denied  { getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmie_t init_exec_t:file getattr;
06f99f
-
06f99f
 #RHBZ1635394
06f99f
 #type=AVC msg=audit(YYY.66): avc:  denied  { sys_ptrace } for  pid=15683 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=cap_userns permissive=0
06f99f
 @PCP_CAPUSERNS_PTRACE_RULE_PMIE@
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.53): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmie_t user_home_dir_t:dir search;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.54): avc:  denied  { read open } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmie_t user_home_t:file { read open };
06f99f
-
06f99f
-
06f99f
 #RHBZ1623988
06f99f
 #type=AVC msg=audit(YYY.65): avc:  denied  { signal } for  pid=3106 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
06f99f
 allow pcp_pmie_t unconfined_t:process signal;
06f99f
 
06f99f
 ## type=AVC msg=audit(YYY.86): avc: denied { signal } for pid=23951 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
06f99f
-allow pcp_pmie_t unconfined_service_t:process signal;
06f99f
+@PCP_PMIE_UNCONFINED_SERVICE_RULE@
06f99f
 
06f99f
 #============= pmda-lio ==============
06f99f
-#type=AVC msg=audit(XXX.55): avc:  denied  { open read search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
06f99f
-allow pcp_pmcd_t configfs_t:dir { open read search };
06f99f
+#type=AVC msg=audit(XXX.55): avc:  denied  { open read search write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
06f99f
+allow pcp_pmcd_t configfs_t:dir { open read search write };
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.56): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
06f99f
-allow pcp_pmcd_t configfs_t:file { getattr open read };
06f99f
+#type=AVC msg=audit(XXX.56): avc:  denied  { getattr ioctl open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
06f99f
+allow pcp_pmcd_t configfs_t:file { getattr ioctl open read };
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.57): avc:  denied  { getattr read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=lnk_file permissive=0
06f99f
 allow pcp_pmcd_t configfs_t:lnk_file { getattr read };
97e5ec
@@ -507,23 +275,6 @@ allow pcp_pmcd_t configfs_t:lnk_file { g
06f99f
 #type=AVC msg=audit(XXX.58): avc:  denied  { execute execute_no_trans getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmcd_t ldconfig_exec_t:file { execute execute_no_trans getattr open read };
06f99f
 
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.59): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t modules_conf_t:dir { getattr open read };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.60): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmcd_t modules_conf_t:file { getattr open read };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.61): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmcd_t modules_object_t:dir search;
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.62): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
06f99f
-# allow pcp_pmcd_t modules_object_t:file { getattr open read };
06f99f
-
06f99f
-#type=AVC msg=audit(XXX.63): avc:  denied  { connectto } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmcd_t saslauthd_t:unix_stream_socket connectto;
06f99f
-
06f99f
-
06f99f
 #============= pcp_pmproxy_t ==============
06f99f
 #type=AVC msg=audit(YYY.67) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
06f99f
 allow pcp_pmproxy_t self:capability { net_admin dac_override };
97e5ec
@@ -533,9 +284,6 @@ allow pcp_pmproxy_t self:capability { ne
06f99f
 #type=AVC msg=audit(YYY.70) : avc: denied { getattr } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
06f99f
 allow pcp_pmproxy_t sysctl_net_t:file { getattr open read };
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.71): avc:  denied  { search } for  pid=14446 comm="pmproxy" name="net" dev="proc" ino=1168 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
06f99f
-# allow pcp_pmproxy_t sysctl_net_t:dir search;
06f99f
-
06f99f
 #type=AVC msg=audit(YYY.72): avc:  denied  { read } for  pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
06f99f
 #RHBZ1517656
06f99f
 allow pcp_pmproxy_t proc_net_t:file read;
97e5ec
@@ -545,14 +293,11 @@ allow pcp_pmproxy_t proc_net_t:file read
06f99f
 #type=AVC msg=audit(YYY.73): avc:  denied  { name_bind } for  pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
06f99f
 @PCP_UNRESERVED_PORT_RULE_PMMGR@
06f99f
 
06f99f
-#type=AVC msg=audit(YYY.74): avc:  denied  { connectto } for  pid=16715 comm="pmmgr" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
06f99f
-# allow pcp_pmmgr_t unconfined_t:unix_stream_socket connectto;
06f99f
 #type=AVC msg=audit(XXX.64): avc:  denied  { execute execute_no_trans open read getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
06f99f
 allow pcp_pmmgr_t ldconfig_exec_t:file { execute execute_no_trans open read getattr };
06f99f
 
06f99f
-#type=AVC msg=audit(XXX.65): avc:  denied  { name_connect } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket permissive=0
06f99f
-# allow pcp_pmmgr_t zabbix_port_t:tcp_socket name_connect;
06f99f
-
06f99f
+#type=AVC msg=audit(XXX.69): avc:  denied  { dac_override } for  pid=3767 comm="pmmgr" capability=1  scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:system_r:pcp_pmmgr_t:s0 tclass=capability permissive=0
06f99f
+allow pcp_pmmgr_t self:capability dac_override;
06f99f
 
06f99f
 #============= pmda-smart ==============
06f99f
 
97e5ec
@@ -564,23 +309,25 @@ allow pcp_pmmgr_t ldconfig_exec_t:file {
06f99f
 #type=AVC msg=audit(YYY.80): avc:  denied  { map } for  pid=8678 comm="smartctl" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
06f99f
 #type=AVC msg=audit(YYY.81): avc:  denied  { sys_rawio } for  pid=8678 comm="smartctl" capability=17  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
06f99f
 
06f99f
-allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
06f99f
-@PCP_FSADM_EXEC_MAP_RULE@
06f99f
+allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read @PCP_FSADM_EXEC_MAP@ };
06f99f
  
06f99f
 #============= pmda-nvidia ==============
06f99f
 #type=AVC msg=audit(YYY.83): avc: denied { map } for pid=7034 comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
06f99f
 #type=AVC msg=audit(YYY.84): avc: denied { execute } for pid=19828 comm="pmdanvidia" path="//usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
06f99f
-@PCP_DEFAULT_T_MAP@
06f99f
+@PCP_DEFAULT_MAP_RULE@
06f99f
 
06f99f
 #type=AVC msg=audit(XXX.66): avc:  denied  { sys_rawio } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
06f99f
 allow pcp_pmcd_t self:capability sys_rawio;
06f99f
 
06f99f
+#============= pmda-rpm ==============
06f99f
+#type=AVC msg=audit(YYY.89): avc:  denied  { map } for  pid=4969 comm="pmdarpm" path="/var/lib/rpm/Name" dev="dm-0" ino=519186 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0
06f99f
+@PCP_RPM_VAR_LIB_RULE@
06f99f
+
06f99f
+#============= pmda-libvirt ==============
06f99f
+#type=AVC msg=audit(YYY.90): avc:  denied  { write } for  pid=30922 comm="python3" name="libvirt-sock-ro" dev="tmpfs" ino=25845 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0
06f99f
+@PCP_VIRT_VAR_RUN_RULE@
06f99f
 
06f99f
-#============= pmda-redis ==============
06f99f
-#type=AVC msg=audit(YYY.82): avc:  denied  { name_connect } for  pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
06f99f
-# allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;
06f99f
-
06f99f
-# allow pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
06f99f
+# permit pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
06f99f
 @PCP_SELINUX_MACRO_RULE@
06f99f
 files_read_all_files(pcp_pmcd_t)
06f99f
 files_read_all_files(pcp_pmie_t)
97e5ec
@@ -591,14 +338,17 @@ files_read_all_files(pcp_pmwebd_t)
06f99f
 
06f99f
 allow pcp_domain file_type:fifo_file read_fifo_file_perms;
06f99f
 
06f99f
-# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
06f99f
+# permit pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
06f99f
 allow pcp_domain domain:shm r_sem_perms;
06f99f
 allow pcp_domain domain:sem r_shm_perms;
06f99f
 allow pcp_domain userdomain:shm r_sem_perms;
06f99f
 allow pcp_domain userdomain:sem r_shm_perms;
06f99f
 
06f99f
-# allow pcp_domain stream connect to all domains
06f99f
+# permit pcp_domain stream connect to all domains
06f99f
 allow pcp_domain domain:unix_stream_socket connectto;
06f99f
 
06f99f
-# allow pcp_domain to connect to all ports.
06f99f
+# permit pcp_domain to connect to all ports.
06f99f
 corenet_tcp_connect_all_ports(pcp_domain)
06f99f
+
06f99f
+# all pcp_domain read access to all maps
06f99f
+@PCP_MMAP_ALL@
06f99f
diff -Naurp pcp-4.3.2.orig/src/selinux/README pcp-4.3.2/src/selinux/README
06f99f
--- pcp-4.3.2.orig/src/selinux/README	2019-04-09 10:48:01.000000000 +1000
97e5ec
+++ pcp-4.3.2/src/selinux/README	2020-04-01 15:30:14.404025851 +1100
06f99f
@@ -55,6 +55,22 @@ rather than the singular form
06f99f
 
06f99f
 as reported by audit2allow -m.
06f99f
 
06f99f
+Also, some of the "require" elements may be optional (not supported
06f99f
+on all versions of selinux), so watch out for things like
06f99f
+
06f99f
+    @PCP_TRACEFS@
06f99f
+
06f99f
+which becomes
06f99f
+
06f99f
+    type tracefs_t;
06f99f
+
06f99f
+or
06f99f
+
06f99f
+    <nothing>
06f99f
+
06f99f
+and the corresponding conditional rules, like @PCP_TRACEFS_FS_RULE@,
06f99f
+@PCP_TRACEFS_DIR_RULE@ and @PCP_TRACEFS_FILE_RULE@
06f99f
+
06f99f
 Now go further down src/selinux/pcpupstream.te.in and add the
06f99f
 "allow" clause from audit2allow -m, prefixed by the full text of
06f99f
 the matching AVC line from audit.log as a comment, so something like: