diff -Naurp pcp-5.3.1.orig/qa/1622 pcp-5.3.1/qa/1622
--- pcp-5.3.1.orig/qa/1622	2021-05-31 09:25:06.000000000 +1000
+++ pcp-5.3.1/qa/1622	2021-08-27 15:22:35.173591966 +1000
@@ -251,6 +251,8 @@ type=AVC msg=audit(XXX.94): avc:  denied
 type=AVC msg=audit(XXX.95): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
 type=AVC msg=audit(XXX.96): avc:  denied  { execute } for  pid=2205945 comm="sh" name="kmod" dev="dm-0" ino=9462231 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
 type=AVC msg=audit(XXX.97): avc:  denied  { execute_no_trans } for  pid=40596 comm="sh" path="/usr/bin/kmod" dev="dm-0" ino=9462231 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(XXX.98): avc: denied { getattr write } for pid=14272 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=95030 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
+type=AVC msg=audit(XXX.99): avc: denied { getattr write } for pid=75540 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=51062 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
 EOF
 
 echo "Silence is golden ... all AVC's are allowed by active policy"
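Review bot: The second added AVC (XXX.99) differs from XXX.98 only in the label on the same /run/podman/podman.sock path — system_u:object_r:var_run_t instead of container_var_run_t — and var_run_t is, as far as I know, the generic default label for anything under /run, so treating it as "allowed by active policy" means pcp_pmcd_t is expected to be able to write to any generically-labelled socket in /run, not just podman's. That looks like a socket that was never given a podman-specific file context rather than a permission pmcd genuinely needs, and the two different inodes suggest it was observed on two differently-configured hosts. If the case is kept as a regression check, a comment outside the heredoc (a `#` line inside it would become test input) should record that, e.g. `# XXX.99: podman.sock left as generic var_run_t when no container fcontext is applied; policy tolerates this label`, so nobody widens the rule further on the same basis. The heredoc this hunk sits in starts before the hunk.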
diff -Naurp pcp-5.3.1.orig/qa/917.out.in pcp-5.3.1/qa/917.out.in
--- pcp-5.3.1.orig/qa/917.out.in	2021-06-04 06:36:53.000000000 +1000
+++ pcp-5.3.1/qa/917.out.in	2021-08-27 15:22:35.175591931 +1000
@@ -23,6 +23,8 @@ Checking policies.
   allow [init_t] [system_cronjob_t] : [dbus] { send_msg };
   allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans };
   allow [pcp_pmcd_t] [user_tmp_t] : [sock_file] { getattr write };
+  allow [pcp_pmcd_t] [container_var_run_t] : [sock_file] { getattr write };
+  allow [pcp_pmcd_t] [var_run_t] : [sock_file] { getattr write };
   allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
 ! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
   allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
diff -Naurp pcp-5.3.1.orig/src/pmdas/podman/pmda.c pcp-5.3.1/src/pmdas/podman/pmda.c
--- pcp-5.3.1.orig/src/pmdas/podman/pmda.c	2021-05-13 14:42:26.000000000 +1000
+++ pcp-5.3.1/src/pmdas/podman/pmda.c	2021-08-27 15:22:35.175591931 +1000
@@ -19,7 +19,7 @@
 char *podman_rundir;
 pmdaIndom podman_indomtab[NUM_INDOMS];
 
-#define NUM_METRICS (NUM_CONTAINER_STATS + NUM_CONTAINER_INFO + NUM_POD_INFO)
+#define NUM_METRICS (sizeof(podman_metrictab)/sizeof(podman_metrictab[0]))
 static pmdaMetric podman_metrictab[] = {
 
     /* container stats cluster (0) */
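Review bot: The new NUM_METRICS expands to sizeof() on podman_metrictab, which is only declared on the following line, so the macro is usable solely after the table's definition and, unlike the old sum of enum counts, is no longer an expression the preprocessor or a pre-declaration array bound can use; a one-line comment should make that explicit, e.g. `/* derived from the table below; only valid after its definition (size_t, not int) */`. If NUM_CONTAINER_STATS, NUM_CONTAINER_INFO and NUM_POD_INFO are still used elsewhere to size per-cluster data, they can now drift silently from the table — presuming they are meant to agree, a compile-time check after the table such as `typedef char podman_metrictab_check[(NUM_METRICS == NUM_CONTAINER_STATS + NUM_CONTAINER_INFO + NUM_POD_INFO) ? 1 : -1];` would catch that. Note the result is size_t, so any `int i < NUM_METRICS` loop may now draw a sign-compare warning. The table itself continues beyond the hunk.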
diff -Naurp pcp-5.3.1.orig/src/selinux/pcpupstream.te.in pcp-5.3.1/src/selinux/pcpupstream.te.in
--- pcp-5.3.1.orig/src/selinux/pcpupstream.te.in	2021-06-04 06:36:39.000000000 +1000
+++ pcp-5.3.1/src/selinux/pcpupstream.te.in	2021-08-27 15:22:35.175591931 +1000
@@ -59,6 +59,8 @@ require {
         type proc_kcore_t;
 	@PCP_PROC_SECURITY_T@
         type su_exec_t;
+	type var_run_t;
+	type container_var_run_t;
 	type postgresql_var_run_t;
 	type fs_t;
 	@PCP_VIRT_VAR_RUN_T@
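Review bot: `type container_var_run_t;` is added to the require block unconditionally, but that type appears to come from the separate container-selinux policy module rather than the base policy, so on a host without that module the pcpupstream module will fail to load with an unsatisfied require. The neighbouring `@PCP_VIRT_VAR_RUN_T@` and `@PCP_PROC_SECURITY_T@` placeholders show this file already has a configure-time mechanism for optional types, and container_var_run_t should go through the same path (a `@PCP_CONTAINER_VAR_RUN_T@` substitution here, with the matching `allow` rule gated the same way). The two new lines are also tab-indented while the adjacent `type` lines use spaces. The require block starts before this hunk.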
@@ -131,6 +133,12 @@ allow pcp_pmcd_t user_home_t:file { exec
 #type=AVC msg=audit(XXX.90): avc: denied { getattr write } for pid=1514 comm="pmdapodman" path="/run/user/N/podman/podman.sock" dev="tmpfs" ino=228 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
 allow pcp_pmcd_t user_tmp_t:sock_file { getattr write };
 
+#type=AVC msg=audit(XXX.98): avc: denied { getattr write } for pid=14272 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=95030 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
+allow pcp_pmcd_t container_var_run_t:sock_file { getattr write };
+
+#type=AVC msg=audit(XXX.99): avc: denied { getattr write } for pid=75540 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=51062 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
+allow pcp_pmcd_t var_run_t:sock_file { getattr write };
+
 #type=AVC msg=audit(XXX.6): avc:  denied  { append getattr ioctl open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };