diff -Naurp pcp-4.3.2.orig/qa/917 pcp-4.3.2/qa/917
--- pcp-4.3.2.orig/qa/917 2018-11-27 10:46:07.000000000 +1100
+++ pcp-4.3.2/qa/917 2020-04-01 15:30:14.402025885 +1100
@@ -21,6 +21,7 @@ which seinfo >/dev/null 2>&1 || _notrun
( seinfo -t 2>&1 | grep 'Default policy search failed: No such file or directory' >/dev/null ) && _notrun "seinfo version bad: can't load default policy"
[ -f "$policy_file" ] || _notrun "upstream policy package not installed"
$sudo semodule -l 2>&1 | grep -q $policy_name || _notrun "upstream policy package not loaded"
+[ -f $PCP_INC_DIR/builddefs ] || _notrun "No $PCP_INC_DIR/builddefs"
seinfo --common >/dev/null 2>&1
if [ $? -eq 0 ]
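Review bot: The added builddefs check leaves `$PCP_INC_DIR` unquoted in both the test and the message, unlike the `"$policy_file"` test two lines above it; `[ -f "$PCP_INC_DIR/builddefs" ] || _notrun "No $PCP_INC_DIR/builddefs"` keeps the two pre-checks consistent and avoids word-splitting should the directory ever contain whitespace. The same variable is used unquoted again in the builddefs grep further down this file.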
@@ -29,30 +30,6 @@ then
else
common_flag=""
fi
-nsfs_t=`seinfo -t | grep 'nsfs_t$'`
-docker_var_lib_t=""
-svirt_lxc_net_t=`seinfo -t | grep "svirt_lxc_net_t$"`
-systemd_systemctl_exec_t=`seinfo -t | grep "systemd_systemctl_exec_t$"`
-systemd_systemctl_unit_file_t=`seinfo -t | grep "systemd_unit_file_t$"`
-systemd_systemctl_unit_dir_t=`seinfo -t | grep "systemd_unit_dir_t$"`
-devlog_t=`seinfo -t | grep "devlog_t$"`
-init_t=`seinfo -t | grep "init_t$"`
-cap_userns_ptrace=`seinfo --class=cap_userns $common_flag -x 2>&1 | grep "sys_ptrace$"`
-unreserved_port_t=`seinfo -t | grep "unreserved_port_t$"`
-tracefs_t=`seinfo -t | grep "tracefs_t$"`
-class_status=`seinfo -x --class=system $common_flag | grep "status$"`
-sock_file_getattr=`seinfo -x --class=sock_file $common_flag | grep "getattr$"`
-hostname_exec_map_a=`seinfo -x --class=file $common_flag | grep "map$"`
-hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"`
-#container_runtime_tmpfs_t=`seinfo -t | grep "container_runtime_tmpfs_t$"`
-container_runtime_tmpfs_t=""
-unconfined_service=`seinfo -t | grep "unconfined_service_t$"`
-mock_var_lib=`seinfo -t | grep "mock_var_lib_t$"`
-numad_context=`seinfo -t | grep "numad_t$"`
-bpf_class=`seinfo -x --class=bpf $common_flag 2>/dev/null | grep "class bpf"`
-wap_port_type=`seinfo -t | grep "wap_wsp_port_t$"`
-non_auth_type=`seinfo -a | grep "non_auth_file_type$"`
-non_security_type=`seinfo -a | grep "non_security_file_type$"`
_filter_semodule()
{
@@ -69,98 +46,132 @@ _filter_sedismod1()
}
_filter_outfile()
{
- awk -v container_t="$container_runtime_t" \
- -v container_tmpfs_t="$container_runtime_tmpfs_t" \
- -v nsfs_t="$nsfs_t" \
- -v docker_var_lib_t="$docker_var_lib_t" \
- -v svirt_lxc_net_t="$svirt_lxc_net_t" \
- -v class_status="$class_status" \
- -v systemd_systemctl_exec_t="$systemd_systemctl_exec_t" \
- -v systemd_systemctl_unit_file_t="$systemd_systemctl_unit_file_t" \
- -v systemd_systemctl_unit_dir_t="$systemd_systemctl_unit_dir_t" \
- -v devlog_t="$devlog_t" \
- -v init_t="$init_t" \
- -v cap_userns_ptrace="$cap_userns_ptrace" \
- -v unreserved_port_t="$unreserved_port_t" \
- -v tracefs_t="$tracefs_t" \
- -v sock_file_getattr="$sock_file_getattr" \
- -v hostname_exec_map_a="$hostname_exec_map_a" \
- -v hostname_exec_map_b="$hostname_exec_map_b" \
- -v unconfined_service="$unconfined_service" \
- -v mock_var_lib="$mock_var_lib" \
- -v numad_context="$numad_context" \
- -v bpf_class="$bpf_class" \
- -v wap_port_type="$wap_port_type" \
- -v non_auth_type="$non_auth_type" \
- -v non_security_type="$non_security_type" \
- '{
- if (container_t == "" && /container_runtime_t /)
- !/container_runtime_t / ;
- else if (container_tmpfs_t == "" && /container_runtime_tmpfs_t/)
- !/container_runtime_tmpfs_t/ ;
- else if (nsfs_t == "" && /nsfs_t/)
- !/nsfs_t/ ;
- else if (docker_var_lib_t == "" && /docker_var_lib_t/)
- !/docker_var_lib_t/ ;
- else if (svirt_lxc_net_t == "" && /svirt_lxc_net_t/)
- !/svirt_lxc_net_t/ ;
- else if (systemd_systemctl_exec_t == "" && /systemd_systemctl_exec_t/)
- !/systemd_systemctl_exec_t/ ;
- else if (systemd_systemctl_unit_file_t == "" && /systemd_unit_file_t/)
- !/systemd_unit_file_t/ ;
- else if (systemd_systemctl_unit_dir_t == "" && /systemd_unit_dir_t/)
- !/systemd_unit_dir_t/ ;
- else if (devlog_t == "" && /devlog_t/)
- !/devlog_t/ ;
- else if (init_t == "" && /init_t/)
- !/init_t/ ;
- else if (cap_userns_ptrace == "" && /cap_userns/)
- !/cap_userns/ ;
- else if (unreserved_port_t == "" && /unreserved_port_t/)
- !/unreserved_port_t/ ;
- else if (tracefs_t == "" && /tracefs_t/)
- !/tracefs_t/ ;
- else if (class_status == "" && /system.*status/)
- !/system.*status/ ;
- else if (sock_file_getattr == "" && /gpmctl_t/)
- !/gpmctl_t/ ;
- else if (unconfined_service == "" && /unconfined_service_t/)
- !/unconfined_service_t/ ;
- else if (mock_var_lib == "" && /mock_var_lib_t/)
- !/mock_var_lib_t/ ;
- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /ldconfig_exec_t/ && /map/)
- !/ldconfig_exec_t/ ;
- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_tmp_t/ && /map/)
- !/pcp_tmp_t/ ;
- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /fsadm_exec_t/ && /map/)
- !/fsadm_exec_t/ ;
- else if (numad_context == "" && /numda_t/)
- !/numad_t/ ;
- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) {
- printf(" allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n")
- }
- else if (bpf_class == "" && /bpf/)
- !/bpf/ ;
- else if (wap_port_type == "" && /wap_wsp_port_t/)
- !/wap_wsp_port_t/ ;
- else if (non_auth_type == "" && /non_auth_file_type/)
- !/non_auth_file_type/ ;
- else if (non_auth_type != "" && /non_security_file_type/)
- !/non_security_file_type/ ;
- else
- print;
- }'
+ sed -f $tmp.sed
}
status=1 # failure is the default!
$sudo rm -rf $tmp $tmp.* $seq.full
trap "cd $here; $sudo rm -rf $tmp $tmp.*; exit \$status" 0 1 2 3 15
-echo > $seq.full
-cat $seq.out.in | _filter_outfile > $seq.out
+# use logic from configure.ac to build list of optional types that are
+# not present on this system and need to be culled from $seq.out.in
+#
+seinfo -t >$tmp.types
+echo '/^#/d' >$tmp.sed
+echo '/^!/s// /' >>$tmp.sed
+for type in container_runtime_t nsfs_t docker_var_lib_t unreserved_port_t \
+ tracefs_t unconfined_service_t numad_t rpm_var_lib_t \
+ virt_var_run_t
+do
+ if grep "^[ ][ ]*$type\$" $tmp.types >/dev/null
+ then
+ :
+ else
+ echo "/^ *$type\$/d" >>$tmp.sed
+ # and some missing types => associated rules need to be culled or
+ # edited
+ #
+ case "$type"
+ in
+ nsfs_t)
+ echo '/allow \[pcp_pmcd_t] \[nsfs_t]/d' >>$tmp.sed
+ ;;
+ unreserved_port_t)
+ echo '/allow \[pcp_pmcd_t] \[unreserved_port_t]/d' >>$tmp.sed
+ echo '/allow \[pcp_pmmgr_t] \[unreserved_port_t]/d' >>$tmp.sed
+ ;;
+ tracefs_t)
+ echo '/allow \[pcp_pmcd_t] \[tracefs_t]/d' >>$tmp.sed
+ ;;
+ unconfined_service_t)
+ echo '/allow \[pcp_pmlogger_t] \[unconfined_service_t]/d' >>$tmp.sed
+ echo '/allow \[pcp_pmie_t] \[unconfined_service_t]/d' >>$tmp.sed
+ ;;
+ numad_t)
+ echo '/allow \[pcp_pmcd_t] \[numad_t]/d' >>$tmp.sed
+ ;;
+ rpm_var_lib_t)
+ echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t]/d' >>$tmp.sed
+ ;;
+ virt_var_run_t)
+ echo '/allow \[pcp_pmcd_t] \[virt_var_run_t]/d' >>$tmp.sed
+ ;;
+ esac
+ fi
+done
+
+# now the class ones ... also using logic from configure.ac
+#
+if seinfo -x --class=cap_userns $common_flag 2>&1 \
+ | grep '^[ ][ ]*sys_ptrace$' >/dev/null
+then
+ :
+else
+ echo '/allow \[pcp_pmie_t] .*\[cap_userns]/d' >>$tmp.sed
+fi
+
+if seinfo -x --class=file $common_flag 2>&1 \
+ | grep '^[ ][ ]*map$' >/dev/null
+then
+ :
+elif seinfo -x --common file 2>&1 \
+ | grep '^[ ][ ]*map$' >/dev/null
+then
+ :
+else
+ # if no map, need to cull these one as map is the only permission
+ #
+ echo '/allow \[pcp_pmcd_t] \[ldconfig_exec_t] : \[file].* map/d' >>$tmp.sed
+ echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t] : \[file].* map/d' >>$tmp.sed
+ echo '/allow \[pcp_pmcd_t] \[default_t] : \[file].* map/d' >>$tmp.sed
+ # strip "map" from permissions for others
+ #
+ echo '/\[pcp_pmie_exec_t] .*\[file]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmcd_t] .*\[file]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmie_t] .*\[hostname_exec_t]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmcd_t] \[fsadm_exec_t]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmcd_t] \[default_t]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmcd_t] \[pcp_pmie_exec_t]/s/ map / /' >>$tmp.sed
+ echo '/\[pcp_pmcd_t] \[pcp_tmp_t]/s/ map / /' >>$tmp.sed
+fi
+
+if seinfo -x --class=bpf $common_flag 2>&1 \
+ | grep '^[ ][ ]*class bpf$' >/dev/null
+then
+ :
+else
+ echo '/allow \[pcp_pmcd_t] .*\[bpf]/d' >>$tmp.sed
+fi
+
+if seinfo -x --class=capability2 $common_flag 2>&1 \
+ | grep '^[ ][ ]*syslog$' >/dev/null
+then
+ :
+else
+ echo '/allow \[pcp_pmcd_t\] .*\[capability2\]/d' >>$tmp.sed
+fi
+
+if seinfo -a 2>&1 \
+ | grep '^[ ][ ]*non_auth_file_type$' >/dev/null
+then
+ echo '/allow \[pcp_domain] \[non_security_file_type]/d' >>$tmp.sed
+else
+ echo '/allow \[pcp_domain] \[non_auth_file_type]/d' >>$tmp.sed
+fi
+
+if grep 'PCP_SELINUX_FILES_MMAP_ALL_FILES[ ]*=[ ]*true' $PCP_INC_DIR/builddefs >/dev/null 2>&1
+then
+ :
+else
+ echo '/allow \[pcp_domain] \[file_type] : \[file].* map/d' >>$tmp.sed
+fi
+
+cat $tmp.sed >>$seq.full
+
+cat $seq.out.in | _filter_outfile >$seq.out
echo "full policy modules list on the system"
-$sudo semodule -l >> $seq.full
+$sudo semodule -l >>$seq.full
echo "Checking that pcpupstream policy module has been properly installed"
awk '{ print $1 }' $seq.full | grep "pcpupstream$" | _filter_semodule
# real QA test starts here
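Review bot: The four `s/ map / /` edits written for `[fsadm_exec_t]`, `[default_t]`, `[pcp_pmie_exec_t]` and `[pcp_tmp_t]` are already covered by the `/\[pcp_pmcd_t] .*\[file]/s/ map / /` edit emitted just before them — every one of those targets is a `[pcp_pmcd_t] … : [file]` rule as far as the rules visible in 917.out.in go — so they can be dropped without changing what `$tmp.sed` does. The capability2 deletion a few lines below is the only pattern that escapes the closing bracket (`\[capability2\]`), which GNU sed tolerates but POSIX BRE leaves undefined; `'/allow \[pcp_pmcd_t] .*\[capability2]/d'` matches the other entries. The `case` inside the type loop has no arm for container_runtime_t or docker_var_lib_t although GNUlocaldefs still emits PCP_CONTAINER_RUNTIME_RULE and PCP_DOCKER_VAR_LIB_RULE; if 917.out.in carries `!` rule lines for those types in the parts not shown here, they will not be culled when the type is absent, so that is worth confirming.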
diff -Naurp pcp-4.3.2.orig/qa/917.out.in pcp-4.3.2/qa/917.out.in
--- pcp-4.3.2.orig/qa/917.out.in 2019-04-26 09:57:42.000000000 +1000
+++ pcp-4.3.2/qa/917.out.in 2020-04-01 15:30:37.069633323 +1100
@@ -3,6 +3,17 @@ full policy modules list on the system
Checking that pcpupstream policy module has been properly installed
pcpupstream
Checking policies.
+# Notes
+# - lines begining # are comments for PCP QA developers and will be
+# stripped when creating 917.out from this file
+# - lines beginning ! in the block below are places where the rules
+# are conditional, and the 917 script needs to mimic the configuration
+# changes that are driven from configure.ac (see the pcp_selinux_*
+# macro settings), and src/selinux/GNUlocaldefs (see the PCP_* macro
+# settings)
+# - otherwise lines in the block below come from
+# src/selinux/pcpupstream.te.in (after macro substitution)
+#
--- begin avrule block ---
decl 1:
allow [init_t] [pcp_log_t] : [dir] { read };
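Review bot: The new notes block misspells "begining" in `# - lines beginning # are comments for PCP QA developers and will be`, and it does not say what happens to the `!` marker itself: the 917 script replaces it with a space, so a marked rule line survives unless one of the generated sed deletions removes it. A sentence such as `# the leading ! is replaced by a space by 917; the rule is then kept or deleted depending on what seinfo reports` would make the convention self-contained for the next person editing this file.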
@@ -14,60 +25,65 @@ decl 1:
allow [init_t] [system_cronjob_t] : [dbus] { send_msg };
allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans };
allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
- allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
+! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource };
- allow [pcp_pmcd_t] [nsfs_t] : [file] { open read };
- allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
- allow [pcp_pmcd_t] [svirt_lxc_net_t] : [dir] { open read search };
+! allow [pcp_pmcd_t] [nsfs_t] : [file] { open read };
+! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
- allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans };
- allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { map };
+! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
- allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
- allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
+! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
+! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write };
allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write };
- allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map };
+! allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map };
allow [pcp_pmcd_t] [sysfs_t] : [dir] { write };
allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read };
allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read };
+ allow [pcp_pmcd_t] [ndc_exec_t] : [file] { execute };
allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read };
- allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read };
+! allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read };
allow [pcp_pmcd_t] [glusterd_log_t] : [file] { open read write };
allow [pcp_pmcd_t] self : [process] { execmem setrlimit ptrace };
allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search };
- allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run };
+! allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run };
allow [pcp_pmcd_t] [kernel_t] : [process] { signull };
+! allow [pcp_pmcd_t] self : [capability2] { syslog };
allow [pcp_pmcd_t] [kernel_t] : [system] { module_request };
allow [pcp_pmcd_t] [su_exec_t] : [file] { execute };
allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
- allow [pcp_pmlogger_t] self : [capability] { kill };
- allow [pcp_pmlogger_t] self : [capability] { sys_ptrace fowner fsetid };
+ allow [pcp_pmlogger_t] self : [capability] { kill sys_ptrace fowner fsetid };
allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal };
allow [pcp_pmlogger_t] [unconfined_service_t] : [process] { signal };
allow [pcp_pmlogger_t] [user_tmp_t] : [file] { setattr unlink };
- allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
+ allow [pcp_pmlogger_t] [setfiles_exec_t] : [file] { execute };
+! allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner };
allow [pcp_pmie_t] [proc_net_t] : [file] { read };
- allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace };
+! allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace };
allow [pcp_pmie_t] [unconfined_t] : [process] { signal };
allow [pcp_pmie_t] [unconfined_service_t] : [process] { signal };
- allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
- allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
+ allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search write };
+ allow [pcp_pmcd_t] [configfs_t] : [file] { getattr ioctl open read };
allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read };
allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin };
allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
- allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind };
+! allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind };
allow [pcp_pmmgr_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read };
- allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read };
- allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map };
- allow [pcp_pmcd_t] [default_t] : [file] { execute map };
+ allow [pcp_pmmgr_t] self : [capability] { dac_override };
+! allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read map };
+! allow [pcp_pmcd_t] [default_t] : [file] { execute map };
allow [pcp_pmcd_t] self : [capability] { sys_rawio };
- allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl };
+! allow [pcp_pmcd_t] [rpm_var_lib_t] : [file] { map };
+! allow [pcp_pmcd_t] [virt_var_run_t] : [sock_file] { write };
+! allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl };
+! allow [pcp_domain] [non_security_file_type] : [dir] { open search getattr };
+! allow [pcp_domain] [non_security_file_type] : [dir] { open read search getattr lock ioctl };
allow [pcp_pmcd_t] [file_type] : [dir] { open read search getattr lock ioctl };
allow [pcp_pmcd_t] [file_type] : [dir] { open search getattr };
allow [pcp_pmcd_t] [file_type] : [file] { getattr ioctl lock open read };
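Review bot: The unchanged `allow [pcp_pmlogger_t] [unconfined_service_t] : [process] { signal };` and `allow [pcp_pmie_t] [unconfined_service_t] : [process] { signal };` lines carry no `!` marker, yet GNUlocaldefs now emits them only when PCP_SELINUX_UNCONFINED is true and the 917 script culls them when unconfined_service_t is absent; by the convention the new notes block introduces, both should start with `!`. Separately, this hunk widens what the policy grants — `write` on configfs_t directories, `execute` on ndc_exec_t and setfiles_exec_t, and `dac_override` for pcp_pmmgr_t — and the corresponding pcpupstream.te.in additions are not among this patch's visible hunks; a `#RHBZ…` or AVC comment beside each of them there, as the surrounding rules carry, would record why each was needed.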
@@ -93,6 +109,7 @@ decl 1:
allow [pcp_domain] [userdomain] : [sem] { unix_read associate getattr read };
allow [pcp_domain] [domain] : [unix_stream_socket] { connectto };
allow [pcp_domain] [port_type] : [tcp_socket] { name_connect };
+! allow [pcp_domain] [file_type] : [file] { map };
--- begin avrule block ---
decl 2:
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
diff -Naurp pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python
--- pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python 2018-09-18 16:41:15.000000000 +1000
+++ pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python 2020-04-01 15:30:14.403025868 +1100
@@ -323,6 +323,11 @@ class PCPBCCBase(object):
else:
return "0.5.0"
+ @staticmethod
+ def bcc_version_tuple():
+ """ Returns BCC version as an int tuple (for comparisons) """
+ return tuple(map(int, PCPBCCBase.bcc_version().split('.')))
+
def perf_buffer_poller(self):
""" BPF poller """
try:
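Review bot: `bcc_version_tuple` raises ValueError if any dotted component of the version string is not an integer; the fallback branch at the top of the hunk returns "0.5.0", but the other branch of bcc_version() lies outside the hunk, so whether a packaged bcc can report something with a pre-release or distro suffix is not visible here. If that is possible, parsing only the numeric components, e.g. `parts = PCPBCCBase.bcc_version().split('.')` / `return tuple(int(p) for p in parts if p.isdigit())`, keeps version comparisons working instead of raising. The docstring could also show the shape callers get, e.g. `""" Returns BCC version as an int tuple, e.g. (0, 5, 0), for comparisons """`.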
@@ -365,7 +370,10 @@ class PCPBCCBase(object):
Compat: bcc < 0.6.0
source: https://github.com/iovisor/bcc/blame/master/src/python/bcc/__init__.py
"""
- return self.get_syscall_prefix() + name
+ if hasattr(self.bpf, 'get_syscall_fnname'):
+ return self.bpf.get_syscall_fnname(name)
+ else:
+ return self.get_syscall_prefix() + name
def get_kprobe_functions(self, event_re):
"""
diff -Naurp pcp-4.3.2.orig/src/selinux/GNUlocaldefs pcp-4.3.2/src/selinux/GNUlocaldefs
--- pcp-4.3.2.orig/src/selinux/GNUlocaldefs 2019-04-16 11:43:42.000000000 +1000
+++ pcp-4.3.2/src/selinux/GNUlocaldefs 2020-04-01 15:30:14.403025868 +1100
@@ -1,101 +1,68 @@
ifeq "$(PCP_SELINUX_CONTAINER_RUNTIME)" "true"
-PCP_CONTAINER_RUNTIME_T="type container_runtime_t\;"
-PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto\;"
+PCP_CONTAINER_RUNTIME_T="type container_runtime_t;"
+PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto;"
else
PCP_CONTAINER_RUNTIME_RULE=""
PCP_CONTAINER_RUNTIME_T=""
endif
ifeq "$(PCP_SELINUX_NSFS)" "true"
-PCP_NSFS_T="type nsfs_t\; \# filesys.used"
-PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open }\;"
+PCP_NSFS_T="type nsfs_t; \# filesys.used"
+PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open };"
endif
ifeq "$(PCP_SELINUX_DOCKER_VAR_LIB)" "true"
-PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t\;"
-PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search\;"
+PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t;"
+PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search;"
else
PCP_DOCKER_VAR_LIB_T=""
PCP_DOCKER_VAR_LIB_RULE=""
endif
-ifeq "$(PCP_SELINUX_SVIRT_LXC_NET)" "true"
-PCP_SVIRT_LXC_NET_T="type svirt_lxc_net_t\;"
-PCP_SVIRT_LXC_NET_RULE="allow pcp_pmcd_t svirt_lxc_net_t:dir { open read search }\;"
-endif
-
-ifeq "$(PCP_SELINUX_CLASS_STATUS)" "true"
-PCP_CLASS_STATUS="class system status\;"
-PCP_PMLOGGER_SYSTEM_STATUS_RULE="allow pcp_pmlogger_t init_t:system status\;"
-PCP_PMIE_SYSTEM_STATUS_RULE="allow pcp_pmie_t init_t:system status\;"
-endif
-
-ifeq "$(PCP_SELINUX_SYSTEMD_UNIT_FILE)" "true"
-PCP_SYSTEMCTL_UNIT_FILE_T="type systemd_unit_file_t\;"
-PCP_SYSTEMCTL_UNIT_FILE_RULE="allow pcp_pmie_t systemd_unit_file_t:file getattr\;"
-PCP_SYSTEMCTL_UNIT_DIR_RULE="allow pcp_pmie_t systemd_unit_file_t:dir search\;"
-endif
-
-ifeq "$(PCP_SELINUX_SYSTEMD_EXEC)" "true"
-PCP_SYSTEMCTL_EXEC_T="type systemd_systemctl_exec_t\;"
-PCP_SYSTEMCTL_EXEC_RULE="allow pcp_pmie_t systemd_systemctl_exec_t:file { execute execute_no_trans open read getattr }\;"
-endif
-
ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true"
-PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc"
-PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;"
-PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;"
+PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace; \# pmdaproc"
+PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace;"
endif
ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true"
-PCP_UNRESERVED_PORT="type unreserved_port_t\;"
-PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect }\;"
-PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind\;"
+PCP_UNRESERVED_PORT="type unreserved_port_t;"
+PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };"
+PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;"
endif
ifeq "$(PCP_SELINUX_TRACEFS)" "true"
-PCP_TRACEFS="type tracefs_t\;"
-PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;"
-PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;"
-PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;"
-endif
-
-ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true"
-PCP_SOCK_FILE_GETATTR="class sock_file getattr\;"
-PCP_SOCK_FILE_GETATTR_RULE="allow pcp_pmcd_t gpmctl_t:sock_file getattr\;"
+PCP_TRACEFS="type tracefs_t;"
+PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount;"
+PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open };"
+PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write };"
endif
ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
-PCP_HOSTNAME_EXEC_MAP=" map "
-PCP_TMP_T_MAP_RULE="allow pcp_pmcd_t pcp_tmp_t:file map\;"
-PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;"
-PCP_FSADM_EXEC_MAP_RULE="allow pcp_pmcd_t fsadm_exec_t:file map\;"
-PCP_DEFAULT_T_MAP="allow pcp_pmcd_t default_t:file { map execute }\;"
+PCP_HOSTNAME_EXEC_MAP="map"
+PCP_TMP_MAP="map"
+PCP_FSADM_EXEC_MAP="map"
+PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map;"
+PCP_DEFAULT_MAP_RULE="allow pcp_pmcd_t default_t:file { map execute };"
endif
-ifeq "$(PCP_SELINUX_MOCK)" "true"
-PCP_MOCK_VAR_LIB="type mock_var_lib_t\;"
-PCP_MOCK_VAR_LIB_RULE="allow pcp_pmcd_t mock_var_lib_t:dir getattr\;"
+ifeq "$(PCP_SELINUX_FILES_MMAP_ALL_FILES)" "true"
+PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);"
endif
ifeq "$(PCP_SELINUX_UNCONFINED)" "true"
-PCP_UNCONFINED_SERVICE="type unconfined_service_t\;"
-PCP_UNCONFINED_SERVICE_RULE="allow pcp_pmcd_t unconfined_service_t:sem { associate getattr }\;"
+PCP_UNCONFINED_SERVICE="type unconfined_service_t;"
+PCP_PMLOGGER_UNCONFINED_SERVICE_RULE="allow pcp_pmlogger_t unconfined_service_t:process signal;"
+PCP_PMIE_UNCONFINED_SERVICE_RULE="allow pcp_pmie_t unconfined_service_t:process signal;"
endif
ifeq "$(PCP_SELINUX_NUMAD)" "true"
-PCP_NUMAD_CONTEXT="type numad_t\;"
-PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read\;"
+PCP_NUMAD_CONTEXT="type numad_t;"
+PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read;"
endif
ifeq "$(PCP_SELINUX_BPF_STATUS)" "true"
-PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run }\;"
-PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run }\;"
-endif
-
-ifeq "$(PCP_SELINUX_WAP_PORT)" "true"
-PCP_WAP_PORT_CONTEXT="type wap_wsp_port_t\;"
-PCP_WAP_PORT_RULE="allow pcp_pmcd_t wap_wsp_port_t:tcp_socket name_connect\;"
+PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run };"
+PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run };"
endif
ifeq "$(PCP_SELINUX_FILES_LIST_NON_AUTH_DIRS)" "true"
@@ -103,3 +70,24 @@ PCP_SELINUX_MACRO_RULE="files_list_non_a
else
PCP_SELINUX_MACRO_RULE="files_list_non_security\(pcp_domain\)"
endif
+
+# need both type rpm_var_lib_t and permission map for this one
+#
+PCP_RPM_VAR_LIB_T=""
+PCP_RPM_VAR_LIB_RULE=""
+ifeq "$(PCP_SELINUX_RPM_VAR_LIB)" "true"
+ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
+PCP_RPM_VAR_LIB_T="type rpm_var_lib_t; \# pmdarpm"
+PCP_RPM_VAR_LIB_RULE="allow pcp_pmcd_t rpm_var_lib_t:file map;"
+endif
+endif
+
+ifeq "$(PCP_SELINUX_VIRT_VAR_RUN)" "true"
+PCP_VIRT_VAR_RUN_T="type virt_var_run_t; \# pmdalibvirt"
+PCP_VIRT_VAR_RUN_RULE="allow pcp_pmcd_t virt_var_run_t:sock_file write;"
+endif
+
+ifeq "$(PCP_SELINUX_CAP2_SYSLOG)" "true"
+PCP_CAP2_SYSLOG_CLASS="class capability2 { syslog };"
+PCP_CAP2_SYSLOG_RULE="allow pcp_pmcd_t self:capability2 syslog;"
+endif
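Review bot: PCP_VIRT_VAR_RUN_T/PCP_VIRT_VAR_RUN_RULE and PCP_CAP2_SYSLOG_CLASS/PCP_CAP2_SYSLOG_RULE are only assigned inside their `ifeq` and otherwise rely on make expanding an undefined variable to nothing, whereas the rpm_var_lib block just above deliberately initialises both of its variables to `""` first. Using the explicit form for all three blocks keeps the file uniform and keeps the substitution quiet under `make --warn-undefined-variables`.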
diff -Naurp pcp-4.3.2.orig/src/selinux/GNUmakefile pcp-4.3.2/src/selinux/GNUmakefile
--- pcp-4.3.2.orig/src/selinux/GNUmakefile 2019-03-07 08:26:45.000000000 +1100
+++ pcp-4.3.2/src/selinux/GNUmakefile 2020-04-01 15:30:14.404025851 +1100
@@ -33,51 +33,43 @@ build-me: $(IAM).te selinux-setup.sh
$(IAM).te: $(IAM).te.in
$(SED) <$< >$@ \
- -e 's;@PCP_CONTAINER_RUNTIME_T@;'$(PCP_CONTAINER_RUNTIME_T)';' \
- -e 's;@PCP_CONTAINER_RUNTIME_RULE@;'$(PCP_CONTAINER_RUNTIME_RULE)';' \
- -e 's;@PCP_NSFS_T@;'$(PCP_NSFS_T)';' \
- -e 's;@PCP_NSFS_RULE@;'$(PCP_NSFS_RULE)';' \
- -e 's;@PCP_DOCKER_VAR_LIB_T@;'$(PCP_DOCKER_VAR_LIB_T)';' \
- -e 's;@PCP_DOCKER_VAR_LIB_RULE@;'$(PCP_DOCKER_VAR_LIB_RULE)';' \
- -e 's;@PCP_CLASS_STATUS@;'$(PCP_CLASS_STATUS)';' \
- -e 's;@PCP_PMLOGGER_SYSTEM_STATUS_RULE@;'$(PCP_PMLOGGER_SYSTEM_STATUS_RULE)';' \
- -e 's;@PCP_PMIE_SYSTEM_STATUS_RULE@;'$(PCP_PMIE_SYSTEM_STATUS_RULE)';' \
- -e 's;@PCP_SVIRT_LXC_NET_T@;'$(PCP_SVIRT_LXC_NET_T)';' \
- -e 's;@PCP_SVIRT_LXC_NET_RULE@;'$(PCP_SVIRT_LXC_NET_RULE)';' \
- -e 's;@PCP_SYSTEMCTL_UNIT_FILE_T@;'$(PCP_SYSTEMCTL_UNIT_FILE_T)';' \
- -e 's;@PCP_SYSTEMCTL_UNIT_FILE_RULE@;'$(PCP_SYSTEMCTL_UNIT_FILE_RULE)';' \
- -e 's;@PCP_SYSTEMCTL_UNIT_DIR_RULE@;'$(PCP_SYSTEMCTL_UNIT_DIR_RULE)';' \
- -e 's;@PCP_SYSTEMCTL_EXEC_T@;'$(PCP_SYSTEMCTL_EXEC_T)';' \
- -e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \
- -e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \
- -e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \
- -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \
- -e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \
- -e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \
- -e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \
- -e 's;@PCP_TRACEFS@;'$(PCP_TRACEFS)';' \
- -e 's;@PCP_TRACEFS_FS_RULE@;'$(PCP_TRACEFS_FS_RULE)';' \
- -e 's;@PCP_TRACEFS_DIR_RULE@;'$(PCP_TRACEFS_DIR_RULE)';' \
- -e 's;@PCP_TRACEFS_FILE_RULE@;'$(PCP_TRACEFS_FILE_RULE)';' \
- -e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \
- -e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \
- -e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \
- -e 's;@PCP_TMP_T_MAP_RULE@;'$(PCP_TMP_T_MAP_RULE)';' \
- -e 's;@PCP_DEFAULT_T_MAP@;'$(PCP_DEFAULT_T_MAP)';' \
- -e 's;@PCP_LDCONFIG_EXEC_MAP_RULE@;'$(PCP_LDCONFIG_EXEC_MAP_RULE)';' \
- -e 's;@PCP_MOCK_VAR_LIB@;'$(PCP_MOCK_VAR_LIB)';' \
- -e 's;@PCP_MOCK_VAR_LIB_RULE@;'$(PCP_MOCK_VAR_LIB_RULE)';' \
- -e 's;@PCP_UNCONFINED_SERVICE@;'$(PCP_UNCONFINED_SERVICE)';' \
- -e 's;@PCP_UNCONFINED_SERVICE_RULE@;'$(PCP_UNCONFINED_SERVICE_RULE)';' \
- -e 's;@PCP_NUMAD_CONTEXT@;'$(PCP_NUMAD_CONTEXT)';' \
- -e 's;@PCP_NUMAD_RULE@;'$(PCP_NUMAD_RULE)';' \
- -e 's;@PCP_FSADM_EXEC_MAP_RULE@;'$(PCP_FSADM_EXEC_MAP_RULE)';' \
- -e 's;@PCP_BPF_STATUS_CLASS@;'$(PCP_BPF_STATUS_CLASS)';' \
- -e 's;@PCP_BPF_STATUS_RULE@;'$(PCP_BPF_STATUS_RULE)';' \
- -e 's;@PCP_WAP_PORT_CONTEXT@;'$(PCP_WAP_PORT_CONTEXT)';' \
- -e 's;@PCP_WAP_PORT_RULE@;'$(PCP_WAP_PORT_RULE)';' \
- -e 's;@PCP_SELINUX_MACRO_RULE@;'$(PCP_SELINUX_MACRO_RULE)';' \
- -e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \
+ -e 's+@PCP_CONTAINER_RUNTIME_T@+'$(PCP_CONTAINER_RUNTIME_T)'+' \
+ -e 's+@PCP_CONTAINER_RUNTIME_RULE@+'$(PCP_CONTAINER_RUNTIME_RULE)'+' \
+ -e 's+@PCP_NSFS_T@+'$(PCP_NSFS_T)'+' \
+ -e 's+@PCP_NSFS_RULE@+'$(PCP_NSFS_RULE)'+' \
+ -e 's+@PCP_DOCKER_VAR_LIB_T@+'$(PCP_DOCKER_VAR_LIB_T)'+' \
+ -e 's+@PCP_DOCKER_VAR_LIB_RULE@+'$(PCP_DOCKER_VAR_LIB_RULE)'+' \
+ -e 's+@PCP_CAPUSERNS_PTRACE@+'$(PCP_CAPUSERNS_PTRACE)'+' \
+ -e 's+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@+'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)'+' \
+ -e 's+@PCP_UNRESERVED_PORT@+'$(PCP_UNRESERVED_PORT)'+' \
+ -e 's+@PCP_UNRESERVED_PORT_RULE@+'$(PCP_UNRESERVED_PORT_RULE)'+' \
+ -e 's+@PCP_UNRESERVED_PORT_RULE_PMMGR@+'$(PCP_UNRESERVED_PORT_RULE_PMMGR)'+' \
+ -e 's+@PCP_TRACEFS@+'$(PCP_TRACEFS)'+' \
+ -e 's+@PCP_TRACEFS_FS_RULE@+'$(PCP_TRACEFS_FS_RULE)'+' \
+ -e 's+@PCP_TRACEFS_DIR_RULE@+'$(PCP_TRACEFS_DIR_RULE)'+' \
+ -e 's+@PCP_TRACEFS_FILE_RULE@+'$(PCP_TRACEFS_FILE_RULE)'+' \
+ -e 's+@PCP_HOSTNAME_EXEC_MAP@+'$(PCP_HOSTNAME_EXEC_MAP)'+' \
+ -e 's+@PCP_TMP_MAP@+'$(PCP_TMP_MAP)'+' \
+ -e 's+@PCP_DEFAULT_MAP_RULE@+'$(PCP_DEFAULT_MAP_RULE)'+' \
+ -e 's+@PCP_LDCONFIG_EXEC_MAP_RULE@+'$(PCP_LDCONFIG_EXEC_MAP_RULE)'+' \
+ -e 's+@PCP_UNCONFINED_SERVICE@+'$(PCP_UNCONFINED_SERVICE)'+' \
+ -e 's+@PCP_UNCONFINED_SERVICE_RULE@+'$(PCP_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_PMIE_UNCONFINED_SERVICE_RULE@+'$(PCP_PMIE_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@+'$(PCP_PMLOGGER_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_NUMAD_CONTEXT@+'$(PCP_NUMAD_CONTEXT)'+' \
+ -e 's+@PCP_NUMAD_RULE@+'$(PCP_NUMAD_RULE)'+' \
+ -e 's+@PCP_FSADM_EXEC_MAP@+'$(PCP_FSADM_EXEC_MAP)'+' \
+ -e 's+@PCP_MMAP_ALL@+'$(PCP_MMAP_ALL)'+' \
+ -e 's+@PCP_BPF_STATUS_CLASS@+'$(PCP_BPF_STATUS_CLASS)'+' \
+ -e 's+@PCP_BPF_STATUS_RULE@+'$(PCP_BPF_STATUS_RULE)'+' \
+ -e 's+@PCP_RPM_VAR_LIB_T@+'$(PCP_RPM_VAR_LIB_T)'+' \
+ -e 's+@PCP_RPM_VAR_LIB_RULE@+'$(PCP_RPM_VAR_LIB_RULE)'+' \
+ -e 's+@PCP_VIRT_VAR_RUN_T@+'$(PCP_VIRT_VAR_RUN_T)'+' \
+ -e 's+@PCP_VIRT_VAR_RUN_RULE@+'$(PCP_VIRT_VAR_RUN_RULE)'+' \
+ -e 's+@PCP_CAP2_SYSLOG_CLASS@+'$(PCP_CAP2_SYSLOG_CLASS)'+' \
+ -e 's+@PCP_CAP2_SYSLOG_RULE@+'$(PCP_CAP2_SYSLOG_RULE)'+' \
+ -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
+ -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
# END
make -f /usr/share/selinux/devel/Makefile
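Review bot: Every `-e` dropped here (PCP_SVIRT_LXC_NET_*, PCP_CLASS_STATUS, the *_SYSTEM_STATUS_RULEs, PCP_SYSTEMCTL_*, PCP_CAPUSERNS_PTRACE_RULE, PCP_SOCK_FILE_GETATTR*, PCP_TMP_T_MAP_RULE, PCP_DEFAULT_T_MAP, PCP_MOCK_VAR_LIB*, PCP_FSADM_EXEC_MAP_RULE, PCP_WAP_PORT_*) leaves its `@NAME@` token untouched if pcpupstream.te.in still contains it, and only a few of those placeholder removals are visible in this patch's te.in hunks; any survivor would be copied verbatim into pcpupstream.te and surface later as a policy build error. A guard after the substitution, `@! grep -q '@[A-Z0-9_]*@' $@ || { echo "$@: unsubstituted placeholder" >&2; rm -f $@; exit 1; }`, turns that into an immediate failure of this rule.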
diff -Naurp pcp-4.3.2.orig/src/selinux/pcpupstream.te.in pcp-4.3.2/src/selinux/pcpupstream.te.in
--- pcp-4.3.2.orig/src/selinux/pcpupstream.te.in 2019-04-26 09:34:21.000000000 +1000
+++ pcp-4.3.2/src/selinux/pcpupstream.te.in 2020-04-01 15:30:37.069633323 +1100
@@ -9,6 +9,7 @@ require {
type tmp_t;
type init_t;
type default_t;
+ type gpmctl_t;
type pcp_pmlogger_t;
type pcp_pmlogger_exec_t;
type pcp_var_lib_t;
@@ -33,13 +34,15 @@ require {
type sysctl_fs_t; #RHBZ1505888
type sysfs_t; #RHBZ1545245
type modules_object_t; # pcp.lio, pcp.bcc
+ type setfiles_exec_t;
type mdadm_exec_t;
+ type ndc_exec_t;
type proc_mdstat_t;
@PCP_NUMAD_CONTEXT@
type glusterd_log_t;
type sysctl_irq_t; #pmda.bcc
type unconfined_t; #RHBZ1443632
- type unconfined_service_t;
+ @PCP_UNCONFINED_SERVICE@
type configfs_t; #pcp.lio
type ldconfig_exec_t;
type sysctl_net_t;
@@ -49,19 +52,20 @@ require {
type kmsg_device_t;
type proc_kcore_t;
type su_exec_t;
+ @PCP_RPM_VAR_LIB_T@
+ @PCP_VIRT_VAR_RUN_T@
class sem { unix_read associate getattr read };
class lnk_file { read getattr };
class file { append create execute execute_no_trans getattr setattr ioctl lock open read write unlink @PCP_HOSTNAME_EXEC_MAP@ };
class dir { add_name open read search write getattr lock ioctl };
class unix_stream_socket connectto;
class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
+ @PCP_CAP2_SYSLOG_CLASS@
@PCP_CAPUSERNS_PTRACE@
class chr_file { open write };
class fifo_file { getattr read open unlink lock ioctl }; # qa/455
class process { signull signal execmem setrlimit ptrace }; #RHBZ1443632
- class sock_file write; #RHBZ1449671
- @PCP_SOCK_FILE_GETATTR@
- @PCP_CLASS_STATUS@
+ class sock_file { getattr write }; #RHBZ1449671, RHBZ1449671
class tcp_socket { name_bind name_connect };
class shm { unix_read associate getattr read };
class filesystem mount;
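Review bot: The trailing comment on the new `class sock_file { getattr write };` line cites `RHBZ1449671, RHBZ1449671` — the same bug twice. The `write` permission was tracked under RHBZ1449671 on the line being replaced, while the `getattr` permission now folded in was tracked under RHBZ1517656 in the `# @PCP_SOCK_FILE_GETATTR_RULE@` lines this commit removes further down, so the second id looks like a copy/paste slip: `class sock_file { getattr write }; #RHBZ1449671, RHBZ1517656`. Folding getattr in unconditionally also drops the `@PCP_SOCK_FILE_GETATTR@` probe, so the module now assumes every supported target policy defines getattr on sock_file; a one-line comment stating that assumption would save the next reader from re-deriving it.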
@@ -98,49 +102,24 @@ allow init_t system_cronjob_t:dbus send_
#============= pcp_pmcd_t ==============
-#type=AVC msg=audit(XXX.1): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir permissive=0
-#allow pcp_pmcd_t svirt_sandbox_file_t:dir { open read search };
-
-#@PCP_SVIRT_LXC_NET_RULE@
-
-#type=AVC msg=audit(XXX.2): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
-#allow pcp_pmcd_t sysctl_net_t:dir search;
-
-#SYN AVC for testing
-#type=AVC msg=audit(XXX.3): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
-#allow pcp_pmcd_t sysctl_net_t:file { getattr open read };
#SYN AVC for testing
#type=AVC msg=audit(XXX.4): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
allow pcp_pmcd_t user_home_t:file { execute execute_no_trans };
-#type=AVC msg=audit(XXX.5): avc: denied { read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t debugfs_t:dir { read search };
-
#type=AVC msg=audit(XXX.6): avc: denied { append getattr ioctl open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
#type=AVC msg=audit(XXX.7): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
-allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
+#type=AVC msg=audit(XXX.68): avc: denied { map } for pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read @PCP_HOSTNAME_EXEC_MAP@ };
#type=AVC msg=audit(XXX.8): avc: denied { getattr open read unlink } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0
allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
-#type=AVC msg=audit(YYY.9): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
-#allow pcp_pmcd_t initctl_t:fifo_file getattr;
-
#type=AVC msg=audit(XXX.9): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
allow pcp_pmcd_t proc_kcore_t:file getattr;
-
-#type=AVC msg=audit(YYY.10): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
-#@PCP_CAPUSERNS_PTRACE_RULE@
-
-
-#type=AVC msg=audit(YYY.6): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
-#type=AVC msg=audit(YYY.7): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
-#type=AVC msg=audit(YYY.8): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
-#allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource };
#type=AVC msg=audit(YYY.11): avc: denied { sys_chroot kill sys_resource } for pid=25873 comm="pmdalinux" capability=18 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
#type=AVC msg=audit(YYY.87): avc: denied { chown } for pid=8999 comm="pmdasimple" capability=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
allow pcp_pmcd_t self:capability { sys_chroot kill sys_resource ipc_lock chown };
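Review bot: `@PCP_HOSTNAME_EXEC_MAP@` is now also used to gate `map` on `pcp_pmie_exec_t`, so its name no longer describes what it does — it is a "does the file class have map" probe shared by the require block, the hostname rule and this pmie rule. A short comment on the new allow line, e.g. `# @PCP_HOSTNAME_EXEC_MAP@ expands to "map" only on policies whose file class defines it`, would make the reuse intentional rather than look like a paste from the hostname rule. The new audit record id `XXX.68` is also used for the unrelated pmlogger `user_tmp_t` record in the `@@ -370,56 +223,21 @@` hunk; giving each sanitized record a unique id keeps them greppable.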
@@ -149,10 +128,6 @@ allow pcp_pmcd_t self:capability { sys_c
#type=AVC msg=audit(YYY.12): avc: denied { read } for pid=29112 comm="pmdalinux" dev="nsfs" ino=4026532454 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
@PCP_NSFS_RULE@
-#type=AVC msg=audit(XXX.10): avc: denied { getattr read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=fifo_file permissive=0
-# allow pcp_pmcd_t pcp_log_t:fifo_file { getattr read open }; # qa/455
-
-
#type=AVC msg=audit(YYY.13): avc: denied { name_bind } for pid=7079 comm="pmdasimple" src=5650 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
#type=AVC msg=audit(YYY.14): avc: denied { name_connect } for pid=29238 comm="pmcd" dest=5650 scontex =system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
@PCP_UNRESERVED_PORT_RULE@
@@ -160,19 +135,9 @@ allow pcp_pmcd_t self:capability { sys_c
#type=AVC msg=audit(YYY.15): avc: denied { name_connect } for pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.prometheus
-#type=AVC msg=audit(YYY.16): avc: denied { unix_read } for pid=14552 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
-#type=AVC msg=audit(YYY.17): avc: denied { getattr associate } for pid=8128 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
-# allow pcp_pmcd_t unconfined_t:shm { unix_read associate getattr };
-
-#type=AVC msg=audit(YYY.18): avc: denied { read } for pid=16668 comm="pmdalogger" name="458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
-#type=AVC msg=audit(YYY.19): avc: denied { getattr } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
-#type=AVC msg=audit(YYY.20): avc: denied { open } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
-#allow pcp_pmcd_t user_tmp_t:fifo_file { read getattr open };
-
#type=AVC msg=audit(YYY.21): avc: denied { execute } for pid=8648 comm="sh" name="8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.22): avc: denied { execute_no_trans } for pid=8648 comm="sh" path="/tmp/8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
- allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans };
-@PCP_TMP_T_MAP_RULE@
+allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
#type=AVC msg=audit(YYY.23): avc: denied { getattr } for pid=8656 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
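Review bot: `@PCP_TMP_MAP@` now sits inside the permission braces, whereas the `@PCP_TMP_T_MAP_RULE@` it replaces stood on its own line as a whole rule; the substitution must therefore expand to the bare token `map` or to nothing, and the generator that fills these templates (outside this hunk) has to agree with that. A comment on the rule would help, e.g. `# @PCP_TMP_MAP@ is "map" or empty, not a full rule`. This rule lets the pcp_pmcd_t domain execute files under its own pcp_tmp_t directory in-domain (the YYY.21/YYY.22 records show `sh` running `/tmp/8641`); since the commit touches the line anyway, naming the script that relies on this would let a reviewer judge whether `map` is genuinely needed alongside `execute`.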
@@ -187,87 +152,39 @@ allow pcp_pmcd_t hostname_exec_t:file {
#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
#type=AVC msg=audit(YYY.30): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
#type=AVC msg=audit(YYY.31): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
-# @PCP_TRACEFS_DIR_RULE@
+#type=AVC msg=audit(YYY.88): avc: denied { read } for pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+@PCP_TRACEFS_DIR_RULE@
#type=AVC msg=audit(YYY.32): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.33): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
@PCP_TRACEFS_FILE_RULE@
-#type=AVC msg=audit(XXX.11): avc: denied { getattr open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t gconf_home_t:dir { getattr open read search };
-
-#type=AVC msg=audit(XXX.12): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t virt_etc_t:dir search;
-
-#type=AVC msg=audit(XXX.13): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t virt_etc_t:file { read open };
-
-#type=AVC msg=audit(XXX.14): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virtd_t:s0 tclass=unix_stream_socket permissive=0
-# allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
-
-
-#type=AVC msg=audit(XXX.15): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t haproxy_var_lib_t:dir search;
+#type=AVC msg=audit(YYY.37): avc: denied { getattr } for pid=YYYY comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=19750 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
+allow pcp_pmcd_t gpmctl_t:sock_file getattr;
#type=AVC msg=audit(XXX.16): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0
allow pcp_pmcd_t haproxy_var_lib_t:sock_file write;
-#type=AVC msg=audit(XXX.17): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_t:s0 tclass=unix_stream_socket permissive=0
-# allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto;
-
-
#type=AVC msg=audit(YYY.34): avc: denied { write } for pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
#RHBZ1505888
allow pcp_pmcd_t sysctl_fs_t:file write;
-#RHBZ1515928
-#RHBZ1449671
-#type=AVC msg=audit(XXX.18): avc: denied { getattr open search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t nfsd_fs_t:dir { getattr open search };
-
-#type=AVC msg=audit(XXX.19): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t nfsd_fs_t:file { getattr open read };
-
-
-#RHBZ1517656
-# @PCP_SOCK_FILE_GETATTR_RULE@
-
-#RHBZ1517862
-#type=AVC msg=audit(XXX.20): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t postfix_spool_t:dir read;
-
-
-# @PCP_UNCONFINED_SERVICE_RULE@
-
-#type=AVC msg=audit(...): avc: denied { getattr } for pid=NNN comm="pmdalinux" path="/var/lib/mock" dev="dm-1" ino=917749 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=dir permissive=1
-# @PCP_MOCK_VAR_LIB_RULE@
-
#type=AVC msg=audit(...): avc: denied { map } for pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
@PCP_LDCONFIG_EXEC_MAP_RULE@
-#RHBZ1488116
-#type=AVC msg=audit(XXX.21): avc: denied { unix_read associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=shm permissive=0
-# allow pcp_pmcd_t httpd_t:shm { unix_read associate getattr };
-
-#type=AVC msg=audit(XXX.22): avc: denied { unix_read associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=sem permissive=0
-# allow pcp_pmcd_t httpd_t:sem { unix_read associate getattr };
-
-
#RHBZ1545245
#type=AVC msg=audit(XXX.23): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t sysfs_t:dir write;
-
# pmda.bcc
#type=AVC msg=audit(XXX.24): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=lnk_file permissive=0
allow pcp_pmcd_t modules_object_t:lnk_file read;
-#type=AVC msg=audit(XXX.25): avc: denied { open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t hugetlbfs_t:dir { open read };
-
#type=AVC msg=audit(XXX.26): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };
+allow pcp_pmcd_t ndc_exec_t:file execute;
+
#type=AVC msg=audit(XXX.27): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0
allow pcp_pmcd_t proc_mdstat_t:file { getattr open read };
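Review bot: The new `allow pcp_pmcd_t ndc_exec_t:file execute;` has no motivating AVC record or bug reference above it, unlike every other rule in this file, so it is not clear which PMDA needs to run ndc. It also grants only `execute`, while the neighbouring `mdadm_exec_t` rule grants `{ execute execute_no_trans open read }`; unless a domain transition for ndc_exec_t from pcp_pmcd_t exists elsewhere, the exec would presumably still be denied on execute_no_trans/open/read, so the rule may be incomplete — the `setfiles_exec_t:file execute` rule added in the `@@ -370,56 +223,21 @@` hunk has the same shape. Adding the sanitized AVC line as a comment and a `# pmda<name>` tag, as the other rules do, would document both the need and the permission set that was actually observed.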
@@ -275,93 +192,29 @@ allow pcp_pmcd_t proc_mdstat_t:file { ge
#type=AVC msg=audit(YYY.36): avc: denied { unix_read } for pid=1423 comm="pmdalinux" key=-559038737 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0
@PCP_NUMAD_RULE@
-
#type=AVC msg=audit(XXX.28): avc: denied { open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=file permissive=0
allow pcp_pmcd_t glusterd_log_t:file { open read write };
-#type=AVC msg=audit(XXX.29): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t glusterd_log_t:dir { search };
-
-#type=AVC msg=audit(XXX.30): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t glusterd_conf_t:dir { search };
-
-#type=AVC msg=audit(XXX.31): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_t:s0 tclass=unix_stream_socket permissive=0
-# allow pcp_pmcd_t glusterd_t:unix_stream_socket connectto;
-
-#type=AVC msg=audit(XXX.32): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t glusterd_var_lib_t:dir search;
-
-
-#RHBZ1565158, RHBZ1619383
-#type=AVC msg=audit(XXX.33): avc: denied { assocate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mozilla_plugin_t:s0 tclass=sem permissive=0
-# allow pcp_pmcd_t mozilla_plugin_t:sem { associate getattr unix_read };
-
-
#pmda.bcc
#type=AVC msg=audit(XXX.34): avc: denied { execmem setrlimit ptrace } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
allow pcp_pmcd_t self:process { execmem setrlimit ptrace };
-#type=AVC msg=audit(YYY.37): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
-#allow pcp_pmcd_t system_map_t:file { ioctl open read };
-
#type=AVC msg=audit(XXX.35): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t sysctl_irq_t:dir { search };
-
-#RHBZ1592901
-#type=AVC msg=audit(XXX.36): avc: denied { unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:init_t:s0 tclass=shm permissive=0
-# allow pcp_pmcd_t init_t:shm unix_read;
-
-
-#RHBZ1594991
-#type=AVC msg=audit(XXX.37): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpsd_t:s0 tclass=shm permissive=0
-# allow pcp_pmcd_t gpsd_t:shm { associate getattr unix_read };
-
-
-#type=AVC msg=audit(XXX.38): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t default_t:file getattr;
-
-
-#RHBZ1622253
-#type=AVC msg=audit(YYY.38): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
-#allow pcp_pmcd_t named_zone_t:dir search;
-
-#RHBZ1619381
-#type=AVC msg=audit(YYY.39): avc: denied { unix_read } for pid=1726 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=shm permissive=0
-#allow pcp_pmcd_t xdm_t:shm unix_read;
-
-#type=AVC msg=audit(XXX.39): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=sem permissive=0
-# allow pcp_pmcd_t postgresql_t:sem { associate getattr unix_read };
-
-#type=AVC msg=audit(XXX.40): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=shm permissive=0
-# allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
-
-
-#type=AVC msg=audit(...): avc: denied { connectto } for pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
-#allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
-
#RHBZ1633211, RHBZ1693332
@PCP_BPF_STATUS_RULE@
#type=AVC msg=audit(XXX.41): avc: denied { signull } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=process permissive=0
allow pcp_pmcd_t kernel_t:process signull;
+# pmda-bcc needs the ability to read addresses in /proc/kallsyms
+@PCP_CAP2_SYSLOG_RULE@
+
#RHBZ1690542
#type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
allow pcp_pmcd_t kernel_t:system module_request;
-#type=AVC msg=audit(XXX.42): avc: denied { associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xdm_t:s0 tclass=shm permissive=0
-# allow pcp_pmcd_t xdm_t:shm { associate getattr };
-
-#type=AVC msg=audit(XXX.43): avc: denied { getattr search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t user_home_dir_t:dir { getattr search };
-
-#RHBZ1535522
-#type=AVC msg=audit(YYY.40): avc: denied { search } for pid=21371 comm="pmdalinux" name=".cache" dev="dm-0" ino=11796488 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
-#allow pcp_pmcd_t cache_home_t:dir search;
-
-# @PCP_WAP_PORT_RULE@
-
# type=AVC msg=audit(YYY.83): avc: denied { execute } for pid=19060 comm="zimbraprobe" name="su" dev="dm-0" ino=26416761 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
#pmdazimbra
allow pcp_pmcd_t su_exec_t:file { execute };
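Review bot: The comment above `@PCP_CAP2_SYSLOG_RULE@` undersells what is being granted: CAP_SYSLOG is the capability that lets a process read unmasked kernel addresses from /proc/kallsyms under kptr_restrict, and it also covers kernel log access, and because every PMDA runs in pcp_pmcd_t it is extended to all of them, not only bcc. Suggest making that explicit, e.g. `# pmda-bcc needs CAP_SYSLOG to read unmasked addresses from /proc/kallsyms (kptr_restrict); this applies to every PMDA in pcp_pmcd_t`. The removed `#allow pcp_pmcd_t system_map_t:file { ioctl open read };` (record YYY.37) was the file-level side of the same kallsyms access; if that read is still needed on some policies it is worth confirming it is covered elsewhere rather than lost with the comment.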
@@ -370,56 +223,21 @@ allow pcp_pmcd_t su_exec_t:file { execut
#type=AVC msg=audit(XXX.44): avc: denied { open write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
-#type=AVC msg=audit(XXX.45): avc: denied { kill } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
-allow pcp_pmlogger_t self:capability kill;
-
-# @PCP_PMLOGGER_SYSTEM_STATUS_RULE@
-
-#type=AVC msg=audit(YYY.41): avc: denied { write } for pid=18266 comm="logger" name="log" dev="devtmpfs" ino=1413 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
-# allow pcp_pmlogger_t devlog_t:sock_file write;
-
-#type=AVC msg=audit(YYY.42): avc: denied { read } for pid=26849 comm="logger" name="log" dev="devtmpfs" ino=1389 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
-# allow pcp_pmlogger_t devlog_t:lnk_file read;
-
# type=AVC msg=audit(YYY.43): avc: denied { sys_ptrace } for pid=21962 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability
-# src/pmlogger/pmnewlog.sh
-allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid };
+#type=AVC msg=audit(XXX.45): avc: denied { kill } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
+allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill };
## type=AVC msg=audit(YYY.44) : avc: denied { signal } for pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
allow pcp_pmlogger_t unconfined_t:process signal;
## type=AVC msg=audit(YYY.85): avc: denied { signal } for pid=31205 comm="pmsignal" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
-allow pcp_pmlogger_t unconfined_service_t:process signal;
-
-#type=AVC msg=audit(YYY.45): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
-# allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
-
-#type=AVC msg=audit(YYY.46): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket
-# allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
-
-#type=AVC msg=audit(YYY.47): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
-# allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;
-
-#RHBZ1488116
-#type=AVC msg=audit(YYY.48): avc: denied { search } for pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
-# allow pcp_pmlogger_t user_home_dir_t:dir search;
-
-#type=AVC msg=audit(XXX.46): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
-# allow pcp_pmlogger_t user_home_t:file { read open };
+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@
#type=AVC msg=audit(XXX.68): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
allow pcp_pmlogger_t user_tmp_t:file { setattr unlink };
-#RHBZ1547066
-#type=AVC msg=audit(XXX.47): avc: denied { sendto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
-# allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto;
-
-#type=AVC msg=audit(XXX.48): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir permissive=0
-# allow pcp_pmlogger_t home_bin_t:dir search;
-
-#RHBZ1634205
-#type=AVC msg=audit(YYY.49): avc: denied { search } for pid=8613 comm="ps" name=".cache" dev="dm-0" ino=1277884 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
-# allow pcp_pmlogger_t cache_home_t: dir search;
+#type=AVC msg=audit(XXX.72): avc: denied { execute } for pid=9634 comm="pmlogger_daily" name="setfiles" dev="dm-0" ino=34500334 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
+allow pcp_pmlogger_t setfiles_exec_t:file execute;
#============= pcp_pmie_t ==============
#type=AVC msg=audit(XXX.49): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
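Review bot: Merging `kill` into `allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill };` also drops the `# src/pmlogger/pmnewlog.sh` line, which was the only pointer saying which script needs sys_ptrace/fowner/fsetid in the pmlogger domain; the YYY.43 record above only shows `ps`. Suggest keeping it next to the merged rule, e.g. `# sys_ptrace/fowner/fsetid: src/pmlogger/pmnewlog.sh; kill: XXX.45`. The new `setfiles_exec_t:file execute` rule would likewise benefit from a comment naming why pmlogger_daily relabels files (XXX.72 only shows the exec), since that is a privileged operation for a logging domain.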
@@ -429,77 +247,27 @@ allow pcp_pmie_t hostname_exec_t:file {
#type=AVC msg=audit(YYY.50): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };
-#type=AVC msg=audit(YYY.51) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
-# allow pcp_pmie_t init_t:unix_stream_socket connectto;
-
-#type=AVC msg=audit(YYY.52) : avc: denied { open } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
-#type=AVC msg=audit(YYY.53) : avc: denied { read } for pid=8939 comm=runlevel name=utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
-#type=AVC msg=audit(YYY.54) : avc: denied { lock } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
-# allow pcp_pmie_t initrc_var_run_t:file { lock open read };
-
-# @PCP_PMIE_SYSTEM_STATUS_RULE@
-
-#type=AVC msg=audit(YYY.55) : avc: denied { getattr } for pid=8870 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
-# @PCP_SYSTEMCTL_UNIT_FILE_RULE@
-
-#type=AVC msg=audit(YYY.56): avc: denied { search } for pid=30181 comm="pmie" name="system" dev="dm-1" ino=1182241 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0
-#@PCP_SYSTEMCTL_UNIT_DIR_RULE@
-
-#type=AVC msg=audit(YYY.57) : avc: denied { read } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
-#type=AVC msg=audit(YYY.58) : avc: denied { execute } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
-#type=AVC msg=audit(YYY.59) : avc: denied { getattr } for pid=7004 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
-#type=AVC msg=audit(YYY.60) : avc: denied { execute_no_trans } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
-#type=AVC msg=audit(YYY.61) : avc: denied { open } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
-#type=AVC msg=audit(YYY.62): avc: denied { getattr } for pid=13079 comm="which" path="/usr/bin/systemctl" dev="dm-1" ino=1078205 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
-# @PCP_SYSTEMCTL_EXEC_RULE@
-
-#type=AVC msg=audit(YYY.63): avc: denied { connectto } for pid=12589 comm="pmie" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
-# allow pcp_pmie_t unconfined_t:unix_stream_socket connectto;
-
-#audit: type=1400 audit(YYY.64): avc: denied { execute_no_trans } for pid=3703 comm=pmie_check path=/usr/bin/pmie dev=dm-0 ino=2506240 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
-# allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans;
-
#RHBZ1517656
#type=AVC msg=audit(XXX.50): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
allow pcp_pmie_t proc_net_t:file read;
-
-#type=AVC msg=audit(...): avc: denied { open } for pid=NNN comm="runlevel" path="/dev/kmsg" dev="devtmpfs" ino=1043 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
-# allow pcp_pmie_t kmsg_device_t:chr_file open;
-
-#RHBZ1533080
-#type=AVC msg=audit(XXX.51): avc: denied { signal } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
-# allow pcp_pmie_t pcp_pmcd_t:process signal;
-
-
-#RHBZ1547066
-#type=AVC msg=audit(XXX.52): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
-# allow pcp_pmie_t init_exec_t:file getattr;
-
#RHBZ1635394
#type=AVC msg=audit(YYY.66): avc: denied { sys_ptrace } for pid=15683 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=cap_userns permissive=0
@PCP_CAPUSERNS_PTRACE_RULE_PMIE@
-#type=AVC msg=audit(XXX.53): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
-# allow pcp_pmie_t user_home_dir_t:dir search;
-
-#type=AVC msg=audit(XXX.54): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
-# allow pcp_pmie_t user_home_t:file { read open };
-
-
#RHBZ1623988
#type=AVC msg=audit(YYY.65): avc: denied { signal } for pid=3106 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
allow pcp_pmie_t unconfined_t:process signal;
## type=AVC msg=audit(YYY.86): avc: denied { signal } for pid=23951 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
-allow pcp_pmie_t unconfined_service_t:process signal;
+@PCP_PMIE_UNCONFINED_SERVICE_RULE@
#============= pmda-lio ==============
-#type=AVC msg=audit(XXX.55): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
-allow pcp_pmcd_t configfs_t:dir { open read search };
+#type=AVC msg=audit(XXX.55): avc: denied { open read search write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
+allow pcp_pmcd_t configfs_t:dir { open read search write };
-#type=AVC msg=audit(XXX.56): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
-allow pcp_pmcd_t configfs_t:file { getattr open read };
+#type=AVC msg=audit(XXX.56): avc: denied { getattr ioctl open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t configfs_t:file { getattr ioctl open read };
#type=AVC msg=audit(XXX.57): avc: denied { getattr read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=lnk_file permissive=0
allow pcp_pmcd_t configfs_t:lnk_file { getattr read };
@@ -507,23 +275,6 @@ allow pcp_pmcd_t configfs_t:lnk_file { g
#type=AVC msg=audit(XXX.58): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t ldconfig_exec_t:file { execute execute_no_trans getattr open read };
-
-#type=AVC msg=audit(XXX.59): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t modules_conf_t:dir { getattr open read };
-
-#type=AVC msg=audit(XXX.60): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t modules_conf_t:file { getattr open read };
-
-#type=AVC msg=audit(XXX.61): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t modules_object_t:dir search;
-
-#type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t modules_object_t:file { getattr open read };
-
-#type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
-# allow pcp_pmcd_t saslauthd_t:unix_stream_socket connectto;
-
-
#============= pcp_pmproxy_t ==============
#type=AVC msg=audit(YYY.67) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
allow pcp_pmproxy_t self:capability { net_admin dac_override };
@@ -533,9 +284,6 @@ allow pcp_pmproxy_t self:capability { ne
#type=AVC msg=audit(YYY.70) : avc: denied { getattr } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
allow pcp_pmproxy_t sysctl_net_t:file { getattr open read };
-#type=AVC msg=audit(YYY.71): avc: denied { search } for pid=14446 comm="pmproxy" name="net" dev="proc" ino=1168 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
-# allow pcp_pmproxy_t sysctl_net_t:dir search;
-
#type=AVC msg=audit(YYY.72): avc: denied { read } for pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
#RHBZ1517656
allow pcp_pmproxy_t proc_net_t:file read;
@@ -545,14 +293,11 @@ allow pcp_pmproxy_t proc_net_t:file read
#type=AVC msg=audit(YYY.73): avc: denied { name_bind } for pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
@PCP_UNRESERVED_PORT_RULE_PMMGR@
-#type=AVC msg=audit(YYY.74): avc: denied { connectto } for pid=16715 comm="pmmgr" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
-# allow pcp_pmmgr_t unconfined_t:unix_stream_socket connectto;
#type=AVC msg=audit(XXX.64): avc: denied { execute execute_no_trans open read getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
allow pcp_pmmgr_t ldconfig_exec_t:file { execute execute_no_trans open read getattr };
-#type=AVC msg=audit(XXX.65): avc: denied { name_connect } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket permissive=0
-# allow pcp_pmmgr_t zabbix_port_t:tcp_socket name_connect;
-
+#type=AVC msg=audit(XXX.69): avc: denied { dac_override } for pid=3767 comm="pmmgr" capability=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:system_r:pcp_pmmgr_t:s0 tclass=capability permissive=0
+allow pcp_pmmgr_t self:capability dac_override;
#============= pmda-smart ==============
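Review bot: The new `allow pcp_pmmgr_t self:capability dac_override;` lets pmmgr bypass every discretionary file-permission check, which is far broader than whatever single access produced the AVC, and the audit record pasted above it does not say which path pmmgr was opening. The usual cause of a dac_override denial is the daemon running as a user that does not own (or cannot read) the file it touches; if that is the case here, fixing ownership or mode on that path is the narrower fix, and if only read or search is needed, `dac_read_search` is the smaller capability to grant. Whichever is chosen, the comment above the rule should record what was being accessed so the grant can be revisited, e.g. `# pmmgr hits dac_override on <PATH-PLACEHOLDER> when <OPERATION-PLACEHOLDER>; ownership cannot be changed because <REASON-PLACEHOLDER>`.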
@@ -564,23 +309,25 @@ allow pcp_pmmgr_t ldconfig_exec_t:file {
#type=AVC msg=audit(YYY.80): avc: denied { map } for pid=8678 comm="smartctl" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.81): avc: denied { sys_rawio } for pid=8678 comm="smartctl" capability=17 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
-allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
-@PCP_FSADM_EXEC_MAP_RULE@
+allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read @PCP_FSADM_EXEC_MAP@ };
#============= pmda-nvidia ==============
#type=AVC msg=audit(YYY.83): avc: denied { map } for pid=7034 comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.84): avc: denied { execute } for pid=19828 comm="pmdanvidia" path="//usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
-@PCP_DEFAULT_T_MAP@
+@PCP_DEFAULT_MAP_RULE@
#type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
allow pcp_pmcd_t self:capability sys_rawio;
+#============= pmda-rpm ==============
+#type=AVC msg=audit(YYY.89): avc: denied { map } for pid=4969 comm="pmdarpm" path="/var/lib/rpm/Name" dev="dm-0" ino=519186 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0
+@PCP_RPM_VAR_LIB_RULE@
+
+#============= pmda-libvirt ==============
+#type=AVC msg=audit(YYY.90): avc: denied { write } for pid=30922 comm="python3" name="libvirt-sock-ro" dev="tmpfs" ino=25845 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0
+@PCP_VIRT_VAR_RUN_RULE@
-#============= pmda-redis ==============
-#type=AVC msg=audit(YYY.82): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
-# allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;
-
-# allow pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
+# permit pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
@PCP_SELINUX_MACRO_RULE@
files_read_all_files(pcp_pmcd_t)
files_read_all_files(pcp_pmie_t)
@@ -591,14 +338,17 @@ files_read_all_files(pcp_pmwebd_t)
allow pcp_domain file_type:fifo_file read_fifo_file_perms;
-# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+# permit pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
allow pcp_domain domain:shm r_sem_perms;
allow pcp_domain domain:sem r_shm_perms;
allow pcp_domain userdomain:shm r_sem_perms;
allow pcp_domain userdomain:sem r_shm_perms;
-# allow pcp_domain stream connect to all domains
+# permit pcp_domain stream connect to all domains
allow pcp_domain domain:unix_stream_socket connectto;
-# allow pcp_domain to connect to all ports.
+# permit pcp_domain to connect to all ports.
corenet_tcp_connect_all_ports(pcp_domain)
+
+# all pcp_domain read access to all maps
+@PCP_MMAP_ALL@
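Review bot: The comment added just above `@PCP_MMAP_ALL@` reads `# all pcp_domain read access to all maps`, which looks like a typo; the rest of this hunk rewrites the neighbouring comments from `allow ...` to `permit ...`, so `# permit pcp_domain read access to all maps` appears to be the intended wording (presumably to keep the word `allow` out of comment lines, though the reason is not visible here). Because `@PCP_MMAP_ALL@` is the one substitution in this section that applies to the whole pcp_domain attribute rather than a single type, the comment should also state what the macro expands to and on which policy versions it is empty, in the style the README hunk later in this patch describes for `@PCP_TRACEFS@`. Separately, folding the former `@PCP_FSADM_EXEC_MAP_RULE@` into the permission set as `{ execute execute_no_trans getattr open read @PCP_FSADM_EXEC_MAP@ }` only works if the new macro expands to a bare permission token or to nothing; a one-line comment recording that expectation would help the next reader.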
diff -Naurp pcp-4.3.2.orig/src/selinux/README pcp-4.3.2/src/selinux/README
--- pcp-4.3.2.orig/src/selinux/README 2019-04-09 10:48:01.000000000 +1000
+++ pcp-4.3.2/src/selinux/README 2020-04-01 15:30:14.404025851 +1100
@@ -55,6 +55,22 @@ rather than the singular form
as reported by audit2allow -m.
+Also, some of the "require" elements may be optional (not supported
+on all versions of selinux), so watch out for things like
+
+ @PCP_TRACEFS@
+
+which becomes
+
+ type tracefs_t;
+
+or
+
+ <nothing>
+
+and the corresponding conditional rules, like @PCP_TRACEFS_FS_RULE@,
+@PCP_TRACEFS_DIR_RULE@ and @PCP_TRACEFS_FILE_RULE@
+
Now go further down src/selinux/pcpupstream.te.in and add the
"allow" clause from audit2allow -m, prefixed by the full text of
the matching AVC line from audit.log as a comment, so something like: