commit 8f75ee909cb751a1cc6b3988c5ba5476ca237de1
Author: Lukas Berk <lberk@redhat.com>
Date:   Tue Oct 24 10:23:42 2017 -0400

    selinux: rhbz1505888 - A pmstore command is blocked by SELinux
    
    Add to policy file, update testcase 917

diff --git a/qa/917.out.in b/qa/917.out.in
index b0073c23f..a8c337964 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -43,6 +43,7 @@ decl 1:
   allow [pcp_pmcd_t] [haproxy_var_lib_t] : [dir] { search };
   allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write };
   allow [pcp_pmcd_t] [haproxy_t] : [unix_stream_socket] { connectto };
+  allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write };
   allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
   allow [pcp_pmlogger_t] self : [capability] { kill };
   allow [pcp_pmlogger_t] [init_t] : [system] { status };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index f070e6024..5f48533c1 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -19,6 +19,7 @@ require {
 	type pcp_pmmgr_t;
 	type pcp_tmp_t;
 	type sysctl_net_t;
+	type sysctl_fs_t; #RHBZ1505888
 	type svirt_sandbox_file_t;
 	@PCP_SVIRT_LXC_NET_T@
 	type virtd_t; # pmda.libvirt
@@ -163,6 +164,11 @@ allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
 allow pcp_pmcd_t haproxy_var_lib_t:dir search;
 allow pcp_pmcd_t haproxy_var_lib_t:sock_file write;
 allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto;
+
+#type=AVC msg=audit(1508779244.425:386): avc:  denied  { write } for  pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
+#RHBZ1505888
+allow pcp_pmcd_t sysctl_fs_t:file write;
+
 #============= pcp_pmlogger_t ==============
 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
 allow pcp_pmlogger_t self:capability kill;
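Review bot: The new `allow pcp_pmcd_t sysctl_fs_t:file write;` grants write to every file labeled sysctl_fs_t, which is wider than the single `stats_clear` node the quoted AVC shows (name="stats_clear" dev="proc", presumably under /proc/sys/fs — verify the path), and nothing in the hunk records that this breadth is intended. Since SELinux cannot narrow a file grant below the type without a separate label, the reasonable fix is to document the scope so a later reviewer does not mistake it for a one-file exception; the comment before the rule could read `# pmdaxfs writes the xfs stats_clear sysctl; sysctl_fs_t covers all of /proc/sys/fs, so this is wider than that one file` alongside the existing `#RHBZ1505888` tag. It would also help to state in the commit message or comment that this is a "write" grant only and no read/open is added, so the corresponding expectation in qa/917.out.in (L18) stays in step with the intended permission set.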