BZ 1790452 - Installation of pcp-pmda-samba causes SELinux issues
73772a60f selinux: fix pmdasamba(1) operating with selinux enforcing

--- a/qa/917.out.in	2020-05-19 20:34:46.000000000 +1000
+++ pcp-5.1.1/qa/917.out.in	2020-06-22 17:29:14.346713826 +1000
@@ -34,6 +34,8 @@
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [udp_socket] { name_bind };
 ! allow [pcp_pmlogger_t] [unreserved_port_t] : [tcp_socket] { name_bind };
+  allow [pcp_pmcd_t] [samba_var_t] : [dir] { add_name write };
+  allow [pcp_pmcd_t] [samba_var_t] : [file] { create };
   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
 ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
--- a/src/pmdas/samba/pmdasamba.pl	2020-02-04 14:51:57.000000000 +1100
+++ pcp-5.1.1/src/pmdas/samba/pmdasamba.pl	2020-06-22 17:29:14.346713826 +1000
@@ -41,6 +41,7 @@
 	$pmda->err("pmdasamba failed to open $smbstats pipe: $!");
 
     while (<STATS>) {
+	$_ =~ s/"//g;
 	if (m/^\*\*\*\*\s+(\w+[^*]*)\**$/) {
 	    my $heading = $1;
 	    $heading =~ s/ +$//g;
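Review bot: The added `$_ =~ s/"//g;` at the top of the `while (<STATS>)` loop has no comment saying which smbstatus output needs it, and it removes every double quote on every line, including any inside a value and not only the ones wrapping a field. A one-line comment would record the intent, for example `# strip double quotes from smbstatus output (presumably newer versions quote fields - confirm)`. The explicit `$_ =~` is also redundant here, so `tr/"//d;` would do the same deletion more idiomatically. The loop body continues outside the hunk, so whether later matches depend on quotes being absent cannot be checked from here.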
--- a/src/selinux/pcpupstream.te.in	2020-05-19 20:34:32.000000000 +1000
+++ pcp-5.1.1/src/selinux/pcpupstream.te.in	2020-06-22 17:29:14.347713837 +1000
@@ -22,6 +22,7 @@
 	type pcp_pmie_exec_t; # pmda.summary
 	type ping_exec_t; # pmda.netcheck
 	type openvswitch_exec_t; # pmda.openvswitch
+	type samba_var_t; # pmda.samba
 	type websm_port_t; # pmda.openmetrics
         type system_cronjob_t;
         type user_home_t;
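Review bot: `type samba_var_t; # pmda.samba` is added to the require list unconditionally, so the module now depends on the loaded base policy defining that type. If some supported platform lacks it, the module would presumably fail to load there unless the build guards this elsewhere, perhaps as the `@PCP_..._RULE@` substitutions in this file do for other rules. The matching rules in the later hunk of this file, `allow pcp_pmcd_t samba_var_t:dir { add_name write };` and `allow pcp_pmcd_t samba_var_t:file { create };`, apply to the whole `pcp_pmcd_t` domain rather than only the samba PMDA. The only denial recorded above them is the dir `write` from `smbstatus` on `msg.lock`, so the `add_name` and file `create` denials should be recorded too, or a comment such as `# smbstatus creates files under msg.lock (samba_var_t dir)` added to keep the grant auditable. The require block starts outside this hunk.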
@@ -151,6 +152,10 @@
 #type=AVC msg=audit(YYY.94): avc: denied { name_bind } for pid=9365 comm=pmlogger src=4332 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 @PCP_UNRESERVED_PORT_RULE_PMLOGGER@
 
+#type=AVC msg=audit(YYY.97): avc: denied { write } for pid=3507787 comm="smbstatus" name="msg.lock" dev="dm-0" ino=283321 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
+allow pcp_pmcd_t samba_var_t:dir { add_name write }; # pmda.samba
+allow pcp_pmcd_t samba_var_t:file { create }; # pmda.samba
+
 #type=AVC msg=audit(YYY.15): avc:  denied  { name_connect } for  pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
 allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.openmetrics