diff -Naurp pcp-4.1.0-orig/qa/1141 pcp-4.1.0/qa/1141
--- pcp-4.1.0-orig/qa/1141 2017-12-18 09:31:30.000000000 +1100
+++ pcp-4.1.0/qa/1141 2018-09-05 08:46:05.578019776 +1000
@@ -17,6 +17,8 @@ policy_name="pcpqaqaqaqa"
policy_file="$PCP_VAR_DIR/selinux/pcpupstream.pp"
which sedismod >/dev/null 2>&1 || _notrun "sedismod tool not installed (module disassembly)"
which semodule >/dev/null 2>&1 || _notrun "semodule tool not installed"
+$sudo semodule -l >/dev/null 2>&1
+[ $? -eq 0 ] || _notrun "semodule -l fails"
which seinfo >/dev/null 2>&1 || _notrun "seinfo tool not installed"
[ -f "$policy_file" ] || _notrun "upstream policy package not installed"
#if a matching module is already installed
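Review bot: The two added lines split one check across a command and a separate `$?` test, while every neighbouring prerequisite on this page is written as a single `cmd || _notrun "..."` line; `$sudo semodule -l >/dev/null 2>&1 || _notrun "semodule -l fails"` would match that style and read the status directly. Whether `$sudo` is defined before line 17 is not visible in this hunk; if it is empty the probe silently runs unprivileged and may report "semodule -l fails" for a permission reason rather than a missing policy store, which is worth a short comment above the line.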
diff -Naurp pcp-4.1.0-orig/qa/917.out.in pcp-4.1.0/qa/917.out.in
--- pcp-4.1.0-orig/qa/917.out.in 2018-05-09 07:50:53.000000000 +1000
+++ pcp-4.1.0/qa/917.out.in 2018-09-05 08:46:47.973426601 +1000
@@ -16,11 +16,11 @@ decl 1:
allow [pcp_pmcd_t] [sysctl_net_t] : [dir] { search };
allow [pcp_pmcd_t] [sysctl_net_t] : [file] { getattr open read };
allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans open read };
- allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
- allow [pcp_pmcd_t] [debugfs_t] : [file] { getattr ioctl open read };
+ allow [pcp_pmcd_t] [debugfs_t] : [dir] { read search };
+ allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
- allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_owner sys_resource };
+ allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_lock ipc_owner sys_resource };
allow [pcp_pmcd_t] [initctl_t] : [fifo_file] { getattr };
allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
allow [pcp_pmcd_t] self : [cap_userns] { sys_ptrace };
@@ -36,8 +36,8 @@ decl 1:
allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
- allow [pcp_pmcd_t] [tracefs_t] : [file] { append open read };
- allow [pcp_pmcd_t] [gconf_home_t] : [dir] { search };
+ allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+ allow [pcp_pmcd_t] [gconf_home_t] : [dir] { open read search getattr };
allow [pcp_pmcd_t] [virt_etc_t] : [dir] { search };
allow [pcp_pmcd_t] [virt_etc_t] : [file] { open read };
allow [pcp_pmcd_t] [virtd_t] : [unix_stream_socket] { connectto };
@@ -55,6 +55,7 @@ decl 1:
allow [pcp_pmcd_t] [httpd_t] : [shm] { unix_read associate getattr };
allow [pcp_pmcd_t] [httpd_t] : [sem] { unix_read associate getattr };
allow [pcp_pmcd_t] [sysfs_t] : [dir] { write };
+ allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read };
allow [pcp_pmcd_t] [hugetlbfs_t] : [dir] { open read };
allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read };
allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read };
@@ -65,6 +66,12 @@ decl 1:
allow [pcp_pmcd_t] [glusterd_t] : [unix_stream_socket] { connectto };
allow [pcp_pmcd_t] [glusterd_var_lib_t] : [dir] { search };
allow [pcp_pmcd_t] [mozilla_plugin_t] : [sem] { unix_read };
+ allow [pcp_pmcd_t] self : [process] { execmem setrlimit };
+ allow [pcp_pmcd_t] [system_map_t] : [file] { ioctl open read };
+ allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search };
+ allow [pcp_pmcd_t] [init_t] : [shm] { unix_read };
+ allow [pcp_pmcd_t] [gpsd_t] : [shm] { associate getattr };
+ allow [pcp_pmcd_t] [default_t] : [file] { getattr };
allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
allow [pcp_pmlogger_t] self : [capability] { kill };
allow [pcp_pmlogger_t] [init_t] : [system] { status };
@@ -74,10 +81,12 @@ decl 1:
allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal };
allow [pcp_pmlogger_t] [pcp_pmlogger_exec_t] : [file] { execute_no_trans };
allow [pcp_pmlogger_t] [dey_sapi_port_t] : [tcp_socket] { name_connect };
+ allow [pcp_pmlogger_t] [unconfined_t] : [unix_stream_socket] { connectto };
allow [pcp_pmlogger_t] [user_home_dir_t] : [dir] { search };
allow [pcp_pmlogger_t] [kernel_t] : [unix_dgram_socket] { sendto };
+ allow [pcp_pmlogger_t] [home_bin_t] : [dir] { search };
allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
- allow [pcp_pmie_t] self : [capability] { kill sys_ptrace net_admin chown };
+ allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner };
allow [pcp_pmie_t] [init_t] : [unix_stream_socket] { connectto };
allow [pcp_pmie_t] [initrc_var_run_t] : [file] { lock open read };
allow [pcp_pmie_t] [init_t] : [system] { status };
@@ -89,6 +98,7 @@ decl 1:
allow [pcp_pmie_t] [kmsg_device_t] : [chr_file] { open };
allow [pcp_pmie_t] [pcp_pmcd_t] : [process] { signal };
allow [pcp_pmie_t] [init_exec_t] : [file] { getattr };
+ allow [pcp_pmie_t] [user_home_dir_t] : [dir] { search };
allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
@@ -98,7 +108,7 @@ decl 1:
allow [pcp_pmcd_t] [modules_object_t] : [dir] { search };
allow [pcp_pmcd_t] [modules_object_t] : [file] { getattr open read };
allow [pcp_pmcd_t] [saslauthd_t] : [unix_stream_socket] { connectto };
- allow [pcp_pmproxy_t] self : [capability] { net_admin };
+ allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin };
allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
allow [pcp_pmproxy_t] [sysctl_net_t] : [dir] { search };
allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
@@ -109,4 +119,5 @@ decl 1:
allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read };
allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map };
allow [pcp_pmcd_t] self : [capability] { sys_rawio };
+ allow [pcp_pmcd_t] [redis_port_t] : [tcp_socket] { name_connect };
diff -Naurp pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh pcp-4.1.0/src/pmlogger/pmlogger_check.sh
--- pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh 2018-06-12 20:18:14.000000000 +1000
+++ pcp-4.1.0/src/pmlogger/pmlogger_check.sh 2018-09-05 08:47:39.165710353 +1000
@@ -1,6 +1,6 @@
#! /bin/sh
#
-# Copyright (c) 2013-2016 Red Hat.
+# Copyright (c) 2013-2016,2018 Red Hat.
# Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify it
@@ -160,6 +160,13 @@ then
exit
fi
+_compress_now()
+{
+ # If $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now.
+ # Invoked just before exit when this script has finished successfully.
+ $PCP_BINADM_DIR/pmlogger_daily -K $daily_args
+}
+
# after argument checking, everything must be logged to ensure no mail is
# accidentally sent from cron. Close stdout and stderr, then open stdout
# as our logfile and redirect stderr there too.
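Review bot: `_compress_now` reads `$daily_args` at call time, and the hunk at line 229 now calls it from the early-exit branches, whereas the original script only ran `pmlogger_daily -K $daily_args` once at the very end (old line 966). If any part of `daily_args` is assembled between those two points this would pass an incomplete argument list on the early paths; the option parsing is outside this hunk, so that needs confirming. A comment on the function would make the dependency explicit: `# uses $daily_args as built by the option parser; must not be called before that`. The unquoted `$daily_args` is presumably intended to word-split into several options, as it did before.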
@@ -175,10 +182,13 @@ else
_save_prev_file "$PROGLOG"
# After argument checking, everything must be logged to ensure no mail is
# accidentally sent from cron. Close stdout and stderr, then open stdout
- # as our logfile and redirect stderr there too.
+ # as our logfile and redirect stderr there too. Create the log file with
+ # correct ownership first.
#
- # Exception is for -N where we want to see the output
+ # Exception ($SHOWME, above) is for -N where we want to see the output.
#
+ touch "$PROGLOG"
+ chown $PCP_USER:$PCP_GROUP "$PROGLOG" >/dev/null 2>&1
exec 1>"$PROGLOG" 2>&1
fi
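Review bot: The new `touch`/`chown` pair operates on whatever `$PROGLOG` currently resolves to, and both commands follow an existing symlink by default, so if the log directory is writable by anyone other than the account this script runs as, a pre-existing link at that path would redirect the ownership change; a guard such as `[ -L "$PROGLOG" ] && exit 1` placed before the `touch` is the cheap safeguard, and is moot if the directory is root/PCP-owned only. The chown result is deliberately discarded (to avoid cron mail, per the comment above), but note that with `$PCP_USER` or `$PCP_GROUP` unset the unquoted operand degrades to `:` which chown accepts silently; quoting it as `"$PCP_USER:$PCP_GROUP"` at least keeps it a single argument. The enclosing `if`/`else` starts outside this hunk.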
@@ -219,11 +229,19 @@ fi
if [ $STOP_PMLOGGER = true ]
then
- # if pmlogger has never been started, there's no work to do to stop it
- [ ! -d "$PCP_TMP_DIR/pmlogger" ] && exit
+ # if pmlogger hasn't been started, there's no work to do to stop it
+ # but we still want to compress existing logs, if any
+ if [ ! -d "$PCP_TMP_DIR/pmlogger" ]
+ then
+ _compress_now
+ exit
+ fi
$QUIETLY || $PCP_BINADM_DIR/pmpost "stop pmlogger from $prog"
elif [ $START_PMLOGGER = false ]
then
+ # if we're not going to start pmlogger, there is no work to do other
+ # than compress existing logs, if any.
+ _compress_now
exit
fi
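Review bot: Neither new early-exit branch inspects the outcome of `_compress_now` before `exit`, while the normal path (hunk at line 982) still derives its status from `$tmp/err` after the same call; if a failing `pmlogger_daily -K` is meant to be reported, these two paths now exit without reflecting it. If that is acceptable because these are the "nothing running" cases, a one-line comment saying so would stop the next reader from flagging it: `# compression failures are logged by pmlogger_daily; not fatal here`. The `STOP_PMLOGGER` test's enclosing context starts before the hunk.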
@@ -964,10 +982,8 @@ then
fi
fi
-# and if $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now ...
-#
-$PCP_BINADM_DIR/pmlogger_daily -K $daily_args
-
+# Prior to exiting we compress existing logs, if any. See pmlogger_daily -K
+_compress_now
[ -f $tmp/err ] && status=1
exit
diff -Naurp pcp-4.1.0-orig/src/selinux/GNUlocaldefs pcp-4.1.0/src/selinux/GNUlocaldefs
--- pcp-4.1.0-orig/src/selinux/GNUlocaldefs 2018-05-08 09:38:33.000000000 +1000
+++ pcp-4.1.0/src/selinux/GNUlocaldefs 2018-09-05 08:45:27.409553808 +1000
@@ -44,6 +44,7 @@ endif
ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true"
PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc"
PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;"
+PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;"
endif
ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true"
@@ -56,7 +57,7 @@ ifeq "$(PCP_SELINUX_TRACEFS)" "true"
PCP_TRACEFS="type tracefs_t\;"
PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;"
PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;"
-PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { read open append }\;"
+PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;"
endif
ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true"
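Review bot: `PCP_TRACEFS_FILE_RULE` now grants `write` (and `getattr`) on tracefs files to pcp_pmcd_t, but neither this hunk nor the matching `@PCP_TRACEFS_FILE_RULE@` site in pcpupstream.te.in (old line 183) records the denial that needed it; the only AVC quoted there is an `open` for pmdaperfevent. Writes to tracefs change kernel tracing state, so this deserves the same `#type=AVC ...` line the other rules carry, or at least `# pmda.gfs2: writes <tracefs path — fill in>`. The same missing-rationale applies to the debugfs `append`/`write` and `ipc_lock` additions (te.in hunk at old line 117), to `fowner dac_override` for pcp_pmie_t (old line 266) and to `dac_override` for pcp_pmproxy_t (old line 336), whose quoted AVC covers only `net_admin`; dac_override in particular bypasses discretionary permission checks for the whole domain, so it is worth checking whether a narrower file-type rule would satisfy the triggering access instead.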
diff -Naurp pcp-4.1.0-orig/src/selinux/GNUmakefile pcp-4.1.0/src/selinux/GNUmakefile
--- pcp-4.1.0-orig/src/selinux/GNUmakefile 2018-06-04 16:09:25.000000000 +1000
+++ pcp-4.1.0/src/selinux/GNUmakefile 2018-09-05 08:45:27.409553808 +1000
@@ -51,6 +51,7 @@ $(IAM).te: $(IAM).te.in
-e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \
-e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \
-e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \
+ -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \
-e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \
-e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \
-e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \
diff -Naurp pcp-4.1.0-orig/src/selinux/pcpupstream.te.in pcp-4.1.0/src/selinux/pcpupstream.te.in
--- pcp-4.1.0-orig/src/selinux/pcpupstream.te.in 2018-05-09 07:50:53.000000000 +1000
+++ pcp-4.1.0/src/selinux/pcpupstream.te.in 2018-09-05 08:45:27.410553794 +1000
@@ -29,13 +29,13 @@ require {
type configfs_t; # pcp-lio
type modules_conf_t; # pcp-lio
type saslauthd_t; # pcp-lio
- type modules_object_t; # pcp-lio
+ type modules_object_t; # pcp-lio, pcp.bcc
@PCP_NSFS_T@
type nfsd_fs_t; #RHBZ1515928
type pcp_pmie_exec_t; # pmdasummary
@PCP_SYSTEMCTL_UNIT_FILE_T@
@PCP_SYSTEMCTL_EXEC_T@
- type debugfs_t; # pmdalibvirt
+ type debugfs_t; # pmdalibvirt pmda.gfs2 pmda.bcc
type unconfined_t; #RHBZ1443632
type devlog_t; #RHBZ1449671
@PCP_UNRESERVED_PORT@
@@ -53,6 +53,7 @@ require {
@PCP_MOCK_VAR_LIB@
type ldconfig_exec_t;
type httpd_t;
+ type redis_port_t;
type zabbix_port_t;
type sysfs_t; #RHBZ1545245
type hugetlbfs_t;
@@ -68,12 +69,18 @@ require {
type kernel_t;
type mozilla_plugin_t;
type fsadm_exec_t;
+ type tracefs_t; # pmda.gfs2
+ type system_map_t; # pmda.bcc
+ type sysctl_irq_t; # pmda.bcc
+ type gpsd_t; #RHBZ1594991
+ type default_t;
+ type home_bin_t;
class sem { unix_read associate getattr };
class lnk_file { read getattr };
class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
class dir { add_name open read search write getattr };
class unix_stream_socket connectto;
- class capability { kill sys_ptrace net_admin chown sys_chroot ipc_owner sys_resource fowner sys_rawio fsetid };
+ class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
@PCP_CAPUSERNS_PTRACE@
class chr_file { open write };
class fifo_file { getattr read open unlink }; # qa/455
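Review bot: `type default_t;` and `type home_bin_t;` are the only new require entries without the component or bug tag that every neighbouring line carries, which makes them hard to retire later; `type default_t; # <component/bugzilla — fill in>` (and the same for home_bin_t) keeps the file's convention. default_t is also the label files fall back to when nothing more specific applies, so recording which path produced it matters more than for the well-known types added above it.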
@@ -117,19 +124,18 @@ allow pcp_pmcd_t svirt_sandbox_file_t:di
allow pcp_pmcd_t sysctl_net_t:dir search;
allow pcp_pmcd_t sysctl_net_t:file { getattr open read };
allow pcp_pmcd_t user_home_t:file { execute execute_no_trans open read };
-allow pcp_pmcd_t debugfs_t:dir read;
-allow pcp_pmcd_t debugfs_t:file { getattr ioctl open read };
+allow pcp_pmcd_t debugfs_t:dir { read search };
+allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
#type=AVC msg=audit(1463754714.313:316): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
#type=AVC msg=audit(1491576442.619:1738169): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
#type=AVC msg=audit(1498833776.957:2094): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
-allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_owner chown kill sys_resource };
+allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource };
#type=AVC msg=audit(1491581538.561:10949): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
allow pcp_pmcd_t initctl_t:fifo_file getattr;
-#type=AVC msg=audit(1491581538.561:10950): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532007 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1
allow pcp_pmcd_t proc_kcore_t:file getattr;
#type=AVC msg=audit(1491581538.587:10952): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
@@ -183,7 +189,7 @@ allow pcp_pmcd_t hostname_exec_t:file {
#type=AVC msg=audit(1498845911.360:7647): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
@PCP_TRACEFS_FILE_RULE@
-allow pcp_pmcd_t gconf_home_t:dir search;
+allow pcp_pmcd_t gconf_home_t:dir { getattr open read search };
allow pcp_pmcd_t virt_etc_t:dir search;
allow pcp_pmcd_t virt_etc_t:file { read open };
allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
@@ -222,7 +228,8 @@ allow pcp_pmcd_t httpd_t:sem { unix_read
#RHBZ1545245
allow pcp_pmcd_t sysfs_t:dir write;
-#allow pcp_pmcd_t modules_object_t:lnk_file read;
+# pmda.bcc
+allow pcp_pmcd_t modules_object_t:lnk_file read;
allow pcp_pmcd_t hugetlbfs_t:dir { open read };
allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };
@@ -241,6 +248,21 @@ allow pcp_pmcd_t glusterd_var_lib_t:dir
#RHBZ1565158
allow pcp_pmcd_t mozilla_plugin_t:sem unix_read;
+#pmda.bcc
+allow pcp_pmcd_t self:process { execmem setrlimit };
+#type=AVC msg=audit(1530448398.992:231): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
+allow pcp_pmcd_t system_map_t:file { ioctl open read };
+
+allow pcp_pmcd_t sysctl_irq_t:dir { search };
+
+#RHBZ1592901
+allow pcp_pmcd_t init_t:shm unix_read;
+
+#RHBZ1594991
+allow pcp_pmcd_t gpsd_t:shm { associate getattr };
+
+allow pcp_pmcd_t default_t:file getattr;
+
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
allow pcp_pmlogger_t self:capability kill;
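Review bot: `allow pcp_pmcd_t self:process { execmem setrlimit };` is the most consequential line under the new `#pmda.bcc` tag and the one without an audit record: execmem permits mappings that are both writable and executable, and since the PMDAs in this policy run in pcp_pmcd_t that relaxation applies to every agent pmcd loads, not only the BCC one. Please attach the `#type=AVC ...` line that produced it and name the component that needs it (presumably a JIT in the BCC stack, but that is not shown here) so the grant can be revisited if pmda.bcc is later confined separately. The `sysctl_irq_t` and `default_t` rules in the same block would benefit from the same one-line provenance; `system_map_t` already has it.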
@@ -257,7 +279,6 @@ allow pcp_pmlogger_t devlog_t:lnk_file r
allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid };
## type=AVC msg=audit(04/19/2017 16:57:40.120:11020) : avc: denied { signal } for pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
-
allow pcp_pmlogger_t unconfined_t:process signal;
#type=AVC msg=audit(1503321970.417:261): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
@@ -266,17 +287,23 @@ allow pcp_pmlogger_t pcp_pmlogger_exec_t
#type=AVC msg=audit(1493690261.688:262): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket
allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
+#type=AVC msg=audit(1533291591.092:495620): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;
+
#RHBZ1488116
#type=AVC msg=audit(1504516526.487:431): avc: denied { search } for pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
allow pcp_pmlogger_t user_home_dir_t:dir search;
-
#RHBZ1547066
allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto;
+
+allow pcp_pmlogger_t home_bin_t:dir search;
+
+
#============= pcp_pmie_t ==============
allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read @PCP_HOSTNAME_EXEC_MAP@ };
#type=AVC msg=audit(1498847682.537:15753): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
-allow pcp_pmie_t self:capability { chown kill net_admin sys_ptrace };
+allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };
#type=AVC msg=audit(04/05/2017 10:24:45.084:351) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
allow pcp_pmie_t init_t:unix_stream_socket connectto;
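Review bot: The quoted AVC behind `allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;` shows `/run/pcp/pmcd.socket` carrying `unconfined_t`, which indicates the pmcd in that run was started from an unconfined shell rather than via the service; the rule that results lets pcp_pmlogger_t connect to any unconfined_t stream socket, not just pmcd's. If the socket carries a PCP-specific type when pmcd is started normally, this rule may be unnecessary; otherwise a comment should record that it exists for the unconfined-started case, e.g. `# pmcd started interactively: socket is unconfined_t, not a PCP type`. `allow pcp_pmlogger_t home_bin_t:dir search;` also lacks any tag or record, unlike the rules around it.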
@@ -319,6 +346,9 @@ allow pcp_pmie_t pcp_pmcd_t:process sign
#RHBZ1547066
allow pcp_pmie_t init_exec_t:file getattr;
+
+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@
+allow pcp_pmie_t user_home_dir_t:dir search;
#============= pmda-lio ==============
allow pcp_pmcd_t configfs_t:dir { open read search };
allow pcp_pmcd_t configfs_t:file { getattr open read };
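Review bot: The `#============= pmda-lio ==============` section header now follows the new `user_home_dir_t` rule with no separating blank line, unlike every other section boundary in this file; a blank line between them keeps the sections visually distinct. `@PCP_CAPUSERNS_PTRACE_RULE_PMIE@` expands to nothing unless `PCP_SELINUX_CAP_USERNS_PTRACE` is true (GNUlocaldefs hunk above), mirroring how `@PCP_CAPUSERNS_PTRACE_RULE@` is handled, so a short comment such as `# empty unless PCP_SELINUX_CAP_USERNS_PTRACE (see GNUlocaldefs)` would save readers a trip to the build files.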
@@ -336,7 +366,7 @@ allow pcp_pmcd_t saslauthd_t:unix_stream
#============= pcp_pmproxy_t ==============
#type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
-allow pcp_pmproxy_t self:capability net_admin;
+allow pcp_pmproxy_t self:capability { net_admin dac_override };
#type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { read } for pid=6669 comm=pmproxy name=disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
#type=AVC msg=audit(04/05/2017 10:24:45.771:356) : avc: denied { open } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
@@ -373,3 +403,7 @@ allow pcp_pmmgr_t zabbix_port_t:tcp_sock
allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
@PCP_FSADM_EXEC_MAP_RULE@
allow pcp_pmcd_t self:capability sys_rawio;
+
+#============= pmda-redis ==============
+#type=AVC msg=audit(1533183330.416:362367): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
+allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;
diff -Naurp pcp-4.1.0-orig/src/selinux/README pcp-4.1.0/src/selinux/README
--- pcp-4.1.0-orig/src/selinux/README 2017-11-29 14:33:29.000000000 +1100
+++ pcp-4.1.0/src/selinux/README 2018-09-05 08:45:27.410553794 +1000
@@ -102,14 +102,16 @@ In general usage, the only portion we ca
SELinux manages a list of 'contexts' and how contexts are allowed to interact with each other.
-For example, it makes sense that the 'pcp_pmlogger_t' context to be
-able to read and write to pcp log files with a 'pcp_log_t' context.
-However, it doesn't make sense for 'pcp_pmlogger_t' to write to apache
+For example, it makes sense for the 'pcp_pmlogger_t' context to be
+able to read and write to PCP log files with a 'pcp_log_t' context.
+However, it doesn't make sense for 'pcp_pmlogger_t' to write to Apache
log files, which have a 'httpd_log_t' context.
-Where this can be of focus for PCP is various pmda's gathering metrics from domains. And, using the example
-with apache earlier, many of these files have different contexts. We need to document these accesses and
-why they're required, building our own policy package for inclusion in the running policy.
+Where this can be of focus for PCP is various PMDA's gathering metrics
+from domains. And, using the example with Apache earlier, many of these
+files have different contexts. We need to document these accesses and
+why they're required, building our own policy package for inclusion in
+the running policy.
== Testing ==
@@ -143,4 +145,4 @@ http://equivocation.org/node/24
http://equivocation.org/node/27
http://equivocation.org/node/42
http://equivocation.org/node/51
-http://equivocation.org/node/52
\ No newline at end of file
+http://equivocation.org/node/52