diff --git a/SOURCES/selinux-override.patch b/SOURCES/selinux-override.patch
new file mode 100644
index 0000000..2f96ef6
--- /dev/null
+++ b/SOURCES/selinux-override.patch
@@ -0,0 +1,73 @@
+diff -Naurp pcp-4.3.2.orig/configure pcp-4.3.2/configure
+--- pcp-4.3.2.orig/configure 2019-04-09 10:48:01.000000000 +1000
++++ pcp-4.3.2/configure 2019-08-22 09:52:36.344782796 +1000
+@@ -961,7 +961,6 @@ infodir
+ docdir
+ oldincludedir
+ includedir
+-runstatedir
+ localstatedir
+ sharedstatedir
+ sysconfdir
+@@ -1111,7 +1110,6 @@ datadir='${datarootdir}'
+ sysconfdir='${prefix}/etc'
+ sharedstatedir='${prefix}/com'
+ localstatedir='${prefix}/var'
+-runstatedir='${localstatedir}/run'
+ includedir='${prefix}/include'
+ oldincludedir='/usr/include'
+ docdir='${datarootdir}/doc/${PACKAGE}'
+@@ -1364,15 +1362,6 @@ do
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+ 
+- -runstatedir | --runstatedir | --runstatedi | --runstated \
+- | --runstate | --runstat | --runsta | --runst | --runs \
+- | --run | --ru | --r)
+- ac_prev=runstatedir ;;
+- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+- | --run=* | --ru=* | --r=*)
+- runstatedir=$ac_optarg ;;
+-
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+@@ -1510,7 +1499,7 @@ fi
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+- libdir localedir mandir runstatedir
++ libdir localedir mandir
+ do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+@@ -1663,7 +1652,6 @@ Fine tuning of the installation director
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+@@ -11831,7 +11819,7 @@ pcp_selinux_docker_var_lib=false
+ pcp_selinux_svirt_lxc_net=false
+ pcp_selinux_systemd_unit_file=false
+ pcp_selinux_systemd_exec=false
+-pcp_selinux_tracefs=false
++pcp_selinux_tracefs=true
+ pcp_selinux_unreserved_port=false
+ pcp_selinux_sock_file_getattr=false
+ pcp_selinux_hostname_exec_map=false
+diff -Naurp pcp-4.3.2.orig/configure.ac pcp-4.3.2/configure.ac
+--- pcp-4.3.2.orig/configure.ac 2019-04-09 10:48:01.000000000 +1000
++++ pcp-4.3.2/configure.ac 2019-08-22 09:52:34.456807609 +1000
+@@ -1939,7 +1939,7 @@ pcp_selinux_docker_var_lib=false
+ pcp_selinux_svirt_lxc_net=false
+ pcp_selinux_systemd_unit_file=false
+ pcp_selinux_systemd_exec=false
+-pcp_selinux_tracefs=false
++pcp_selinux_tracefs=true
+ pcp_selinux_unreserved_port=false
+ pcp_selinux_sock_file_getattr=false
+ pcp_selinux_hostname_exec_map=false
diff --git a/SOURCES/selinux-policy.patch b/SOURCES/selinux-policy.patch
new file mode 100644
index 0000000..34d7299
--- /dev/null
+++ b/SOURCES/selinux-policy.patch
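Review bot: Hard-wiring `pcp_selinux_tracefs=true` in both configure and configure.ac means the generated policy carries `type tracefs_t;` in its `require` block and the `allow pcp_pmcd_t tracefs_t:filesystem mount;` rule on every build, and on a target whose base policy does not define that type the module should fail to link, at which point qa/917 reports `_notrun "upstream policy package not loaded"` instead of a failure and the breakage is hidden. If the reason is that the build host's policy cannot be trusted for detection (a mock chroot, presumably), record it on the assignment itself: `pcp_selinux_tracefs=true	# forced: build-host detection is unreliable, target policy is expected to define tracefs_t`. The remainder of the patch strips `--runstatedir` from the generated configure, which is unrelated to SELinux, so a short header comment in the patch naming both purposes would help the next packager. Any later detection code that may override this default lies outside the hunk.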
@@ -0,0 +1,1223 @@ +diff -Naurp pcp-4.3.2.orig/qa/917 pcp-4.3.2/qa/917 +--- pcp-4.3.2.orig/qa/917 2018-11-27 10:46:07.000000000 +1100 ++++ pcp-4.3.2/qa/917 2019-08-08 15:22:24.520841699 +1000 +@@ -21,6 +21,7 @@ which seinfo >/dev/null 2>&1 || _notrun + ( seinfo -t 2>&1 | grep 'Default policy search failed: No such file or directory' >/dev/null ) && _notrun "seinfo version bad: can't load default policy" + [ -f "$policy_file" ] || _notrun "upstream policy package not installed" + $sudo semodule -l 2>&1 | grep -q $policy_name || _notrun "upstream policy package not loaded" ++[ -f $PCP_INC_DIR/builddefs ] || _notrun "No $PCP_INC_DIR/builddefs" + + seinfo --common >/dev/null 2>&1 + if [ $? -eq 0 ] +@@ -29,30 +30,6 @@ then + else + common_flag="" + fi +-nsfs_t=`seinfo -t | grep 'nsfs_t$'` +-docker_var_lib_t="" +-svirt_lxc_net_t=`seinfo -t | grep "svirt_lxc_net_t$"` +-systemd_systemctl_exec_t=`seinfo -t | grep "systemd_systemctl_exec_t$"` +-systemd_systemctl_unit_file_t=`seinfo -t | grep "systemd_unit_file_t$"` +-systemd_systemctl_unit_dir_t=`seinfo -t | grep "systemd_unit_dir_t$"` +-devlog_t=`seinfo -t | grep "devlog_t$"` +-init_t=`seinfo -t | grep "init_t$"` +-cap_userns_ptrace=`seinfo --class=cap_userns $common_flag -x 2>&1 | grep "sys_ptrace$"` +-unreserved_port_t=`seinfo -t | grep "unreserved_port_t$"` +-tracefs_t=`seinfo -t | grep "tracefs_t$"` +-class_status=`seinfo -x --class=system $common_flag | grep "status$"` +-sock_file_getattr=`seinfo -x --class=sock_file $common_flag | grep "getattr$"` +-hostname_exec_map_a=`seinfo -x --class=file $common_flag | grep "map$"` +-hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"` +-#container_runtime_tmpfs_t=`seinfo -t | grep "container_runtime_tmpfs_t$"` +-container_runtime_tmpfs_t="" +-unconfined_service=`seinfo -t | grep "unconfined_service_t$"` +-mock_var_lib=`seinfo -t | grep "mock_var_lib_t$"` +-numad_context=`seinfo -t | grep "numad_t$"` +-bpf_class=`seinfo -x --class=bpf $common_flag 2>/dev/null | 
grep "class bpf"` +-wap_port_type=`seinfo -t | grep "wap_wsp_port_t$"` +-non_auth_type=`seinfo -a | grep "non_auth_file_type$"` +-non_security_type=`seinfo -a | grep "non_security_file_type$"` + + _filter_semodule() + { +@@ -69,98 +46,132 @@ _filter_sedismod1() + } + _filter_outfile() + { +- awk -v container_t="$container_runtime_t" \ +- -v container_tmpfs_t="$container_runtime_tmpfs_t" \ +- -v nsfs_t="$nsfs_t" \ +- -v docker_var_lib_t="$docker_var_lib_t" \ +- -v svirt_lxc_net_t="$svirt_lxc_net_t" \ +- -v class_status="$class_status" \ +- -v systemd_systemctl_exec_t="$systemd_systemctl_exec_t" \ +- -v systemd_systemctl_unit_file_t="$systemd_systemctl_unit_file_t" \ +- -v systemd_systemctl_unit_dir_t="$systemd_systemctl_unit_dir_t" \ +- -v devlog_t="$devlog_t" \ +- -v init_t="$init_t" \ +- -v cap_userns_ptrace="$cap_userns_ptrace" \ +- -v unreserved_port_t="$unreserved_port_t" \ +- -v tracefs_t="$tracefs_t" \ +- -v sock_file_getattr="$sock_file_getattr" \ +- -v hostname_exec_map_a="$hostname_exec_map_a" \ +- -v hostname_exec_map_b="$hostname_exec_map_b" \ +- -v unconfined_service="$unconfined_service" \ +- -v mock_var_lib="$mock_var_lib" \ +- -v numad_context="$numad_context" \ +- -v bpf_class="$bpf_class" \ +- -v wap_port_type="$wap_port_type" \ +- -v non_auth_type="$non_auth_type" \ +- -v non_security_type="$non_security_type" \ +- '{ +- if (container_t == "" && /container_runtime_t /) +- !/container_runtime_t / ; +- else if (container_tmpfs_t == "" && /container_runtime_tmpfs_t/) +- !/container_runtime_tmpfs_t/ ; +- else if (nsfs_t == "" && /nsfs_t/) +- !/nsfs_t/ ; +- else if (docker_var_lib_t == "" && /docker_var_lib_t/) +- !/docker_var_lib_t/ ; +- else if (svirt_lxc_net_t == "" && /svirt_lxc_net_t/) +- !/svirt_lxc_net_t/ ; +- else if (systemd_systemctl_exec_t == "" && /systemd_systemctl_exec_t/) +- !/systemd_systemctl_exec_t/ ; +- else if (systemd_systemctl_unit_file_t == "" && /systemd_unit_file_t/) +- !/systemd_unit_file_t/ ; +- else if 
(systemd_systemctl_unit_dir_t == "" && /systemd_unit_dir_t/) +- !/systemd_unit_dir_t/ ; +- else if (devlog_t == "" && /devlog_t/) +- !/devlog_t/ ; +- else if (init_t == "" && /init_t/) +- !/init_t/ ; +- else if (cap_userns_ptrace == "" && /cap_userns/) +- !/cap_userns/ ; +- else if (unreserved_port_t == "" && /unreserved_port_t/) +- !/unreserved_port_t/ ; +- else if (tracefs_t == "" && /tracefs_t/) +- !/tracefs_t/ ; +- else if (class_status == "" && /system.*status/) +- !/system.*status/ ; +- else if (sock_file_getattr == "" && /gpmctl_t/) +- !/gpmctl_t/ ; +- else if (unconfined_service == "" && /unconfined_service_t/) +- !/unconfined_service_t/ ; +- else if (mock_var_lib == "" && /mock_var_lib_t/) +- !/mock_var_lib_t/ ; +- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /ldconfig_exec_t/ && /map/) +- !/ldconfig_exec_t/ ; +- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_tmp_t/ && /map/) +- !/pcp_tmp_t/ ; +- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /fsadm_exec_t/ && /map/) +- !/fsadm_exec_t/ ; +- else if (numad_context == "" && /numda_t/) +- !/numad_t/ ; +- else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) { +- printf(" allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n") +- } +- else if (bpf_class == "" && /bpf/) +- !/bpf/ ; +- else if (wap_port_type == "" && /wap_wsp_port_t/) +- !/wap_wsp_port_t/ ; +- else if (non_auth_type == "" && /non_auth_file_type/) +- !/non_auth_file_type/ ; +- else if (non_auth_type != "" && /non_security_file_type/) +- !/non_security_file_type/ ; +- else +- print; +- }' ++ sed -f $tmp.sed + } + + status=1 # failure is the default! 
+ $sudo rm -rf $tmp $tmp.* $seq.full + trap "cd $here; $sudo rm -rf $tmp $tmp.*; exit \$status" 0 1 2 3 15 +-echo > $seq.full + +-cat $seq.out.in | _filter_outfile > $seq.out ++# use logic from configure.ac to build list of optional types that are ++# not present on this system and need to be culled from $seq.out.in ++# ++seinfo -t >$tmp.types ++echo '/^#/d' >$tmp.sed ++echo '/^!/s// /' >>$tmp.sed ++for type in container_runtime_t nsfs_t docker_var_lib_t unreserved_port_t \ ++ tracefs_t unconfined_service_t numad_t rpm_var_lib_t \ ++ virt_var_run_t ++do ++ if grep "^[ ][ ]*$type\$" $tmp.types >/dev/null ++ then ++ : ++ else ++ echo "/^ *$type\$/d" >>$tmp.sed ++ # and some missing types => associated rules need to be culled or ++ # edited ++ # ++ case "$type" ++ in ++ nsfs_t) ++ echo '/allow \[pcp_pmcd_t] \[nsfs_t]/d' >>$tmp.sed ++ ;; ++ unreserved_port_t) ++ echo '/allow \[pcp_pmcd_t] \[unreserved_port_t]/d' >>$tmp.sed ++ echo '/allow \[pcp_pmmgr_t] \[unreserved_port_t]/d' >>$tmp.sed ++ ;; ++ tracefs_t) ++ echo '/allow \[pcp_pmcd_t] \[tracefs_t]/d' >>$tmp.sed ++ ;; ++ unconfined_service_t) ++ echo '/allow \[pcp_pmlogger_t] \[unconfined_service_t]/d' >>$tmp.sed ++ echo '/allow \[pcp_pmie_t] \[unconfined_service_t]/d' >>$tmp.sed ++ ;; ++ numad_t) ++ echo '/allow \[pcp_pmcd_t] \[numad_t]/d' >>$tmp.sed ++ ;; ++ rpm_var_lib_t) ++ echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t]/d' >>$tmp.sed ++ ;; ++ virt_var_run_t) ++ echo '/allow \[pcp_pmcd_t] \[virt_var_run_t]/d' >>$tmp.sed ++ ;; ++ esac ++ fi ++done ++ ++# now the class ones ... 
also using logic from configure.ac ++# ++if seinfo -x --class=cap_userns $common_flag 2>&1 \ ++ | grep '^[ ][ ]*sys_ptrace$' >/dev/null ++then ++ : ++else ++ echo '/allow \[pcp_pmie_t] .*\[cap_userns]/d' >>$tmp.sed ++fi ++ ++if seinfo -x --class=file $common_flag 2>&1 \ ++ | grep '^[ ][ ]*map$' >/dev/null ++then ++ : ++elif seinfo -x --common file 2>&1 \ ++ | grep '^[ ][ ]*map$' >/dev/null ++then ++ : ++else ++ # if no map, need to cull these one as map is the only permission ++ # ++ echo '/allow \[pcp_pmcd_t] \[ldconfig_exec_t] : \[file].* map/d' >>$tmp.sed ++ echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t] : \[file].* map/d' >>$tmp.sed ++ echo '/allow \[pcp_pmcd_t] \[default_t] : \[file].* map/d' >>$tmp.sed ++ # strip "map" from permissions for others ++ # ++ echo '/\[pcp_pmie_exec_t] .*\[file]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmcd_t] .*\[file]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmie_t] .*\[hostname_exec_t]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmcd_t] \[fsadm_exec_t]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmcd_t] \[default_t]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmcd_t] \[pcp_pmie_exec_t]/s/ map / /' >>$tmp.sed ++ echo '/\[pcp_pmcd_t] \[pcp_tmp_t]/s/ map / /' >>$tmp.sed ++fi ++ ++if seinfo -x --class=bpf $common_flag 2>&1 \ ++ | grep '^[ ][ ]*class bpf$' >/dev/null ++then ++ : ++else ++ echo '/allow \[pcp_pmcd_t] .*\[bpf]/d' >>$tmp.sed ++fi ++ ++if seinfo -x --class=capability2 $common_flag 2>&1 \ ++ | grep '^[ ][ ]*syslog$' >/dev/null ++then ++ : ++else ++ echo '/allow \[pcp_pmcd_t\] .*\[capability2\]/d' >>$tmp.sed ++fi ++ ++if seinfo -a 2>&1 \ ++ | grep '^[ ][ ]*non_auth_file_type$' >/dev/null ++then ++ echo '/allow \[pcp_domain] \[non_security_file_type]/d' >>$tmp.sed ++else ++ echo '/allow \[pcp_domain] \[non_auth_file_type]/d' >>$tmp.sed ++fi ++ ++if grep 'PCP_SELINUX_FILES_MMAP_ALL_FILES[ ]*=[ ]*true' $PCP_INC_DIR/builddefs >/dev/null 2>&1 ++then ++ : ++else ++ echo '/allow \[pcp_domain] \[file_type] : \[file].* map/d' >>$tmp.sed ++fi ++ ++cat 
$tmp.sed >>$seq.full ++ ++cat $seq.out.in | _filter_outfile >$seq.out + + echo "full policy modules list on the system" +-$sudo semodule -l >> $seq.full ++$sudo semodule -l >>$seq.full + echo "Checking that pcpupstream policy module has been properly installed" + awk '{ print $1 }' $seq.full | grep "pcpupstream$" | _filter_semodule + # real QA test starts here +diff -Naurp pcp-4.3.2.orig/qa/917.out.in pcp-4.3.2/qa/917.out.in +--- pcp-4.3.2.orig/qa/917.out.in 2019-04-26 09:57:42.000000000 +1000 ++++ pcp-4.3.2/qa/917.out.in 2019-08-08 15:22:24.520841699 +1000 +@@ -3,6 +3,17 @@ full policy modules list on the system + Checking that pcpupstream policy module has been properly installed + pcpupstream + Checking policies. ++# Notes ++# - lines begining # are comments for PCP QA developers and will be ++# stripped when creating 917.out from this file ++# - lines beginning ! in the block below are places where the rules ++# are conditional, and the 917 script needs to mimic the configuration ++# changes that are driven from configure.ac (see the pcp_selinux_* ++# macro settings), and src/selinux/GNUlocaldefs (see the PCP_* macro ++# settings) ++# - otherwise lines in the block below come from ++# src/selinux/pcpupstream.te.in (after macro substitution) ++# + --- begin avrule block --- + decl 1: + allow [init_t] [pcp_log_t] : [dir] { read }; +@@ -14,32 +25,32 @@ decl 1: + allow [init_t] [system_cronjob_t] : [dbus] { send_msg }; + allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans }; + allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write }; +- allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read }; ++! 
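Review bot: The `capability2` sed expression escapes the closing brackets, `'/allow \[pcp_pmcd_t\] .*\[capability2\]/d'`, while every other expression written into `$tmp.sed` in this hunk uses a bare `]`; GNU sed happens to treat `\]` as a literal `]`, but it is undefined in POSIX BRE and reads as a different author's convention, so write it as `'/allow \[pcp_pmcd_t] .*\[capability2]/d'`. Each `seinfo ... 2>&1 | grep` check also pipes seinfo's diagnostics into grep, so an unknown `--class` or a broken policy load is silently treated as "permission absent" and the matching fixture lines are culled; that is presumably the intended fallback, but a comment such as `# seinfo errors (unknown class) fall through to the cull branch` would make it deliberate rather than accidental. The surrounding test script continues in the previous hunk, where `$tmp` and `$seq` are set.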
allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map }; + allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink }; + allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr }; + allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource }; +- allow [pcp_pmcd_t] [nsfs_t] : [file] { open read }; +- allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect }; +- allow [pcp_pmcd_t] [svirt_lxc_net_t] : [dir] { open read search }; ++! allow [pcp_pmcd_t] [nsfs_t] : [file] { open read }; ++! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect }; + allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect }; +- allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans }; +- allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { map }; ++! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map }; + allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read }; +- allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount }; +- allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write }; ++! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount }; ++! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search }; ++! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write }; + allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write }; + allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write }; +- allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map }; ++! allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map }; + allow [pcp_pmcd_t] [sysfs_t] : [dir] { write }; + allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read }; + allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read }; + allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read }; +- allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read }; ++! 
allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read }; + allow [pcp_pmcd_t] [glusterd_log_t] : [file] { open read write }; + allow [pcp_pmcd_t] self : [process] { execmem setrlimit ptrace }; + allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search }; +- allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run }; ++! allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run }; + allow [pcp_pmcd_t] [kernel_t] : [process] { signull }; ++! allow [pcp_pmcd_t] self : [capability2] { syslog }; + allow [pcp_pmcd_t] [kernel_t] : [system] { module_request }; + allow [pcp_pmcd_t] [su_exec_t] : [file] { execute }; + allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write }; +@@ -48,26 +59,30 @@ decl 1: + allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal }; + allow [pcp_pmlogger_t] [unconfined_service_t] : [process] { signal }; + allow [pcp_pmlogger_t] [user_tmp_t] : [file] { setattr unlink }; +- allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map }; ++! allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map }; + allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner }; + allow [pcp_pmie_t] [proc_net_t] : [file] { read }; +- allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace }; ++! 
allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace }; + allow [pcp_pmie_t] [unconfined_t] : [process] { signal }; + allow [pcp_pmie_t] [unconfined_service_t] : [process] { signal }; +- allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search }; +- allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read }; ++ allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search write }; ++ allow [pcp_pmcd_t] [configfs_t] : [file] { getattr ioctl open read }; + allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr }; + allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read }; + allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin }; + allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read }; + allow [pcp_pmproxy_t] [proc_net_t] : [file] { read }; +- allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind }; ++! allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind }; + allow [pcp_pmmgr_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read }; +- allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read }; +- allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map }; +- allow [pcp_pmcd_t] [default_t] : [file] { execute map }; ++ allow [pcp_pmmgr_t] self : [capability] { dac_override }; ++! allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read map }; ++! allow [pcp_pmcd_t] [default_t] : [file] { execute map }; + allow [pcp_pmcd_t] self : [capability] { sys_rawio }; +- allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl }; ++! allow [pcp_pmcd_t] [rpm_var_lib_t] : [file] { map }; ++! allow [pcp_pmcd_t] [virt_var_run_t] : [sock_file] { write }; ++! allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl }; ++! allow [pcp_domain] [non_security_file_type] : [dir] { open search getattr }; ++! 
allow [pcp_domain] [non_security_file_type] : [dir] { open read search getattr lock ioctl }; + allow [pcp_pmcd_t] [file_type] : [dir] { open read search getattr lock ioctl }; + allow [pcp_pmcd_t] [file_type] : [dir] { open search getattr }; + allow [pcp_pmcd_t] [file_type] : [file] { getattr ioctl lock open read }; +@@ -93,6 +108,7 @@ decl 1: + allow [pcp_domain] [userdomain] : [sem] { unix_read associate getattr read }; + allow [pcp_domain] [domain] : [unix_stream_socket] { connectto }; + allow [pcp_domain] [port_type] : [tcp_socket] { name_connect }; ++! allow [pcp_domain] [file_type] : [file] { map }; + --- begin avrule block --- + decl 2: + allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; +diff -Naurp pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python +--- pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python 2018-09-18 16:41:15.000000000 +1000 ++++ pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python 2019-08-08 15:31:12.058022014 +1000 +@@ -323,6 +323,11 @@ class PCPBCCBase(object): + else: + return "0.5.0" + ++ @staticmethod ++ def bcc_version_tuple(): ++ """ Returns BCC version as an int tuple (for comparisons) """ ++ return tuple(map(int, PCPBCCBase.bcc_version().split('.'))) ++ + def perf_buffer_poller(self): + """ BPF poller """ + try: +@@ -365,7 +370,10 @@ class PCPBCCBase(object): + Compat: bcc < 0.6.0 + source: https://github.com/iovisor/bcc/blame/master/src/python/bcc/__init__.py + """ +- return self.get_syscall_prefix() + name ++ if hasattr(self.bpf, 'get_syscall_fnname'): ++ return self.bpf.get_syscall_fnname(name) ++ else: ++ return self.get_syscall_prefix() + name + + def get_kprobe_functions(self, event_re): + """ +diff -Naurp pcp-4.3.2.orig/src/selinux/GNUlocaldefs pcp-4.3.2/src/selinux/GNUlocaldefs +--- pcp-4.3.2.orig/src/selinux/GNUlocaldefs 2019-04-16 11:43:42.000000000 +1000 ++++ pcp-4.3.2/src/selinux/GNUlocaldefs 2019-08-08 15:30:17.502036498 +1000 +@@ -1,101 +1,68 @@ + ifeq 
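Review bot: The new expected lines `allow [pcp_pmmgr_t] self : [capability] { dac_override }` and `allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search write }` codify two genuinely new grants, a DAC-bypass capability for pmmgr and write access to configfs directories for pmcd, yet nothing in the hunk records which PMDA or bug motivated them, whereas the neighbouring rules in pcpupstream.te.in carry `#RHBZ...` annotations. The fixture cannot hold the reason, but the corresponding `.te.in` rules (outside the visible hunks) should, e.g. `allow pcp_pmmgr_t self:capability dac_override; # <bug id / reason>`. Separately, the `allow [pcp_pmlogger_t] [unconfined_service_t]` and `allow [pcp_pmie_t] [unconfined_service_t]` lines stay unmarked although qa/917 now deletes them when `unconfined_service_t` is absent and GNUlocaldefs emits them only under `PCP_SELINUX_UNCONFINED`, so by the Notes block's own convention they should start with `!`. The filter only turns a leading `!` into a space, so the missing marker does not break the test, just the documentation it promises.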
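Review bot: `bcc_version_tuple` raises `ValueError` for any version component that is not a bare integer, and only the `"0.5.0"` fallback of `bcc_version()` is visible here, so whether the detected string can carry a pre-release or git suffix is not something the hunk shows. If it can, keep only the leading digits of each component before converting, and say in the docstring that the tuple is only as precise as `bcc_version()`'s string. The method sits inside `class PCPBCCBase`, whose definition starts outside the hunk.
```python
    @staticmethod
    def bcc_version_tuple():
        """ Returns BCC version as an int tuple (for comparisons);
            non-numeric suffixes such as '-rc1' are ignored """
        parts = []
        for part in PCPBCCBase.bcc_version().split('.'):
            digits = ''
            for ch in part:
                if not ch.isdigit():
                    break
                digits += ch
            parts.append(int(digits) if digits else 0)
        return tuple(parts)
```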
"$(PCP_SELINUX_CONTAINER_RUNTIME)" "true" +-PCP_CONTAINER_RUNTIME_T="type container_runtime_t\;" +-PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto\;" ++PCP_CONTAINER_RUNTIME_T="type container_runtime_t;" ++PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto;" + else + PCP_CONTAINER_RUNTIME_RULE="" + PCP_CONTAINER_RUNTIME_T="" + endif + + ifeq "$(PCP_SELINUX_NSFS)" "true" +-PCP_NSFS_T="type nsfs_t\; \# filesys.used" +-PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open }\;" ++PCP_NSFS_T="type nsfs_t; \# filesys.used" ++PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open };" + endif + + ifeq "$(PCP_SELINUX_DOCKER_VAR_LIB)" "true" +-PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t\;" +-PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search\;" ++PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t;" ++PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search;" + else + PCP_DOCKER_VAR_LIB_T="" + PCP_DOCKER_VAR_LIB_RULE="" + endif + +-ifeq "$(PCP_SELINUX_SVIRT_LXC_NET)" "true" +-PCP_SVIRT_LXC_NET_T="type svirt_lxc_net_t\;" +-PCP_SVIRT_LXC_NET_RULE="allow pcp_pmcd_t svirt_lxc_net_t:dir { open read search }\;" +-endif +- +-ifeq "$(PCP_SELINUX_CLASS_STATUS)" "true" +-PCP_CLASS_STATUS="class system status\;" +-PCP_PMLOGGER_SYSTEM_STATUS_RULE="allow pcp_pmlogger_t init_t:system status\;" +-PCP_PMIE_SYSTEM_STATUS_RULE="allow pcp_pmie_t init_t:system status\;" +-endif +- +-ifeq "$(PCP_SELINUX_SYSTEMD_UNIT_FILE)" "true" +-PCP_SYSTEMCTL_UNIT_FILE_T="type systemd_unit_file_t\;" +-PCP_SYSTEMCTL_UNIT_FILE_RULE="allow pcp_pmie_t systemd_unit_file_t:file getattr\;" +-PCP_SYSTEMCTL_UNIT_DIR_RULE="allow pcp_pmie_t systemd_unit_file_t:dir search\;" +-endif +- +-ifeq "$(PCP_SELINUX_SYSTEMD_EXEC)" "true" +-PCP_SYSTEMCTL_EXEC_T="type systemd_systemctl_exec_t\;" +-PCP_SYSTEMCTL_EXEC_RULE="allow pcp_pmie_t systemd_systemctl_exec_t:file { execute execute_no_trans open read getattr }\;" 
+-endif +- + ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true" +-PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc" +-PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;" +-PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;" ++PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace; \# pmdaproc" ++PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace;" + endif + + ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true" +-PCP_UNRESERVED_PORT="type unreserved_port_t\;" +-PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect }\;" +-PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind\;" ++PCP_UNRESERVED_PORT="type unreserved_port_t;" ++PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };" ++PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;" + endif + + ifeq "$(PCP_SELINUX_TRACEFS)" "true" +-PCP_TRACEFS="type tracefs_t\;" +-PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;" +-PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;" +-PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;" +-endif +- +-ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true" +-PCP_SOCK_FILE_GETATTR="class sock_file getattr\;" +-PCP_SOCK_FILE_GETATTR_RULE="allow pcp_pmcd_t gpmctl_t:sock_file getattr\;" ++PCP_TRACEFS="type tracefs_t;" ++PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount;" ++PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open };" ++PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write };" + endif + + ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true" +-PCP_HOSTNAME_EXEC_MAP=" map " +-PCP_TMP_T_MAP_RULE="allow pcp_pmcd_t pcp_tmp_t:file map\;" +-PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;" 
+-PCP_FSADM_EXEC_MAP_RULE="allow pcp_pmcd_t fsadm_exec_t:file map\;" +-PCP_DEFAULT_T_MAP="allow pcp_pmcd_t default_t:file { map execute }\;" ++PCP_HOSTNAME_EXEC_MAP="map" ++PCP_TMP_MAP="map" ++PCP_FSADM_EXEC_MAP="map" ++PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map;" ++PCP_DEFAULT_MAP_RULE="allow pcp_pmcd_t default_t:file { map execute };" + endif + +-ifeq "$(PCP_SELINUX_MOCK)" "true" +-PCP_MOCK_VAR_LIB="type mock_var_lib_t\;" +-PCP_MOCK_VAR_LIB_RULE="allow pcp_pmcd_t mock_var_lib_t:dir getattr\;" ++ifeq "$(PCP_SELINUX_FILES_MMAP_ALL_FILES)" "true" ++PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);" + endif + + ifeq "$(PCP_SELINUX_UNCONFINED)" "true" +-PCP_UNCONFINED_SERVICE="type unconfined_service_t\;" +-PCP_UNCONFINED_SERVICE_RULE="allow pcp_pmcd_t unconfined_service_t:sem { associate getattr }\;" ++PCP_UNCONFINED_SERVICE="type unconfined_service_t;" ++PCP_PMLOGGER_UNCONFINED_SERVICE_RULE="allow pcp_pmlogger_t unconfined_service_t:process signal;" ++PCP_PMIE_UNCONFINED_SERVICE_RULE="allow pcp_pmie_t unconfined_service_t:process signal;" + endif + + ifeq "$(PCP_SELINUX_NUMAD)" "true" +-PCP_NUMAD_CONTEXT="type numad_t\;" +-PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read\;" ++PCP_NUMAD_CONTEXT="type numad_t;" ++PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read;" + endif + + ifeq "$(PCP_SELINUX_BPF_STATUS)" "true" +-PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run }\;" +-PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run }\;" +-endif +- +-ifeq "$(PCP_SELINUX_WAP_PORT)" "true" +-PCP_WAP_PORT_CONTEXT="type wap_wsp_port_t\;" +-PCP_WAP_PORT_RULE="allow pcp_pmcd_t wap_wsp_port_t:tcp_socket name_connect\;" ++PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run };" ++PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run };" + endif + + ifeq "$(PCP_SELINUX_FILES_LIST_NON_AUTH_DIRS)" 
"true" +@@ -103,3 +70,24 @@ PCP_SELINUX_MACRO_RULE="files_list_non_a + else + PCP_SELINUX_MACRO_RULE="files_list_non_security\(pcp_domain\)" + endif ++ ++# need both type rpm_var_lib_t and permission map for this one ++# ++PCP_RPM_VAR_LIB_T="" ++PCP_RPM_VAR_LIB_RULE="" ++ifeq "$(PCP_SELINUX_RPM_VAR_LIB)" "true" ++ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true" ++PCP_RPM_VAR_LIB_T="type rpm_var_lib_t; \# pmdarpm" ++PCP_RPM_VAR_LIB_RULE="allow pcp_pmcd_t rpm_var_lib_t:file map;" ++endif ++endif ++ ++ifeq "$(PCP_SELINUX_VIRT_VAR_RUN)" "true" ++PCP_VIRT_VAR_RUN_T="type virt_var_run_t; \# pmdalibvirt" ++PCP_VIRT_VAR_RUN_RULE="allow pcp_pmcd_t virt_var_run_t:sock_file write;" ++endif ++ ++ifeq "$(PCP_SELINUX_CAP2_SYSLOG)" "true" ++PCP_CAP2_SYSLOG_CLASS="class capability2 { syslog };" ++PCP_CAP2_SYSLOG_RULE="allow pcp_pmcd_t self:capability2 syslog;" ++endif +diff -Naurp pcp-4.3.2.orig/src/selinux/GNUmakefile pcp-4.3.2/src/selinux/GNUmakefile +--- pcp-4.3.2.orig/src/selinux/GNUmakefile 2019-03-07 08:26:45.000000000 +1100 ++++ pcp-4.3.2/src/selinux/GNUmakefile 2019-08-08 15:30:17.502036498 +1000 +@@ -33,51 +33,43 @@ build-me: $(IAM).te selinux-setup.sh + + $(IAM).te: $(IAM).te.in + $(SED) <$< >$@ \ +- -e 's;@PCP_CONTAINER_RUNTIME_T@;'$(PCP_CONTAINER_RUNTIME_T)';' \ +- -e 's;@PCP_CONTAINER_RUNTIME_RULE@;'$(PCP_CONTAINER_RUNTIME_RULE)';' \ +- -e 's;@PCP_NSFS_T@;'$(PCP_NSFS_T)';' \ +- -e 's;@PCP_NSFS_RULE@;'$(PCP_NSFS_RULE)';' \ +- -e 's;@PCP_DOCKER_VAR_LIB_T@;'$(PCP_DOCKER_VAR_LIB_T)';' \ +- -e 's;@PCP_DOCKER_VAR_LIB_RULE@;'$(PCP_DOCKER_VAR_LIB_RULE)';' \ +- -e 's;@PCP_CLASS_STATUS@;'$(PCP_CLASS_STATUS)';' \ +- -e 's;@PCP_PMLOGGER_SYSTEM_STATUS_RULE@;'$(PCP_PMLOGGER_SYSTEM_STATUS_RULE)';' \ +- -e 's;@PCP_PMIE_SYSTEM_STATUS_RULE@;'$(PCP_PMIE_SYSTEM_STATUS_RULE)';' \ +- -e 's;@PCP_SVIRT_LXC_NET_T@;'$(PCP_SVIRT_LXC_NET_T)';' \ +- -e 's;@PCP_SVIRT_LXC_NET_RULE@;'$(PCP_SVIRT_LXC_NET_RULE)';' \ +- -e 's;@PCP_SYSTEMCTL_UNIT_FILE_T@;'$(PCP_SYSTEMCTL_UNIT_FILE_T)';' \ +- -e 
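Review bot: `PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);"` hands every PCP domain, pmproxy and pmlogger included, `map` on every file type (the fixture line `allow [pcp_domain] [file_type] : [file] { map }` confirms the expansion), whereas the explicit map rules in this file (`PCP_LDCONFIG_EXEC_MAP_RULE`, `PCP_DEFAULT_MAP_RULE`, `PCP_RPM_VAR_LIB_RULE`) are all scoped to `pcp_pmcd_t`. Unless a non-pmcd daemon is known to need it, prefer `files_mmap_all_files(pcp_pmcd_t)` and record the consumer beside the macro, e.g. `# which daemon needs map on arbitrary file types? TODO confirm before keeping pcp_domain`. Dropping the `\;` escapes is only safe because GNUmakefile now splices these values into `s+...+...+`, so a `+` or an unescaped `&` in any rule string would silently corrupt the substitution; a note at the top of the file, `# values are spliced into sed s+...+...+ in GNUmakefile: no '+' or '&' allowed`, would guard the next edit. The `\# pmdaproc` annotation on `PCP_CAPUSERNS_PTRACE` is now stale, since the only rule left in that block is pmie's.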
's;@PCP_SYSTEMCTL_UNIT_FILE_RULE@;'$(PCP_SYSTEMCTL_UNIT_FILE_RULE)';' \ +- -e 's;@PCP_SYSTEMCTL_UNIT_DIR_RULE@;'$(PCP_SYSTEMCTL_UNIT_DIR_RULE)';' \ +- -e 's;@PCP_SYSTEMCTL_EXEC_T@;'$(PCP_SYSTEMCTL_EXEC_T)';' \ +- -e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \ +- -e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \ +- -e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \ +- -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \ +- -e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \ +- -e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \ +- -e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \ +- -e 's;@PCP_TRACEFS@;'$(PCP_TRACEFS)';' \ +- -e 's;@PCP_TRACEFS_FS_RULE@;'$(PCP_TRACEFS_FS_RULE)';' \ +- -e 's;@PCP_TRACEFS_DIR_RULE@;'$(PCP_TRACEFS_DIR_RULE)';' \ +- -e 's;@PCP_TRACEFS_FILE_RULE@;'$(PCP_TRACEFS_FILE_RULE)';' \ +- -e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \ +- -e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \ +- -e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \ +- -e 's;@PCP_TMP_T_MAP_RULE@;'$(PCP_TMP_T_MAP_RULE)';' \ +- -e 's;@PCP_DEFAULT_T_MAP@;'$(PCP_DEFAULT_T_MAP)';' \ +- -e 's;@PCP_LDCONFIG_EXEC_MAP_RULE@;'$(PCP_LDCONFIG_EXEC_MAP_RULE)';' \ +- -e 's;@PCP_MOCK_VAR_LIB@;'$(PCP_MOCK_VAR_LIB)';' \ +- -e 's;@PCP_MOCK_VAR_LIB_RULE@;'$(PCP_MOCK_VAR_LIB_RULE)';' \ +- -e 's;@PCP_UNCONFINED_SERVICE@;'$(PCP_UNCONFINED_SERVICE)';' \ +- -e 's;@PCP_UNCONFINED_SERVICE_RULE@;'$(PCP_UNCONFINED_SERVICE_RULE)';' \ +- -e 's;@PCP_NUMAD_CONTEXT@;'$(PCP_NUMAD_CONTEXT)';' \ +- -e 's;@PCP_NUMAD_RULE@;'$(PCP_NUMAD_RULE)';' \ +- -e 's;@PCP_FSADM_EXEC_MAP_RULE@;'$(PCP_FSADM_EXEC_MAP_RULE)';' \ +- -e 's;@PCP_BPF_STATUS_CLASS@;'$(PCP_BPF_STATUS_CLASS)';' \ +- -e 's;@PCP_BPF_STATUS_RULE@;'$(PCP_BPF_STATUS_RULE)';' \ +- -e 's;@PCP_WAP_PORT_CONTEXT@;'$(PCP_WAP_PORT_CONTEXT)';' \ +- -e 's;@PCP_WAP_PORT_RULE@;'$(PCP_WAP_PORT_RULE)';' \ 
+- -e 's;@PCP_SELINUX_MACRO_RULE@;'$(PCP_SELINUX_MACRO_RULE)';' \ +- -e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \ ++ -e 's+@PCP_CONTAINER_RUNTIME_T@+'$(PCP_CONTAINER_RUNTIME_T)'+' \ ++ -e 's+@PCP_CONTAINER_RUNTIME_RULE@+'$(PCP_CONTAINER_RUNTIME_RULE)'+' \ ++ -e 's+@PCP_NSFS_T@+'$(PCP_NSFS_T)'+' \ ++ -e 's+@PCP_NSFS_RULE@+'$(PCP_NSFS_RULE)'+' \ ++ -e 's+@PCP_DOCKER_VAR_LIB_T@+'$(PCP_DOCKER_VAR_LIB_T)'+' \ ++ -e 's+@PCP_DOCKER_VAR_LIB_RULE@+'$(PCP_DOCKER_VAR_LIB_RULE)'+' \ ++ -e 's+@PCP_CAPUSERNS_PTRACE@+'$(PCP_CAPUSERNS_PTRACE)'+' \ ++ -e 's+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@+'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)'+' \ ++ -e 's+@PCP_UNRESERVED_PORT@+'$(PCP_UNRESERVED_PORT)'+' \ ++ -e 's+@PCP_UNRESERVED_PORT_RULE@+'$(PCP_UNRESERVED_PORT_RULE)'+' \ ++ -e 's+@PCP_UNRESERVED_PORT_RULE_PMMGR@+'$(PCP_UNRESERVED_PORT_RULE_PMMGR)'+' \ ++ -e 's+@PCP_TRACEFS@+'$(PCP_TRACEFS)'+' \ ++ -e 's+@PCP_TRACEFS_FS_RULE@+'$(PCP_TRACEFS_FS_RULE)'+' \ ++ -e 's+@PCP_TRACEFS_DIR_RULE@+'$(PCP_TRACEFS_DIR_RULE)'+' \ ++ -e 's+@PCP_TRACEFS_FILE_RULE@+'$(PCP_TRACEFS_FILE_RULE)'+' \ ++ -e 's+@PCP_HOSTNAME_EXEC_MAP@+'$(PCP_HOSTNAME_EXEC_MAP)'+' \ ++ -e 's+@PCP_TMP_MAP@+'$(PCP_TMP_MAP)'+' \ ++ -e 's+@PCP_DEFAULT_MAP_RULE@+'$(PCP_DEFAULT_MAP_RULE)'+' \ ++ -e 's+@PCP_LDCONFIG_EXEC_MAP_RULE@+'$(PCP_LDCONFIG_EXEC_MAP_RULE)'+' \ ++ -e 's+@PCP_UNCONFINED_SERVICE@+'$(PCP_UNCONFINED_SERVICE)'+' \ ++ -e 's+@PCP_UNCONFINED_SERVICE_RULE@+'$(PCP_UNCONFINED_SERVICE_RULE)'+' \ ++ -e 's+@PCP_PMIE_UNCONFINED_SERVICE_RULE@+'$(PCP_PMIE_UNCONFINED_SERVICE_RULE)'+' \ ++ -e 's+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@+'$(PCP_PMLOGGER_UNCONFINED_SERVICE_RULE)'+' \ ++ -e 's+@PCP_NUMAD_CONTEXT@+'$(PCP_NUMAD_CONTEXT)'+' \ ++ -e 's+@PCP_NUMAD_RULE@+'$(PCP_NUMAD_RULE)'+' \ ++ -e 's+@PCP_FSADM_EXEC_MAP@+'$(PCP_FSADM_EXEC_MAP)'+' \ ++ -e 's+@PCP_MMAP_ALL@+'$(PCP_MMAP_ALL)'+' \ ++ -e 's+@PCP_BPF_STATUS_CLASS@+'$(PCP_BPF_STATUS_CLASS)'+' \ ++ -e 's+@PCP_BPF_STATUS_RULE@+'$(PCP_BPF_STATUS_RULE)'+' \ ++ -e 
's+@PCP_RPM_VAR_LIB_T@+'$(PCP_RPM_VAR_LIB_T)'+' \
++ -e 's+@PCP_RPM_VAR_LIB_RULE@+'$(PCP_RPM_VAR_LIB_RULE)'+' \
++ -e 's+@PCP_VIRT_VAR_RUN_T@+'$(PCP_VIRT_VAR_RUN_T)'+' \
++ -e 's+@PCP_VIRT_VAR_RUN_RULE@+'$(PCP_VIRT_VAR_RUN_RULE)'+' \
++ -e 's+@PCP_CAP2_SYSLOG_CLASS@+'$(PCP_CAP2_SYSLOG_CLASS)'+' \
++ -e 's+@PCP_CAP2_SYSLOG_RULE@+'$(PCP_CAP2_SYSLOG_RULE)'+' \
++ -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
++ -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
+ 
+ # END
+ make -f /usr/share/selinux/devel/Makefile
+diff -Naurp pcp-4.3.2.orig/src/selinux/pcpupstream.te.in pcp-4.3.2/src/selinux/pcpupstream.te.in
+--- pcp-4.3.2.orig/src/selinux/pcpupstream.te.in 2019-04-26 09:34:21.000000000 +1000
++++ pcp-4.3.2/src/selinux/pcpupstream.te.in 2019-08-08 15:30:17.504036461 +1000
+@@ -39,7 +39,7 @@ require {
+ type glusterd_log_t;
+ type sysctl_irq_t; #pmda.bcc
+ type unconfined_t; #RHBZ1443632
+- type unconfined_service_t;
++ @PCP_UNCONFINED_SERVICE@
+ type configfs_t; #pcp.lio
+ type ldconfig_exec_t;
+ type sysctl_net_t;
+@@ -49,19 +49,20 @@ require {
+ type kmsg_device_t;
+ type proc_kcore_t;
+ type su_exec_t;
++ @PCP_RPM_VAR_LIB_T@
++ @PCP_VIRT_VAR_RUN_T@
+ class sem { unix_read associate getattr read };
+ class lnk_file { read getattr };
+ class file { append create execute execute_no_trans getattr setattr ioctl lock open read write unlink @PCP_HOSTNAME_EXEC_MAP@ };
+ class dir { add_name open read search write getattr lock ioctl };
+ class unix_stream_socket connectto;
+ class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
++ @PCP_CAP2_SYSLOG_CLASS@
+ @PCP_CAPUSERNS_PTRACE@
+ class chr_file { open write };
+ class fifo_file { getattr read open unlink lock ioctl }; # qa/455
+ class process { signull signal execmem setrlimit ptrace }; #RHBZ1443632
+ class sock_file write; #RHBZ1449671
+- @PCP_SOCK_FILE_GETATTR@
+- @PCP_CLASS_STATUS@
+ class tcp_socket { name_bind name_connect 
}; 
+ class shm { unix_read associate getattr read };
+ class filesystem mount;
+@@ -98,49 +99,24 @@ allow init_t system_cronjob_t:dbus send_
+ 
+ 
+ #============= pcp_pmcd_t ==============
+-#type=AVC msg=audit(XXX.1): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir permissive=0
+-#allow pcp_pmcd_t svirt_sandbox_file_t:dir { open read search };
+- 
+-#@PCP_SVIRT_LXC_NET_RULE@
+- 
+-#type=AVC msg=audit(XXX.2): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+-#allow pcp_pmcd_t sysctl_net_t:dir search;
+- 
+-#SYN AVC for testing
+-#type=AVC msg=audit(XXX.3): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+-#allow pcp_pmcd_t sysctl_net_t:file { getattr open read };
+ 
+ #SYN AVC for testing
+ #type=AVC msg=audit(XXX.4): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t user_home_t:file { execute execute_no_trans };
+ 
+-#type=AVC msg=audit(XXX.5): avc: denied { read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t debugfs_t:dir { read search };
+- 
+ #type=AVC msg=audit(XXX.6): avc: denied { append getattr ioctl open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t debugfs_t:file { append 
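Review bot: The require block still declares the `map` file permission through a single placeholder, `@PCP_HOSTNAME_EXEC_MAP@`, while the allow rules in this patch now take `map` from several independent make variables (`PCP_TMP_MAP`, `PCP_FSADM_EXEC_MAP`, `PCP_MMAP_ALL`, `PCP_DEFAULT_MAP_RULE`, `PCP_LDCONFIG_EXEC_MAP_RULE` all appear in the GNUmakefile sed list); nothing in this file guarantees they expand together, and if any of them yields `map` while the hostname one is empty the module fails to build with an undeclared permission. I would either drive the require line from one shared placeholder or record the invariant beside it: `# @PCP_HOSTNAME_EXEC_MAP@ must expand to "map" whenever any *_MAP placeholder below does`. The new `@PCP_CAP2_SYSLOG_CLASS@` line is presumably `class capability2 syslog;`, which is CAP_SYSLOG for the whole pcp_pmcd_t domain — worth a `# CAP_SYSLOG, see pmda-bcc rule below` note here so the require side is self-explaining. The require block itself continues outside this hunk.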
getattr ioctl open read write };
+ 
+ #type=AVC msg=audit(XXX.7): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
+-allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
++#type=AVC msg=audit(XXX.68): avc: denied { map } for pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
++allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read @PCP_HOSTNAME_EXEC_MAP@ };
+ 
+ #type=AVC msg=audit(XXX.8): avc: denied { getattr open read unlink } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0
+ allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
+ 
+-#type=AVC msg=audit(YYY.9): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1
+-#allow pcp_pmcd_t initctl_t:fifo_file getattr;
+- 
+ #type=AVC msg=audit(XXX.9): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t proc_kcore_t:file getattr;
+ 
+- 
+-#type=AVC msg=audit(YYY.10): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
+-#@PCP_CAPUSERNS_PTRACE_RULE@
+- 
+- 
+-#type=AVC msg=audit(YYY.6): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
+-#type=AVC msg=audit(YYY.7): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
+-#type=AVC msg=audit(YYY.8): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
+-#allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource };
+ #type=AVC msg=audit(YYY.11): avc: denied { sys_chroot kill sys_resource } for pid=25873 comm="pmdalinux" capability=18 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
+ #type=AVC msg=audit(YYY.87): avc: denied { chown } for pid=8999 comm="pmdasimple" capability=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
+ allow pcp_pmcd_t self:capability { sys_chroot kill sys_resource ipc_lock chown };
+@@ -149,10 +125,6 @@ allow pcp_pmcd_t self:capability { sys_c
+ #type=AVC msg=audit(YYY.12): avc: denied { read } for pid=29112 comm="pmdalinux" dev="nsfs" ino=4026532454 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
+ @PCP_NSFS_RULE@
+ 
+-#type=AVC msg=audit(XXX.10): avc: denied { getattr read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=fifo_file permissive=0
+-# allow pcp_pmcd_t pcp_log_t:fifo_file { getattr read open }; # qa/455
+- 
+- 
+ #type=AVC msg=audit(YYY.13): avc: denied { name_bind } for pid=7079 comm="pmdasimple" src=5650 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
+ #type=AVC msg=audit(YYY.14): avc: denied { name_connect } for 
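Review bot: The new AVC comment above the pcp_pmie_exec_t rule reuses audit id XXX.68, which this same file already uses in the pmlogger section for the `mv pmlogger_check.log` denial on user_tmp_t, so the cross-reference scheme the comments rely on is no longer unique; give it a fresh id. What that AVC shows is also worth stating next to the rule: `comm="pmie"` is running as `pcp_pmcd_t`, i.e. a pmie launched from a PMDA (presumably pmdasummary) stays in pmcd's domain with all of pmcd's capabilities instead of transitioning to `pcp_pmie_t`, and the added `map` extends that pre-existing execute_no_trans path rather than introducing it. A comment such as `# pmie spawned by a PMDA stays in pcp_pmcd_t (no domain transition); map added for policies that enforce the map permission` makes the trade-off visible to whoever later considers a domtrans.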
pid=29238 comm="pmcd" dest=5650 scontex =system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
+ @PCP_UNRESERVED_PORT_RULE@
+@@ -160,19 +132,9 @@ allow pcp_pmcd_t self:capability { sys_c
+ #type=AVC msg=audit(YYY.15): avc: denied { name_connect } for pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
+ allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.prometheus
+ 
+-#type=AVC msg=audit(YYY.16): avc: denied { unix_read } for pid=14552 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
+-#type=AVC msg=audit(YYY.17): avc: denied { getattr associate } for pid=8128 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
+-# allow pcp_pmcd_t unconfined_t:shm { unix_read associate getattr };
+- 
+-#type=AVC msg=audit(YYY.18): avc: denied { read } for pid=16668 comm="pmdalogger" name="458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
+-#type=AVC msg=audit(YYY.19): avc: denied { getattr } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
+-#type=AVC msg=audit(YYY.20): avc: denied { open } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0
+-#allow pcp_pmcd_t user_tmp_t:fifo_file { read getattr open };
+- 
+ #type=AVC msg=audit(YYY.21): avc: denied { execute } for pid=8648 comm="sh" name="8641" dev="tmpfs" ino=246964 
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
+ #type=AVC msg=audit(YYY.22): avc: denied { execute_no_trans } for pid=8648 comm="sh" path="/tmp/8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
+- allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans };
+-@PCP_TMP_T_MAP_RULE@
++allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
+ 
+ #type=AVC msg=audit(YYY.23): avc: denied { getattr } for pid=8656 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ #type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+@@ -187,84 +149,31 @@ allow pcp_pmcd_t hostname_exec_t:file {
+ #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+ #type=AVC msg=audit(YYY.30): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+ #type=AVC msg=audit(YYY.31): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+-# @PCP_TRACEFS_DIR_RULE@
++#type=AVC msg=audit(YYY.88): avc: denied { read } for pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
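Review bot: `allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };` makes the PCP temp directory an execution source for the pmcd domain, and the two AVCs it cites (YYY.21/22, `comm="sh"`, `/tmp/8641`) show a shell running a generated script, so whoever can write a `pcp_tmp_t` file can get code run with every capability listed for pcp_pmcd_t above (sys_chroot, kill, sys_resource, ipc_lock, chown). If that script is only ever run by a PMDA's own shell, invoking it as `sh "$tmpfile"` needs just `read` and this rule could go; otherwise the reason it must stay belongs next to it, e.g. `# PMDA helper scripts exec a generated file from $PCP_TMP_DIR; execute here means code execution as pcp_pmcd_t, so pcp_tmp_t must stay writable only by pcp`. The hunk also drops the stray leading space the old `allow` line had, which is the right cleanup.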
++@PCP_TRACEFS_DIR_RULE@
+ 
+ #type=AVC msg=audit(YYY.32): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
+ #type=AVC msg=audit(YYY.33): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
+ @PCP_TRACEFS_FILE_RULE@
+ 
+-#type=AVC msg=audit(XXX.11): avc: denied { getattr open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t gconf_home_t:dir { getattr open read search };
+- 
+-#type=AVC msg=audit(XXX.12): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t virt_etc_t:dir search;
+- 
+-#type=AVC msg=audit(XXX.13): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=0
+-# allow pcp_pmcd_t virt_etc_t:file { read open };
+- 
+-#type=AVC msg=audit(XXX.14): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virtd_t:s0 tclass=unix_stream_socket permissive=0
+-# allow pcp_pmcd_t virtd_t:unix_stream_socket connectto;
+- 
+- 
+-#type=AVC msg=audit(XXX.15): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t haproxy_var_lib_t:dir search;
+- 
+ #type=AVC 
msg=audit(XXX.16): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0
+ allow pcp_pmcd_t haproxy_var_lib_t:sock_file write;
+ 
+-#type=AVC msg=audit(XXX.17): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_t:s0 tclass=unix_stream_socket permissive=0
+-# allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto;
+- 
+- 
+ #type=AVC msg=audit(YYY.34): avc: denied { write } for pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
+ #RHBZ1505888
+ allow pcp_pmcd_t sysctl_fs_t:file write;
+ 
+-#RHBZ1515928
+-#RHBZ1449671
+-#type=AVC msg=audit(XXX.18): avc: denied { getattr open search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t nfsd_fs_t:dir { getattr open search };
+- 
+-#type=AVC msg=audit(XXX.19): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0
+-# allow pcp_pmcd_t nfsd_fs_t:file { getattr open read };
+- 
+- 
+-#RHBZ1517656
+-# @PCP_SOCK_FILE_GETATTR_RULE@
+- 
+-#RHBZ1517862
+-#type=AVC msg=audit(XXX.20): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t postfix_spool_t:dir read;
+- 
+- 
+-# @PCP_UNCONFINED_SERVICE_RULE@
+- 
+-#type=AVC msg=audit(...): avc: denied { getattr } for pid=NNN comm="pmdalinux" path="/var/lib/mock" dev="dm-1" ino=917749 scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=dir permissive=1
+-# @PCP_MOCK_VAR_LIB_RULE@
+- 
+ #type=AVC msg=audit(...): avc: denied { map } for pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
+ @PCP_LDCONFIG_EXEC_MAP_RULE@
+ 
+-#RHBZ1488116
+-#type=AVC msg=audit(XXX.21): avc: denied { unix_read associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=shm permissive=0
+-# allow pcp_pmcd_t httpd_t:shm { unix_read associate getattr };
+- 
+-#type=AVC msg=audit(XXX.22): avc: denied { unix_read associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=sem permissive=0
+-# allow pcp_pmcd_t httpd_t:sem { unix_read associate getattr };
+- 
+- 
+ #RHBZ1545245
+ #type=AVC msg=audit(XXX.23): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
+ allow pcp_pmcd_t sysfs_t:dir write;
+ 
+- 
+ # pmda.bcc
+ #type=AVC msg=audit(XXX.24): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=lnk_file permissive=0
+ allow pcp_pmcd_t modules_object_t:lnk_file read;
+ 
+-#type=AVC msg=audit(XXX.25): avc: denied { open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t hugetlbfs_t:dir { open read };
+- 
+ #type=AVC msg=audit(XXX.26): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };
+ 
+@@ -275,93 +184,29 @@ allow pcp_pmcd_t proc_mdstat_t:file { ge
+ #type=AVC msg=audit(YYY.36): avc: denied { unix_read } for pid=1423 comm="pmdalinux" key=-559038737 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0
+ @PCP_NUMAD_RULE@
+ 
+- 
+ #type=AVC msg=audit(XXX.28): avc: denied { open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t glusterd_log_t:file { open read write };
+ 
+-#type=AVC msg=audit(XXX.29): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t glusterd_log_t:dir { search };
+- 
+-#type=AVC msg=audit(XXX.30): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t glusterd_conf_t:dir { search };
+- 
+-#type=AVC msg=audit(XXX.31): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_t:s0 tclass=unix_stream_socket permissive=0
+-# allow pcp_pmcd_t glusterd_t:unix_stream_socket connectto;
+- 
+-#type=AVC msg=audit(XXX.32): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t glusterd_var_lib_t:dir search;
+- 
+- 
+-#RHBZ1565158, RHBZ1619383
+-#type=AVC msg=audit(XXX.33): avc: denied { assocate getattr 
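Review bot: `@PCP_TRACEFS_DIR_RULE@` goes live in this hunk, but the permission set it expands to is defined in configure rather than here, so a reader of the policy cannot tell whether it grants only the `{ search read open }` that the four cited AVCs (YYY.29–31 for pmdaperfevent, YYY.88 for pmdakvm) justify or something wider such as `write`, which on tracefs would let the pmcd domain enable tracepoints rather than just list them. I would pin the intent beside the placeholder, `# expected expansion: allow pcp_pmcd_t tracefs_t:dir { getattr open read search }; -- read-only by design (pmdaperfevent, pmdakvm)`, and check the configure definition against it. A smaller tidy-up: this hunk deletes the `@PCP_UNCONFINED_SERVICE_RULE@`, `@PCP_MOCK_VAR_LIB_RULE@` and `@PCP_SOCK_FILE_GETATTR_RULE@` placeholders from the policy, yet the GNUmakefile sed list in this patch still carries a `PCP_UNCONFINED_SERVICE_RULE` substitution, which is now dead and will confuse the next person grepping for where that rule lands.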
unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mozilla_plugin_t:s0 tclass=sem permissive=0
+-# allow pcp_pmcd_t mozilla_plugin_t:sem { associate getattr unix_read };
+- 
+- 
+ #pmda.bcc
+ #type=AVC msg=audit(XXX.34): avc: denied { execmem setrlimit ptrace } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
+ allow pcp_pmcd_t self:process { execmem setrlimit ptrace };
+ 
+-#type=AVC msg=audit(YYY.37): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1
+-#allow pcp_pmcd_t system_map_t:file { ioctl open read };
+- 
+ #type=AVC msg=audit(XXX.35): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
+ allow pcp_pmcd_t sysctl_irq_t:dir { search };
+ 
+- 
+-#RHBZ1592901
+-#type=AVC msg=audit(XXX.36): avc: denied { unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:init_t:s0 tclass=shm permissive=0
+-# allow pcp_pmcd_t init_t:shm unix_read;
+- 
+- 
+-#RHBZ1594991
+-#type=AVC msg=audit(XXX.37): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpsd_t:s0 tclass=shm permissive=0
+-# allow pcp_pmcd_t gpsd_t:shm { associate getattr unix_read };
+- 
+- 
+-#type=AVC msg=audit(XXX.38): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
+-# allow pcp_pmcd_t default_t:file getattr;
+- 
+- 
+-#RHBZ1622253
+-#type=AVC msg=audit(YYY.38): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
+-#allow pcp_pmcd_t named_zone_t:dir search;
+- 
+-#RHBZ1619381
+-#type=AVC msg=audit(YYY.39): avc: denied { unix_read } for pid=1726 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=shm permissive=0
+-#allow pcp_pmcd_t xdm_t:shm unix_read;
+- 
+-#type=AVC msg=audit(XXX.39): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=sem permissive=0
+-# allow pcp_pmcd_t postgresql_t:sem { associate getattr unix_read };
+- 
+-#type=AVC msg=audit(XXX.40): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=shm permissive=0
+-# allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
+- 
+- 
+-#type=AVC msg=audit(...): avc: denied { connectto } for pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
+-#allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
+- 
+ #RHBZ1633211, RHBZ1693332
+ @PCP_BPF_STATUS_RULE@
+ 
+ #type=AVC msg=audit(XXX.41): avc: denied { signull } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=process permissive=0
+ allow pcp_pmcd_t kernel_t:process signull;
+ 
++# pmda-bcc needs the ability to read addresses in /proc/kallsyms
++@PCP_CAP2_SYSLOG_RULE@
++ 
+ #RHBZ1690542
+ #type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" 
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
+ allow pcp_pmcd_t kernel_t:system module_request;
+ 
+-#type=AVC msg=audit(XXX.42): avc: denied { associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xdm_t:s0 tclass=shm permissive=0
+-# allow pcp_pmcd_t xdm_t:shm { associate getattr };
+- 
+-#type=AVC msg=audit(XXX.43): avc: denied { getattr search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
+-# allow pcp_pmcd_t user_home_dir_t:dir { getattr search };
+- 
+-#RHBZ1535522
+-#type=AVC msg=audit(YYY.40): avc: denied { search } for pid=21371 comm="pmdalinux" name=".cache" dev="dm-0" ino=11796488 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
+-#allow pcp_pmcd_t cache_home_t:dir search;
+- 
+-# @PCP_WAP_PORT_RULE@
+- 
+ # type=AVC msg=audit(YYY.83): avc: denied { execute } for pid=19060 comm="zimbraprobe" name="su" dev="dm-0" ino=26416761 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
+#pmdazimbra
+ allow pcp_pmcd_t su_exec_t:file { execute };
+@@ -373,14 +218,6 @@ allow pcp_pmlogger_t kmsg_device_t:chr_f
+ #type=AVC msg=audit(XXX.45): avc: denied { kill } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
+ allow pcp_pmlogger_t self:capability kill;
+ 
+-# @PCP_PMLOGGER_SYSTEM_STATUS_RULE@
+- 
+-#type=AVC msg=audit(YYY.41): avc: denied { write } for pid=18266 comm="logger" name="log" dev="devtmpfs" ino=1413 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
+-# allow pcp_pmlogger_t devlog_t:sock_file write;
+- 
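Review bot: The new `@PCP_CAP2_SYSLOG_RULE@` hands CAP_SYSLOG to the whole pcp_pmcd_t domain, which is wider than its one-line comment suggests: besides lifting the kptr_restrict masking of /proc/kallsyms it also allows syslog(2) reads and clearing of the kernel ring buffer, and every PMDA that runs in pcp_pmcd_t gets it, not just pmda-bcc. CAP_SYSLOG on its own does not grant the file read either — the commented-out `allow pcp_pmcd_t system_map_t:file { ioctl open read };` for the YYY.37 kallsyms denial is removed in the previous hunk, so confirm the base policy already lets pcp_pmcd_t read system_map_t or bcc will still fail to open the file. I would expand the comment to `# CAP_SYSLOG (capability2 syslog): pmda-bcc reads unmasked kernel addresses from /proc/kallsyms under kptr_restrict=1; note it also permits dmesg read/clear and applies to every PMDA in pcp_pmcd_t`, and, if configure can tell whether pmda-bcc is built, leave the placeholder empty otherwise.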
+-#type=AVC msg=audit(YYY.42): avc: denied { read } for pid=26849 comm="logger" name="log" dev="devtmpfs" ino=1389 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0
+-# allow pcp_pmlogger_t devlog_t:lnk_file read;
+- 
+ # type=AVC msg=audit(YYY.43): avc: denied { sys_ptrace } for pid=21962 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability
+ # src/pmlogger/pmnewlog.sh
+ allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid };
+@@ -389,38 +226,11 @@ allow pcp_pmlogger_t self:capability { s
+ allow pcp_pmlogger_t unconfined_t:process signal;
+ 
+ ## type=AVC msg=audit(YYY.85): avc: denied { signal } for pid=31205 comm="pmsignal" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
+-allow pcp_pmlogger_t unconfined_service_t:process signal;
+- 
+-#type=AVC msg=audit(YYY.45): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0
+-# allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
+- 
+-#type=AVC msg=audit(YYY.46): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket
+-# allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
+- 
+-#type=AVC msg=audit(YYY.47): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+-# allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;
+- 
+-#RHBZ1488116
+-#type=AVC msg=audit(YYY.48): avc: denied { search } for 
pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
+-# allow pcp_pmlogger_t user_home_dir_t:dir search;
+- 
+-#type=AVC msg=audit(XXX.46): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
+-# allow pcp_pmlogger_t user_home_t:file { read open };
++@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@
+ 
+ #type=AVC msg=audit(XXX.68): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
+ allow pcp_pmlogger_t user_tmp_t:file { setattr unlink };
+ 
+-#RHBZ1547066
+-#type=AVC msg=audit(XXX.47): avc: denied { sendto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
+-# allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto;
+- 
+-#type=AVC msg=audit(XXX.48): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir permissive=0
+-# allow pcp_pmlogger_t home_bin_t:dir search;
+- 
+-#RHBZ1634205
+-#type=AVC msg=audit(YYY.49): avc: denied { search } for pid=8613 comm="ps" name=".cache" dev="dm-0" ino=1277884 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
+-# allow pcp_pmlogger_t cache_home_t: dir search;
+- 
+ #============= pcp_pmie_t ==============
+ #type=AVC msg=audit(XXX.49): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read @PCP_HOSTNAME_EXEC_MAP@ };
+@@ -429,77 +239,27 @@ allow pcp_pmie_t hostname_exec_t:file {
+ #type=AVC msg=audit(YYY.50): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
+ allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };
+ 
+-#type=AVC msg=audit(YYY.51) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
+-# allow pcp_pmie_t init_t:unix_stream_socket connectto;
+- 
+-#type=AVC msg=audit(YYY.52) : avc: denied { open } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.53) : avc: denied { read } for pid=8939 comm=runlevel name=utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.54) : avc: denied { lock } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
+-# allow pcp_pmie_t initrc_var_run_t:file { lock open read };
+- 
+-# @PCP_PMIE_SYSTEM_STATUS_RULE@
+- 
+-#type=AVC msg=audit(YYY.55) : avc: denied { getattr } for pid=8870 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
+-# @PCP_SYSTEMCTL_UNIT_FILE_RULE@
+- 
+-#type=AVC msg=audit(YYY.56): avc: denied { search } for pid=30181 comm="pmie" name="system" dev="dm-1" ino=1182241 
scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0
+-#@PCP_SYSTEMCTL_UNIT_DIR_RULE@
+- 
+-#type=AVC msg=audit(YYY.57) : avc: denied { read } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.58) : avc: denied { execute } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.59) : avc: denied { getattr } for pid=7004 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.60) : avc: denied { execute_no_trans } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.61) : avc: denied { open } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
+-#type=AVC msg=audit(YYY.62): avc: denied { getattr } for pid=13079 comm="which" path="/usr/bin/systemctl" dev="dm-1" ino=1078205 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
+-# @PCP_SYSTEMCTL_EXEC_RULE@
+- 
+-#type=AVC msg=audit(YYY.63): avc: denied { connectto } for pid=12589 comm="pmie" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+-# allow pcp_pmie_t unconfined_t:unix_stream_socket connectto;
+- 
+-#audit: type=1400 audit(YYY.64): avc: denied { execute_no_trans } for 
pid=3703 comm=pmie_check path=/usr/bin/pmie dev=dm-0 ino=2506240 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0 +-# allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans; +- + #RHBZ1517656 + #type=AVC msg=audit(XXX.50): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 + allow pcp_pmie_t proc_net_t:file read; + +- +-#type=AVC msg=audit(...): avc: denied { open } for pid=NNN comm="runlevel" path="/dev/kmsg" dev="devtmpfs" ino=1043 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1 +-# allow pcp_pmie_t kmsg_device_t:chr_file open; +- +-#RHBZ1533080 +-#type=AVC msg=audit(XXX.51): avc: denied { signal } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0 +-# allow pcp_pmie_t pcp_pmcd_t:process signal; +- +- +-#RHBZ1547066 +-#type=AVC msg=audit(XXX.52): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0 +-# allow pcp_pmie_t init_exec_t:file getattr; +- + #RHBZ1635394 + #type=AVC msg=audit(YYY.66): avc: denied { sys_ptrace } for pid=15683 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=cap_userns permissive=0 + @PCP_CAPUSERNS_PTRACE_RULE_PMIE@ + +-#type=AVC msg=audit(XXX.53): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 +-# allow pcp_pmie_t user_home_dir_t:dir search; +- +-#type=AVC msg=audit(XXX.54): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" 
dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 +-# allow pcp_pmie_t user_home_t:file { read open }; +- +- + #RHBZ1623988 + #type=AVC msg=audit(YYY.65): avc: denied { signal } for pid=3106 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 + allow pcp_pmie_t unconfined_t:process signal; + + ## type=AVC msg=audit(YYY.86): avc: denied { signal } for pid=23951 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 +-allow pcp_pmie_t unconfined_service_t:process signal; ++@PCP_PMIE_UNCONFINED_SERVICE_RULE@ + + #============= pmda-lio ============== +-#type=AVC msg=audit(XXX.55): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0 +-allow pcp_pmcd_t configfs_t:dir { open read search }; ++#type=AVC msg=audit(XXX.55): avc: denied { open read search write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0 ++allow pcp_pmcd_t configfs_t:dir { open read search write }; + +-#type=AVC msg=audit(XXX.56): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0 +-allow pcp_pmcd_t configfs_t:file { getattr open read }; ++#type=AVC msg=audit(XXX.56): avc: denied { getattr ioctl open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0 ++allow pcp_pmcd_t configfs_t:file { getattr ioctl open read }; + + #type=AVC msg=audit(XXX.57): 
avc: denied { getattr read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=lnk_file permissive=0 + allow pcp_pmcd_t configfs_t:lnk_file { getattr read }; +@@ -507,23 +267,6 @@ allow pcp_pmcd_t configfs_t:lnk_file { g + #type=AVC msg=audit(XXX.58): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0 + allow pcp_pmcd_t ldconfig_exec_t:file { execute execute_no_trans getattr open read }; + +- +-#type=AVC msg=audit(XXX.59): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0 +-# allow pcp_pmcd_t modules_conf_t:dir { getattr open read }; +- +-#type=AVC msg=audit(XXX.60): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0 +-# allow pcp_pmcd_t modules_conf_t:file { getattr open read }; +- +-#type=AVC msg=audit(XXX.61): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0 +-# allow pcp_pmcd_t modules_object_t:dir search; +- +-#type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0 +-# allow pcp_pmcd_t modules_object_t:file { getattr open read }; +- +-#type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 
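Review bot: `allow pcp_pmcd_t configfs_t:dir { open read search write };` in the pmda-lio section widens a read-only rule to `write`, which lets pmcd and every PMDA it spawns create and remove configfs entries (the LIO target configuration tree), not merely read them. The AVC quoted above it is the placeholder template (pid=YYYY, name="/", dev="tracefs") with `write` typed into the permission set rather than a captured denial, and the same holds for the added `ioctl` on configfs files, so neither grant is evidenced here. If the lio PMDA genuinely has to write (for instance if the library it drives creates configfs directories while enumerating targets), paste the real audit record and say so, e.g. `# pmdalio: target enumeration creates configfs dirs, so dir write is required (see the cited bug)`; otherwise keep `{ open read search }` and drop `write`. A monitoring daemon with write access to storage-target configuration is a larger blast radius than anything else this policy gives pcp_pmcd_t.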
scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0 +-# allow pcp_pmcd_t saslauthd_t:unix_stream_socket connectto; +- +- + #============= pcp_pmproxy_t ============== + #type=AVC msg=audit(YYY.67) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability + allow pcp_pmproxy_t self:capability { net_admin dac_override }; +@@ -533,9 +276,6 @@ allow pcp_pmproxy_t self:capability { ne + #type=AVC msg=audit(YYY.70) : avc: denied { getattr } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file + allow pcp_pmproxy_t sysctl_net_t:file { getattr open read }; + +-#type=AVC msg=audit(YYY.71): avc: denied { search } for pid=14446 comm="pmproxy" name="net" dev="proc" ino=1168 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 +-# allow pcp_pmproxy_t sysctl_net_t:dir search; +- + #type=AVC msg=audit(YYY.72): avc: denied { read } for pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file + #RHBZ1517656 + allow pcp_pmproxy_t proc_net_t:file read; +@@ -545,14 +285,11 @@ allow pcp_pmproxy_t proc_net_t:file read + #type=AVC msg=audit(YYY.73): avc: denied { name_bind } for pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 + @PCP_UNRESERVED_PORT_RULE_PMMGR@ + +-#type=AVC msg=audit(YYY.74): avc: denied { connectto } for pid=16715 comm="pmmgr" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=unix_stream_socket permissive=0 +-# allow pcp_pmmgr_t unconfined_t:unix_stream_socket connectto; + #type=AVC msg=audit(XXX.64): avc: denied { execute execute_no_trans open read getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0 + allow pcp_pmmgr_t ldconfig_exec_t:file { execute execute_no_trans open read getattr }; + +-#type=AVC msg=audit(XXX.65): avc: denied { name_connect } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket permissive=0 +-# allow pcp_pmmgr_t zabbix_port_t:tcp_socket name_connect; +- ++#type=AVC msg=audit(XXX.69): avc: denied { dac_override } for pid=3767 comm="pmmgr" capability=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:system_r:pcp_pmmgr_t:s0 tclass=capability permissive=0 ++allow pcp_pmmgr_t self:capability dac_override; + + #============= pmda-smart ============== + +@@ -564,23 +301,25 @@ allow pcp_pmmgr_t ldconfig_exec_t:file { + #type=AVC msg=audit(YYY.80): avc: denied { map } for pid=8678 comm="smartctl" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1 + #type=AVC msg=audit(YYY.81): avc: denied { sys_rawio } for pid=8678 comm="smartctl" capability=17 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1 + +-allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read }; +-@PCP_FSADM_EXEC_MAP_RULE@ ++allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read @PCP_FSADM_EXEC_MAP@ }; + + #============= pmda-nvidia ============== + #type=AVC msg=audit(YYY.83): avc: denied { map } for pid=7034 comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 
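Review bot: `allow pcp_pmmgr_t self:capability dac_override;` gives pmmgr a blanket bypass of DAC permission checks, which is broader than the single denial above it shows (comm="pmmgr", capability=1, no target object recorded). A dac_override denial from a daemon usually means one file or directory is owned or moded so the daemon's uid cannot reach it; fixing that object's ownership keeps the capability out of the policy, and if read-only traversal is all that is needed `dac_read_search` is the narrower permission. If the grant has to stay, record which path and operation triggered audit XXX.69 in the comment so it can be re-verified at the next rebase, e.g. `# pmmgr needs dac_override to <path/op>; reassess if ownership of that object is fixed`. The rest of this hunk only drops commented-out rules and needs nothing.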
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0 + #type=AVC msg=audit(YYY.84): avc: denied { execute } for pid=19828 comm="pmdanvidia" path="//usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0 +-@PCP_DEFAULT_T_MAP@ ++@PCP_DEFAULT_MAP_RULE@ + + #type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0 + allow pcp_pmcd_t self:capability sys_rawio; + ++#============= pmda-rpm ============== ++#type=AVC msg=audit(YYY.89): avc: denied { map } for pid=4969 comm="pmdarpm" path="/var/lib/rpm/Name" dev="dm-0" ino=519186 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0 ++@PCP_RPM_VAR_LIB_RULE@ ++ ++#============= pmda-libvirt ============== ++#type=AVC msg=audit(YYY.90): avc: denied { write } for pid=30922 comm="python3" name="libvirt-sock-ro" dev="tmpfs" ino=25845 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0 ++@PCP_VIRT_VAR_RUN_RULE@ + +-#============= pmda-redis ============== +-#type=AVC msg=audit(YYY.82): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0 +-# allow pcp_pmcd_t redis_port_t:tcp_socket name_connect; +- +-# allow pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type ++# permit pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type + @PCP_SELINUX_MACRO_RULE@ + files_read_all_files(pcp_pmcd_t) + files_read_all_files(pcp_pmie_t) +@@ -591,14 +330,17 @@ files_read_all_files(pcp_pmwebd_t) + + allow pcp_domain 
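Review bot: The new `@PCP_RPM_VAR_LIB_RULE@` and `@PCP_VIRT_VAR_RUN_RULE@` placeholders in the pmda-rpm and pmda-libvirt sections give a reader of this file no way to see which permission is actually granted, because the expansion lives in configure. The AVCs above them show what is needed — `map` on a rpm_var_lib_t file and `write` on the virt_var_run_t `libvirt-sock-ro` sock_file — so state the intended expansion beside each placeholder, e.g. `# expands to: allow pcp_pmcd_t virt_var_run_t:sock_file write; (empty when the base policy lacks the type)`, and keep the libvirt rule to sock_file write rather than a file or dir write on virt_var_run_t. Folding `@PCP_FSADM_EXEC_MAP@` into the single `fsadm_exec_t` rule is fine, but the same one-line note about what it expands to would help there too. I cannot see the configure side, so treat these expansions as what the comments should assert, not as verified.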
file_type:fifo_file read_fifo_file_perms; + +-# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system ++# permit pcp_pmcd_t domain to read shared memory and semaphores of all domain on system + allow pcp_domain domain:shm r_sem_perms; + allow pcp_domain domain:sem r_shm_perms; + allow pcp_domain userdomain:shm r_sem_perms; + allow pcp_domain userdomain:sem r_shm_perms; + +-# allow pcp_domain stream connect to all domains ++# permit pcp_domain stream connect to all domains + allow pcp_domain domain:unix_stream_socket connectto; + +-# allow pcp_domain to connect to all ports. ++# permit pcp_domain to connect to all ports. + corenet_tcp_connect_all_ports(pcp_domain) ++ ++# all pcp_domain read access to all maps ++@PCP_MMAP_ALL@ +diff -Naurp pcp-4.3.2.orig/src/selinux/README pcp-4.3.2/src/selinux/README +--- pcp-4.3.2.orig/src/selinux/README 2019-04-09 10:48:01.000000000 +1000 ++++ pcp-4.3.2/src/selinux/README 2019-08-08 15:30:17.504036461 +1000 +@@ -55,6 +55,22 @@ rather than the singular form + + as reported by audit2allow -m. + ++Also, some of the "require" elements may be optional (not supported ++on all versions of selinux), so watch out for things like ++ ++ @PCP_TRACEFS@ ++ ++which becomes ++ ++ type tracefs_t; ++ ++or ++ ++ ++ ++and the corresponding conditional rules, like @PCP_TRACEFS_FS_RULE@, ++@PCP_TRACEFS_DIR_RULE@ and @PCP_TRACEFS_FILE_RULE@ ++ + Now go further down src/selinux/pcpupstream.te.in and add the + "allow" clause from audit2allow -m, prefixed by the full text of + the matching AVC line from audit.log as a comment, so something like: diff --git a/SPECS/pcp.spec b/SPECS/pcp.spec index c816587..291c895 100644 --- a/SPECS/pcp.spec +++ b/SPECS/pcp.spec @@ -1,6 +1,6 @@ Name: pcp Version: 4.3.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: System-level performance monitoring and performance management License: GPLv2+ and LGPLv2+ and CC-BY URL: https://pcp.io 
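Review bot: The added comment `# all pcp_domain read access to all maps` is missing its verb and does not say what `@PCP_MMAP_ALL@` grants; a file-type-wide `map` permission for every pcp domain is a broad rule that should be spelled out, e.g. `# permit every pcp_domain to mmap any file it may already read (@PCP_MMAP_ALL@; empty on policies without the map permission)`, adjusted to whatever configure really substitutes, which is not visible from here. Together with the surrounding `files_read_all_files`, the `connectto` to every domain and `corenet_tcp_connect_all_ports`, this is the section where pcp_domain becomes close to unconfined, so the comment should also explain why the per-type map rules added elsewhere in this patch (nvidia, rpmdb, fsadm) are not sufficient on their own. Minor, on the untouched context lines: `allow pcp_domain domain:shm r_sem_perms;` and `allow pcp_domain domain:sem r_shm_perms;` pair each class with the other class's permission set; as far as I recall the two sets are identical in reference policy so it is harmless, but swapping them would read correctly.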
@@ -18,6 +18,8 @@ Patch0: redhat-bugzilla-1597975.patch Patch1: pmcd-pmlogger-local-context.patch Patch2: qa-fixmod.patch Patch3: redhat-bugzilla-1742051.patch +Patch4: selinux-override.patch +Patch5: selinux-policy.patch %if 0%{?fedora} >= 26 || 0%{?rhel} > 7 %global __python2 python2 @@ -30,6 +32,7 @@ Patch3: redhat-bugzilla-1742051.patch %else %global disable_selinux 1 %endif +%global version_selinux 3.13.1-249 %global disable_snmp 0 @@ -2076,13 +2079,14 @@ PCP utilities and daemons, and the PCP graphical tools. License: GPLv2+ and CC-BY Summary: Selinux policy package URL: https://pcp.io -BuildRequires: selinux-policy-devel -BuildRequires: selinux-policy-targeted +BuildRequires: selinux-policy-devel >= %{version_selinux} +BuildRequires: selinux-policy-targeted >= %{version_selinux} %if 0%{?rhel} == 5 BuildRequires: setools %else BuildRequires: setools-console %endif +Requires: selinux-policy >= %{version_selinux} Requires: policycoreutils %description selinux @@ -2101,6 +2105,8 @@ updated policy package. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build %if !%{disable_python2} && 0%{?default_python} != 3 @@ -2449,15 +2455,9 @@ fi %preun pmda-oracle %{pmda_remove "$1" "oracle"} -%preun pmda-postgresql -%{pmda_remove "$1" "postgresql"} - %preun pmda-postfix %{pmda_remove "$1" "postfix"} -%preun pmda-elasticsearch -%{pmda_remove "$1" "elasticsearch"} - %if !%{disable_snmp} %preun pmda-snmp %{pmda_remove "$1" "snmp"} @@ -2493,12 +2493,6 @@ fi %preun pmda-gpsd %{pmda_remove "$1" "gpsd"} -%preun pmda-lio -%{pmda_remove "$1" "lio"} - -%preun pmda-prometheus -%{pmda_remove "$1" "prometheus"} - %preun pmda-lustre %{pmda_remove "$1" "lustre"} @@ -2517,9 +2511,6 @@ fi %preun pmda-news %{pmda_remove "$1" "news"} -%preun pmda-nfsclient -%{pmda_remove "$1" "nfsclient"} - %if !%{disable_nutcracker} %preun pmda-nutcracker %{pmda_remove "$1" "nutcracker"} 
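Review bot: `Requires: selinux-policy >= %{version_selinux}` and the matching BuildRequires floors pin the subpackage to base-policy build 3.13.1-249 without recording which types or permissions that build is the first to ship, so a later rebase cannot tell whether the floor may be lowered or must be raised. Put the reason next to the definition in the earlier hunk, e.g. `%global version_selinux 3.13.1-249  # first selinux-policy build providing the types the pcp policy now requires unconditionally`, naming the concrete types if they are known. Note that `>=` is also satisfied by any newer numbering series, which is presumably intended, but it means the floor only constrains el7-style versions.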
@@ -2552,6 +2543,21 @@ fi %endif %if !%{disable_python2} || !%{disable_python3} +%preun pmda-elasticsearch +%{pmda_remove "$1" "elasticsearch"} + +%preun pmda-nfsclient +%{pmda_remove "$1" "nfsclient"} + +%preun pmda-postgresql +%{pmda_remove "$1" "postgresql"} + +%preun pmda-lio +%{pmda_remove "$1" "lio"} + +%preun pmda-prometheus +%{pmda_remove "$1" "prometheus"} + %preun pmda-gluster %{pmda_remove "$1" "gluster"} @@ -3056,9 +3062,6 @@ cd %files pmda-ds389 %{_pmdasdir}/ds389 -%files pmda-elasticsearch -%{_pmdasdir}/elasticsearch - %files pmda-gpfs %{_pmdasdir}/gpfs @@ -3068,12 +3071,6 @@ cd %files pmda-docker %{_pmdasdir}/docker -%files pmda-lio -%{_pmdasdir}/lio - -%files pmda-prometheus -%{_pmdasdir}/prometheus - %files pmda-lustre %{_pmdasdir}/lustre @@ -3098,9 +3095,6 @@ cd %files pmda-nginx %{_pmdasdir}/nginx -%files pmda-nfsclient -%{_pmdasdir}/nfsclient - %if !%{disable_nutcracker} %files pmda-nutcracker %{_pmdasdir}/nutcracker @@ -3115,10 +3109,6 @@ cd %files pmda-postfix %{_pmdasdir}/postfix -%files pmda-postgresql -%{_pmdasdir}/postgresql -%config(noreplace) %{_pmdasdir}/postgresql/pmdapostgresql.conf - %files pmda-redis %{_pmdasdir}/redis @@ -3151,6 +3141,22 @@ cd %endif %if !%{disable_python2} || !%{disable_python3} +%files pmda-elasticsearch +%{_pmdasdir}/elasticsearch + +%files pmda-nfsclient +%{_pmdasdir}/nfsclient + +%files pmda-postgresql +%{_pmdasdir}/postgresql +%config(noreplace) %{_pmdasdir}/postgresql/pmdapostgresql.conf + +%files pmda-lio +%{_pmdasdir}/lio + +%files pmda-prometheus +%{_pmdasdir}/prometheus + %files pmda-gluster %{_pmdasdir}/gluster @@ -3309,6 +3315,9 @@ cd %endif %changelog +* Wed Dec 11 2019 Nathan Scott - 4.3.2-4 +- Updated PCP selinux policy to resolve install failure (BZs 1777676, 1781692) + * Wed Aug 28 2019 Mark Goodwin - 4.3.2-3 - Fix memory leak in proc PMDA (BZ 1742051)