diff -Naurp pcp-4.1.0-orig/qa/1141 pcp-4.1.0/qa/1141
--- pcp-4.1.0-orig/qa/1141 2017-12-18 09:31:30.000000000 +1100
+++ pcp-4.1.0/qa/1141 2018-09-05 08:46:05.578019776 +1000
@@ -17,6 +17,8 @@ policy_name="pcpqaqaqaqa"
 policy_file="$PCP_VAR_DIR/selinux/pcpupstream.pp"
 which sedismod >/dev/null 2>&1 || _notrun "sedismod tool not installed (module disassembly)"
 which semodule >/dev/null 2>&1 || _notrun "semodule tool not installed"
+$sudo semodule -l >/dev/null 2>&1
+[ $? -eq 0 ] || _notrun "semodule -l fails"
 which seinfo >/dev/null 2>&1 || _notrun "seinfo tool not installed"
 [ -f "$policy_file" ] || _notrun "upstream policy package not installed"
 #if a matching module is already installed
diff -Naurp pcp-4.1.0-orig/qa/917.out.in pcp-4.1.0/qa/917.out.in
--- pcp-4.1.0-orig/qa/917.out.in 2018-05-09 07:50:53.000000000 +1000
+++ pcp-4.1.0/qa/917.out.in 2018-09-05 08:46:47.973426601 +1000
@@ -16,11 +16,11 @@ decl 1:
 allow [pcp_pmcd_t] [sysctl_net_t] : [dir] { search };
 allow [pcp_pmcd_t] [sysctl_net_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans open read };
- allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
- allow [pcp_pmcd_t] [debugfs_t] : [file] { getattr ioctl open read };
+ allow [pcp_pmcd_t] [debugfs_t] : [dir] { read search };
+ allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
 allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
 allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
- allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_owner sys_resource };
+ allow [pcp_pmcd_t] self : [capability] { kill sys_ptrace net_admin chown ipc_lock ipc_owner sys_resource };
 allow [pcp_pmcd_t] [initctl_t] : [fifo_file] { getattr };
 allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
 allow [pcp_pmcd_t] self : [cap_userns] { sys_ptrace };
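Review bot: The new probe reads `$?` on a separate line while every neighbouring check uses the one-line `cmd || _notrun` form; `$sudo semodule -l >/dev/null 2>&1 || _notrun "semodule -l fails"` is consistent and cannot be broken by a command slipping in between the two lines. The `which semodule` check just above already proves the binary exists, so the reason this second probe is needed is not obvious to a later reader and deserves a comment such as `# semodule is installed but may still be unable to read the policy store`. The failure that motivated it is not visible in this diff, so the exact wording should come from that case.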
@@ -36,8 +36,8 @@ decl 1:
 allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
 allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
 allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
- allow [pcp_pmcd_t] [tracefs_t] : [file] { append open read };
- allow [pcp_pmcd_t] [gconf_home_t] : [dir] { search };
+ allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+ allow [pcp_pmcd_t] [gconf_home_t] : [dir] { open read search getattr };
 allow [pcp_pmcd_t] [virt_etc_t] : [dir] { search };
 allow [pcp_pmcd_t] [virt_etc_t] : [file] { open read };
 allow [pcp_pmcd_t] [virtd_t] : [unix_stream_socket] { connectto };
@@ -55,6 +55,7 @@ decl 1:
 allow [pcp_pmcd_t] [httpd_t] : [shm] { unix_read associate getattr };
 allow [pcp_pmcd_t] [httpd_t] : [sem] { unix_read associate getattr };
 allow [pcp_pmcd_t] [sysfs_t] : [dir] { write };
+ allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read };
 allow [pcp_pmcd_t] [hugetlbfs_t] : [dir] { open read };
 allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read };
 allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read };
@@ -65,6 +66,12 @@ decl 1:
 allow [pcp_pmcd_t] [glusterd_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmcd_t] [glusterd_var_lib_t] : [dir] { search };
 allow [pcp_pmcd_t] [mozilla_plugin_t] : [sem] { unix_read };
+ allow [pcp_pmcd_t] self : [process] { execmem setrlimit };
+ allow [pcp_pmcd_t] [system_map_t] : [file] { ioctl open read };
+ allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search };
+ allow [pcp_pmcd_t] [init_t] : [shm] { unix_read };
+ allow [pcp_pmcd_t] [gpsd_t] : [shm] { associate getattr };
+ allow [pcp_pmcd_t] [default_t] : [file] { getattr };
 allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
 allow [pcp_pmlogger_t] self : [capability] { kill };
 allow [pcp_pmlogger_t] [init_t] : [system] { status };
@@ -74,10 +81,12 @@ decl 1:
 allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal };
 allow [pcp_pmlogger_t] [pcp_pmlogger_exec_t] : [file] { execute_no_trans };
 allow [pcp_pmlogger_t] [dey_sapi_port_t] : [tcp_socket] { name_connect };
+ allow [pcp_pmlogger_t] [unconfined_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmlogger_t] [user_home_dir_t] : [dir] { search };
 allow [pcp_pmlogger_t] [kernel_t] : [unix_dgram_socket] { sendto };
+ allow [pcp_pmlogger_t] [home_bin_t] : [dir] { search };
 allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
- allow [pcp_pmie_t] self : [capability] { kill sys_ptrace net_admin chown };
+ allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner };
 allow [pcp_pmie_t] [init_t] : [unix_stream_socket] { connectto };
 allow [pcp_pmie_t] [initrc_var_run_t] : [file] { lock open read };
 allow [pcp_pmie_t] [init_t] : [system] { status };
@@ -89,6 +98,7 @@ decl 1:
 allow [pcp_pmie_t] [kmsg_device_t] : [chr_file] { open };
 allow [pcp_pmie_t] [pcp_pmcd_t] : [process] { signal };
 allow [pcp_pmie_t] [init_exec_t] : [file] { getattr };
+ allow [pcp_pmie_t] [user_home_dir_t] : [dir] { search };
 allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
 allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
@@ -98,7 +108,7 @@ decl 1:
 allow [pcp_pmcd_t] [modules_object_t] : [dir] { search };
 allow [pcp_pmcd_t] [modules_object_t] : [file] { getattr open read };
 allow [pcp_pmcd_t] [saslauthd_t] : [unix_stream_socket] { connectto };
- allow [pcp_pmproxy_t] self : [capability] { net_admin };
+ allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin };
 allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
 allow [pcp_pmproxy_t] [sysctl_net_t] : [dir] { search };
 allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
@@ -109,4 +119,5 @@ decl 1: allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read }; allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map }; allow [pcp_pmcd_t] self : [capability] { sys_rawio }; + allow [pcp_pmcd_t] [redis_port_t] : [tcp_socket] { name_connect }; diff -Naurp pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh pcp-4.1.0/src/pmlogger/pmlogger_check.sh --- pcp-4.1.0-orig/src/pmlogger/pmlogger_check.sh 2018-06-12 20:18:14.000000000 +1000 +++ pcp-4.1.0/src/pmlogger/pmlogger_check.sh 2018-09-05 08:47:39.165710353 +1000 @@ -1,6 +1,6 @@ #! /bin/sh # -# Copyright (c) 2013-2016 Red Hat. +# Copyright (c) 2013-2016,2018 Red Hat. # Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved. # # This program is free software; you can redistribute it and/or modify it @@ -160,6 +160,13 @@ then exit fi +_compress_now() +{ + # If $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now. + # Invoked just before exit when this script has finished successfully. + $PCP_BINADM_DIR/pmlogger_daily -K $daily_args +} + # after argument checking, everything must be logged to ensure no mail is # accidentally sent from cron. Close stdout and stderr, then open stdout # as our logfile and redirect stderr there too. @@ -175,10 +182,13 @@ else _save_prev_file "$PROGLOG" # After argument checking, everything must be logged to ensure no mail is # accidentally sent from cron. Close stdout and stderr, then open stdout - # as our logfile and redirect stderr there too. + # as our logfile and redirect stderr there too. Create the log file with + # correct ownership first. # - # Exception is for -N where we want to see the output + # Exception ($SHOWME, above) is for -N where we want to see the output. # + touch "$PROGLOG" + chown $PCP_USER:$PCP_GROUP "$PROGLOG" >/dev/null 2>&1 exec 1>"$PROGLOG" 2>&1 fi 
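Review bot: The header comment on `_compress_now` says it is "Invoked just before exit when this script has finished successfully", but the same commit also calls it from the stop and no-start early exits, where nothing has been started, so the comment describes only one of its three callers. Something like `# Compress archives per $PCP_COMPRESSAFTER in the control file(s) by running` / `# pmlogger_daily -K; called on every non-error exit path, including -s and no-start.` states the real contract. It is also worth a one-line note that `$daily_args` is deliberately unquoted because it presumably holds several words that must split into separate arguments, since a later quoting cleanup would otherwise silently break the call.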
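Review bot: `touch "$PROGLOG"` and `chown $PCP_USER:$PCP_GROUP "$PROGLOG"` both follow symbolic links, so if this path ever runs with root privileges while the directory holding `$PROGLOG` is writable by `$PCP_USER` (the very user the chown is for), a symlink planted at `$PROGLOG` hands that user ownership of an arbitrary file; whether `_save_prev_file "$PROGLOG"` on the line above clears a pre-existing entry cannot be seen here, as its definition is outside the hunk. An explicit guard before the `touch` closes this regardless: `[ -L "$PROGLOG" ] && { echo "$prog: $PROGLOG is a symbolic link, refusing to use it" >&2; exit 1; }`. The diff does not show which invocation runs as root, and the chown's errors are discarded, so the new comment "Create the log file with correct ownership first" should say which case actually needs the chown (if the script only ever runs as `$PCP_USER` it is a no-op). The enclosing `if`/`else` begins before this hunk.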
@@ -219,11 +229,19 @@ fi if [ $STOP_PMLOGGER = true ] then - # if pmlogger has never been started, there's no work to do to stop it - [ ! -d "$PCP_TMP_DIR/pmlogger" ] && exit + # if pmlogger hasn't been started, there's no work to do to stop it + # but we still want to compress existing logs, if any + if [ ! -d "$PCP_TMP_DIR/pmlogger" ] + then + _compress_now + exit + fi $QUIETLY || $PCP_BINADM_DIR/pmpost "stop pmlogger from $prog" elif [ $START_PMLOGGER = false ] then + # if we're not going to start pmlogger, there is no work to do other + # than compress existing logs, if any. + _compress_now exit fi @@ -964,10 +982,8 @@ then fi fi -# and if $PCP_COMPRESSAFTER=0 in the control file(s), compress archives now ... -# -$PCP_BINADM_DIR/pmlogger_daily -K $daily_args - +# Prior to exiting we compress existing logs, if any. See pmlogger_daily -K +_compress_now [ -f $tmp/err ] && status=1 exit diff -Naurp pcp-4.1.0-orig/src/selinux/GNUlocaldefs pcp-4.1.0/src/selinux/GNUlocaldefs --- pcp-4.1.0-orig/src/selinux/GNUlocaldefs 2018-05-08 09:38:33.000000000 +1000 +++ pcp-4.1.0/src/selinux/GNUlocaldefs 2018-09-05 08:45:27.409553808 +1000 @@ -44,6 +44,7 @@ endif ifeq "$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true" PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc" PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;" +PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;" endif ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true" 
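Review bot: On both new early-exit paths the bare `exit` after `_compress_now` now returns whatever `pmlogger_daily -K` returned, whereas the replaced `[ ! -d ... ] && exit` always left the stop path with status 0; what callers finally see depends on an EXIT trap outside this hunk that may substitute `$status`. Either outcome is defensible, but it should be spelled out: `_compress_now` / `exit 0` if compression problems must never fail a `-s` stop, or `_compress_now || status=1` to match how `$tmp/err` feeds `status` at the end of the script. A one-line comment recording which was chosen stops the next person from "fixing" it the other way.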
@@ -56,7 +57,7 @@ ifeq "$(PCP_SELINUX_TRACEFS)" "true" PCP_TRACEFS="type tracefs_t\;" PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;" PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;" -PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { read open append }\;" +PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;" endif ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true" diff -Naurp pcp-4.1.0-orig/src/selinux/GNUmakefile pcp-4.1.0/src/selinux/GNUmakefile --- pcp-4.1.0-orig/src/selinux/GNUmakefile 2018-06-04 16:09:25.000000000 +1000 +++ pcp-4.1.0/src/selinux/GNUmakefile 2018-09-05 08:45:27.409553808 +1000 @@ -51,6 +51,7 @@ $(IAM).te: $(IAM).te.in -e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \ -e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \ -e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \ + -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \ -e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \ -e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \ -e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \ diff -Naurp pcp-4.1.0-orig/src/selinux/pcpupstream.te.in pcp-4.1.0/src/selinux/pcpupstream.te.in --- pcp-4.1.0-orig/src/selinux/pcpupstream.te.in 2018-05-09 07:50:53.000000000 +1000 +++ pcp-4.1.0/src/selinux/pcpupstream.te.in 2018-09-05 08:45:27.410553794 +1000 @@ -29,13 +29,13 @@ require { type configfs_t; # pcp-lio type modules_conf_t; # pcp-lio type saslauthd_t; # pcp-lio - type modules_object_t; # pcp-lio + type modules_object_t; # pcp-lio, pcp.bcc @PCP_NSFS_T@ type nfsd_fs_t; #RHBZ1515928 type pcp_pmie_exec_t; # pmdasummary @PCP_SYSTEMCTL_UNIT_FILE_T@ @PCP_SYSTEMCTL_EXEC_T@ - type debugfs_t; # pmdalibvirt + type debugfs_t; # pmdalibvirt pmda.gfs2 pmda.bcc type unconfined_t; #RHBZ1443632 type devlog_t; #RHBZ1449671 @PCP_UNRESERVED_PORT@ 
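Review bot: Adding `write` to `PCP_TRACEFS_FILE_RULE` lets everything running as `pcp_pmcd_t` — every PMDA, not just the one that needs it — write any file under tracefs, which covers the controls that enable tracepoints and switch tracers, not only the per-event `id` files the existing AVC in pcpupstream.te.in cites for `open`. The variable carries no comment, so please record which PMDA and which file need `write` (the .te.in tags `tracefs_t` with pmda.gfs2), e.g. `# write: pmda.gfs2 toggles gfs2 tracepoints under tracing/events/gfs2 (see AVC in pcpupstream.te.in)` — hedged on the exact path, since the motivating denial is not in this diff. If the policy grows a boolean for optional PMDAs, this write is a good candidate to gate on it.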
@@ -53,6 +53,7 @@ require {
 @PCP_MOCK_VAR_LIB@
 type ldconfig_exec_t;
 type httpd_t;
+ type redis_port_t;
 type zabbix_port_t;
 type sysfs_t; #RHBZ1545245
 type hugetlbfs_t;
@@ -68,12 +69,18 @@ require {
 type kernel_t;
 type mozilla_plugin_t;
 type fsadm_exec_t;
+ type tracefs_t; # pmda.gfs2
+ type system_map_t; # pmda.bcc
+ type sysctl_irq_t; # pmda.bcc
+ type gpsd_t; #RHBZ1594991
+ type default_t;
+ type home_bin_t;
 class sem { unix_read associate getattr };
 class lnk_file { read getattr };
 class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
 class dir { add_name open read search write getattr };
 class unix_stream_socket connectto;
- class capability { kill sys_ptrace net_admin chown sys_chroot ipc_owner sys_resource fowner sys_rawio fsetid };
+ class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
 @PCP_CAPUSERNS_PTRACE@
 class chr_file { open write };
 class fifo_file { getattr read open unlink }; # qa/455
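Review bot: `type default_t;` and `type home_bin_t;` are the only new `require` entries without a comment naming the PMDA or bug that needs them, while `gpsd_t` cites `#RHBZ1594991` and the bcc/gfs2 types are tagged. `default_t` in particular is the label a file gets when no file context matched, so an allow on it usually masks a labeling bug rather than describing a real need. Please annotate both, e.g. `type default_t; # <PMDA/RHBZ>: which unlabelled file?` and `type home_bin_t; # pmlogger, see AVC below` — the text has to come from the denials that prompted them, which are not in this diff. The `dac_override` and `ipc_lock` additions to the `capability` class are used by rules later in the file and have the same documentation gap.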
@@ -117,19 +124,18 @@ allow pcp_pmcd_t svirt_sandbox_file_t:di allow pcp_pmcd_t sysctl_net_t:dir search; allow pcp_pmcd_t sysctl_net_t:file { getattr open read }; allow pcp_pmcd_t user_home_t:file { execute execute_no_trans open read }; -allow pcp_pmcd_t debugfs_t:dir read; -allow pcp_pmcd_t debugfs_t:file { getattr ioctl open read }; +allow pcp_pmcd_t debugfs_t:dir { read search }; +allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write }; allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read }; allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131 #type=AVC msg=audit(1463754714.313:316): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1 #type=AVC msg=audit(1491576442.619:1738169): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 #type=AVC msg=audit(1498833776.957:2094): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 -allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_owner chown kill sys_resource }; +allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource }; #type=AVC msg=audit(1491581538.561:10949): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1 allow pcp_pmcd_t initctl_t:fifo_file getattr; -#type=AVC msg=audit(1491581538.561:10950): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/proc/kcore" dev="proc" ino=4026532007 scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=1 allow pcp_pmcd_t proc_kcore_t:file getattr; #type=AVC msg=audit(1491581538.587:10952): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1 @@ -183,7 +189,7 @@ allow pcp_pmcd_t hostname_exec_t:file { #type=AVC msg=audit(1498845911.360:7647): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0 @PCP_TRACEFS_FILE_RULE@ -allow pcp_pmcd_t gconf_home_t:dir search; +allow pcp_pmcd_t gconf_home_t:dir { getattr open read search }; allow pcp_pmcd_t virt_etc_t:dir search; allow pcp_pmcd_t virt_etc_t:file { read open }; allow pcp_pmcd_t virtd_t:unix_stream_socket connectto; @@ -222,7 +228,8 @@ allow pcp_pmcd_t httpd_t:sem { unix_read #RHBZ1545245 allow pcp_pmcd_t sysfs_t:dir write; -#allow pcp_pmcd_t modules_object_t:lnk_file read; +# pmda.bcc +allow pcp_pmcd_t modules_object_t:lnk_file read; allow pcp_pmcd_t hugetlbfs_t:dir { open read }; allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read }; 
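Review bot: `ipc_lock` joins the `pcp_pmcd_t self:capability` line and `debugfs_t:file` gains `append` and `write`, but neither is backed by an AVC comment the way `net_admin`, `sys_ptrace` and `ipc_owner` are on the lines just above, so a later reviewer cannot tell which PMDA or file needed them. `write` on `debugfs_t` reaches every control file under /sys/kernel/debug for every PMDA in the domain, not just the one that asked, so the comment should name the file, e.g. `#pmda.gfs2/pmda.bcc: write <path> under debugfs (AVC: ...)` with the denial copied from the run that produced it (the require block tags `debugfs_t` with pmdalibvirt, pmda.gfs2 and pmda.bcc, so say which). This hunk is split across two physical lines; the removed `/proc/kcore` AVC comment is history and needs nothing.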
@@ -241,6 +248,21 @@ allow pcp_pmcd_t glusterd_var_lib_t:dir #RHBZ1565158 allow pcp_pmcd_t mozilla_plugin_t:sem unix_read; +#pmda.bcc +allow pcp_pmcd_t self:process { execmem setrlimit }; +#type=AVC msg=audit(1530448398.992:231): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1 +allow pcp_pmcd_t system_map_t:file { ioctl open read }; + +allow pcp_pmcd_t sysctl_irq_t:dir { search }; + +#RHBZ1592901 +allow pcp_pmcd_t init_t:shm unix_read; + +#RHBZ1594991 +allow pcp_pmcd_t gpsd_t:shm { associate getattr }; + +allow pcp_pmcd_t default_t:file getattr; + #============= pcp_pmlogger_t ============== allow pcp_pmlogger_t kmsg_device_t:chr_file { open write }; allow pcp_pmlogger_t self:capability kill; @@ -257,7 +279,6 @@ allow pcp_pmlogger_t devlog_t:lnk_file r allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid }; ## type=AVC msg=audit(04/19/2017 16:57:40.120:11020) : avc: denied { signal } for pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process - allow pcp_pmlogger_t unconfined_t:process signal; #type=AVC msg=audit(1503321970.417:261): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0 
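Review bot: `allow pcp_pmcd_t self:process { execmem setrlimit };` drops the W^X restriction for the whole `pcp_pmcd_t` domain — every PMDA, not only the bcc one — and together with the new `system_map_t` read (the AVC shows python3 reading `/proc/kallsyms`) it gives any compromised PMDA writable+executable anonymous memory plus kernel symbol addresses. Only `system_map_t` carries its AVC; `execmem`, `setrlimit`, `sysctl_irq_t` and `default_t:file getattr` have no denial or bug reference, and `default_t` normally points at an unlabelled file that wants a file context rather than an allow rule. At minimum say what needs each, e.g. `#pmda.bcc: the LLVM JIT in the bcc python module needs W+X anonymous mappings (execmem)` and `#pmda.bcc: raises RLIMIT_MEMLOCK for BPF maps (setrlimit) -- confirm against the AVC`. If the policy has any mechanism for optional rules, `execmem` is the one to gate on it so hosts without pmda.bcc keep W^X.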
@@ -266,17 +287,23 @@ allow pcp_pmlogger_t pcp_pmlogger_exec_t #type=AVC msg=audit(1493690261.688:262): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect; +#type=AVC msg=audit(1533291591.092:495620): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 +allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto; + #RHBZ1488116 #type=AVC msg=audit(1504516526.487:431): avc: denied { search } for pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir allow pcp_pmlogger_t user_home_dir_t:dir search; - #RHBZ1547066 allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto; + +allow pcp_pmlogger_t home_bin_t:dir search; + + #============= pcp_pmie_t ============== allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read @PCP_HOSTNAME_EXEC_MAP@ }; #type=AVC msg=audit(1498847682.537:15753): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0 -allow pcp_pmie_t self:capability { chown kill net_admin sys_ptrace }; +allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace }; #type=AVC msg=audit(04/05/2017 10:24:45.084:351) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket allow pcp_pmie_t init_t:unix_stream_socket connectto; 
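Review bot: The AVC motivating `allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto;` shows the peer of `/run/pcp/pmcd.socket` as `unconfined_u:unconfined_r:unconfined_t`, i.e. on that host pmcd itself was running unconfined (started from an admin shell rather than through the `pcp_pmcd_t` transition), so the rule papers over a mislabelled daemon by letting pmlogger connect to any unconfined process's stream socket. If a hand-started pmcd is a case worth supporting, say so in the comment, e.g. `# pmcd started by hand from an unconfined shell, not via the pcp_pmcd_t transition`; otherwise the fix belongs in how pmcd is launched, not here. `allow pcp_pmlogger_t home_bin_t:dir search;` and the `dac_override`/`fowner` added to `pcp_pmie_t` arrive with no AVC or bug reference, unlike their neighbours; `dac_override` in particular usually means pmie opens a file it does not own, which a `chown` would fix far more narrowly than a capability.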
@@ -319,6 +346,9 @@ allow pcp_pmie_t pcp_pmcd_t:process sign #RHBZ1547066 allow pcp_pmie_t init_exec_t:file getattr; + +@PCP_CAPUSERNS_PTRACE_RULE_PMIE@ +allow pcp_pmie_t user_home_dir_t:dir search; #============= pmda-lio ============== allow pcp_pmcd_t configfs_t:dir { open read search }; allow pcp_pmcd_t configfs_t:file { getattr open read }; @@ -336,7 +366,7 @@ allow pcp_pmcd_t saslauthd_t:unix_stream #============= pcp_pmproxy_t ============== #type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability -allow pcp_pmproxy_t self:capability net_admin; +allow pcp_pmproxy_t self:capability { net_admin dac_override }; #type=AVC msg=audit(04/05/2017 09:54:13.548:281) : avc: denied { read } for pid=6669 comm=pmproxy name=disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file #type=AVC msg=audit(04/05/2017 10:24:45.771:356) : avc: denied { open } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 
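Review bot: `dac_override` is added to `pcp_pmproxy_t` with no AVC or bug reference, while the `net_admin` beside it cites its denial; `dac_override` lets the daemon bypass mode bits on every file it can reach, and the usual root cause is a log or run directory owned by someone else, which ownership fixes (as pmlogger_check.sh does with `chown` in this same commit) rather than a capability. Please either record the denial, `#type=AVC ... denied { dac_override } ... comm="pmproxy" ...`, ideally with the path it was opening, or drop the grant if the ownership fix removes the need. The same applies to the `dac_override` granted to `pcp_pmie_t` earlier in this file.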
@@ -373,3 +403,7 @@ allow pcp_pmmgr_t zabbix_port_t:tcp_sock
 allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
 @PCP_FSADM_EXEC_MAP_RULE@
 allow pcp_pmcd_t self:capability sys_rawio;
+
+#============= pmda-redis ==============
+#type=AVC msg=audit(1533183330.416:362367): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
+allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;
diff -Naurp pcp-4.1.0-orig/src/selinux/README pcp-4.1.0/src/selinux/README
--- pcp-4.1.0-orig/src/selinux/README 2017-11-29 14:33:29.000000000 +1100
+++ pcp-4.1.0/src/selinux/README 2018-09-05 08:45:27.410553794 +1000
@@ -102,14 +102,16 @@ In general usage, the only portion we ca SELinux manages a list of 'contexts' and how contexts are allowed to interact with each other. -For example, it makes sense that the 'pcp_pmlogger_t' context to be -able to read and write to pcp log files with a 'pcp_log_t' context. -However, it doesn't make sense for 'pcp_pmlogger_t' to write to apache +For example, it makes sense for the 'pcp_pmlogger_t' context to be +able to read and write to PCP log files with a 'pcp_log_t' context. +However, it doesn't make sense for 'pcp_pmlogger_t' to write to Apache log files, which have a 'httpd_log_t' context. -Where this can be of focus for PCP is various pmda's gathering metrics from domains. And, using the example -with apache earlier, many of these files have different contexts. We need to document these accesses and -why they're required, building our own policy package for inclusion in the running policy. +Where this can be of focus for PCP is various PMDA's gathering metrics +from domains. And, using the example with Apache earlier, many of these +files have different contexts. We need to document these accesses and +why they're required, building our own policy package for inclusion in +the running policy. == Testing == @@ -143,4 +145,4 @@ http://equivocation.org/node/24 http://equivocation.org/node/27 http://equivocation.org/node/42 http://equivocation.org/node/51 -http://equivocation.org/node/52 \ No newline at end of file +http://equivocation.org/node/52