diff -Naurp pcp-4.3.2.orig/qa/917 pcp-4.3.2/qa/917 --- pcp-4.3.2.orig/qa/917 2018-11-27 10:46:07.000000000 +1100 +++ pcp-4.3.2/qa/917 2020-04-01 15:30:14.402025885 +1100 @@ -21,6 +21,7 @@ which seinfo >/dev/null 2>&1 || _notrun ( seinfo -t 2>&1 | grep 'Default policy search failed: No such file or directory' >/dev/null ) && _notrun "seinfo version bad: can't load default policy" [ -f "$policy_file" ] || _notrun "upstream policy package not installed" $sudo semodule -l 2>&1 | grep -q $policy_name || _notrun "upstream policy package not loaded" +[ -f $PCP_INC_DIR/builddefs ] || _notrun "No $PCP_INC_DIR/builddefs" seinfo --common >/dev/null 2>&1 if [ $? -eq 0 ] 
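Review bot: The new guard leaves `$PCP_INC_DIR` unquoted in `[ -f $PCP_INC_DIR/builddefs ]`, unlike the `[ -f "$policy_file" ]` test two lines above it; with the variable empty the check quietly degrades to `[ -f /builddefs ]` and the _notrun message says only "No /builddefs". Suggest `[ -f "$PCP_INC_DIR/builddefs" ] || _notrun "No $PCP_INC_DIR/builddefs"`, and the same quoting for the later `grep ... $PCP_INC_DIR/builddefs` in the third hunk of this file.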
@@ -29,30 +30,6 @@ then else common_flag="" fi -nsfs_t=`seinfo -t | grep 'nsfs_t$'` -docker_var_lib_t="" -svirt_lxc_net_t=`seinfo -t | grep "svirt_lxc_net_t$"` -systemd_systemctl_exec_t=`seinfo -t | grep "systemd_systemctl_exec_t$"` -systemd_systemctl_unit_file_t=`seinfo -t | grep "systemd_unit_file_t$"` -systemd_systemctl_unit_dir_t=`seinfo -t | grep "systemd_unit_dir_t$"` -devlog_t=`seinfo -t | grep "devlog_t$"` -init_t=`seinfo -t | grep "init_t$"` -cap_userns_ptrace=`seinfo --class=cap_userns $common_flag -x 2>&1 | grep "sys_ptrace$"` -unreserved_port_t=`seinfo -t | grep "unreserved_port_t$"` -tracefs_t=`seinfo -t | grep "tracefs_t$"` -class_status=`seinfo -x --class=system $common_flag | grep "status$"` -sock_file_getattr=`seinfo -x --class=sock_file $common_flag | grep "getattr$"` -hostname_exec_map_a=`seinfo -x --class=file $common_flag | grep "map$"` -hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"` -#container_runtime_tmpfs_t=`seinfo -t | grep "container_runtime_tmpfs_t$"` -container_runtime_tmpfs_t="" -unconfined_service=`seinfo -t | grep "unconfined_service_t$"` -mock_var_lib=`seinfo -t | grep "mock_var_lib_t$"` -numad_context=`seinfo -t | grep "numad_t$"` -bpf_class=`seinfo -x --class=bpf $common_flag 2>/dev/null | grep "class bpf"` -wap_port_type=`seinfo -t | grep "wap_wsp_port_t$"` -non_auth_type=`seinfo -a | grep "non_auth_file_type$"` -non_security_type=`seinfo -a | grep "non_security_file_type$"` _filter_semodule() { 
@@ -69,98 +46,132 @@ _filter_sedismod1() } _filter_outfile() { - awk -v container_t="$container_runtime_t" \ - -v container_tmpfs_t="$container_runtime_tmpfs_t" \ - -v nsfs_t="$nsfs_t" \ - -v docker_var_lib_t="$docker_var_lib_t" \ - -v svirt_lxc_net_t="$svirt_lxc_net_t" \ - -v class_status="$class_status" \ - -v systemd_systemctl_exec_t="$systemd_systemctl_exec_t" \ - -v systemd_systemctl_unit_file_t="$systemd_systemctl_unit_file_t" \ - -v systemd_systemctl_unit_dir_t="$systemd_systemctl_unit_dir_t" \ - -v devlog_t="$devlog_t" \ - -v init_t="$init_t" \ - -v cap_userns_ptrace="$cap_userns_ptrace" \ - -v unreserved_port_t="$unreserved_port_t" \ - -v tracefs_t="$tracefs_t" \ - -v sock_file_getattr="$sock_file_getattr" \ - -v hostname_exec_map_a="$hostname_exec_map_a" \ - -v hostname_exec_map_b="$hostname_exec_map_b" \ - -v unconfined_service="$unconfined_service" \ - -v mock_var_lib="$mock_var_lib" \ - -v numad_context="$numad_context" \ - -v bpf_class="$bpf_class" \ - -v wap_port_type="$wap_port_type" \ - -v non_auth_type="$non_auth_type" \ - -v non_security_type="$non_security_type" \ - '{ - if (container_t == "" && /container_runtime_t /) - !/container_runtime_t / ; - else if (container_tmpfs_t == "" && /container_runtime_tmpfs_t/) - !/container_runtime_tmpfs_t/ ; - else if (nsfs_t == "" && /nsfs_t/) - !/nsfs_t/ ; - else if (docker_var_lib_t == "" && /docker_var_lib_t/) - !/docker_var_lib_t/ ; - else if (svirt_lxc_net_t == "" && /svirt_lxc_net_t/) - !/svirt_lxc_net_t/ ; - else if (systemd_systemctl_exec_t == "" && /systemd_systemctl_exec_t/) - !/systemd_systemctl_exec_t/ ; - else if (systemd_systemctl_unit_file_t == "" && /systemd_unit_file_t/) - !/systemd_unit_file_t/ ; - else if (systemd_systemctl_unit_dir_t == "" && /systemd_unit_dir_t/) - !/systemd_unit_dir_t/ ; - else if (devlog_t == "" && /devlog_t/) - !/devlog_t/ ; - else if (init_t == "" && /init_t/) - !/init_t/ ; - else if (cap_userns_ptrace == "" && /cap_userns/) - !/cap_userns/ ; - else if 
(unreserved_port_t == "" && /unreserved_port_t/) - !/unreserved_port_t/ ; - else if (tracefs_t == "" && /tracefs_t/) - !/tracefs_t/ ; - else if (class_status == "" && /system.*status/) - !/system.*status/ ; - else if (sock_file_getattr == "" && /gpmctl_t/) - !/gpmctl_t/ ; - else if (unconfined_service == "" && /unconfined_service_t/) - !/unconfined_service_t/ ; - else if (mock_var_lib == "" && /mock_var_lib_t/) - !/mock_var_lib_t/ ; - else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /ldconfig_exec_t/ && /map/) - !/ldconfig_exec_t/ ; - else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_tmp_t/ && /map/) - !/pcp_tmp_t/ ; - else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /fsadm_exec_t/ && /map/) - !/fsadm_exec_t/ ; - else if (numad_context == "" && /numda_t/) - !/numad_t/ ; - else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) { - printf(" allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n") - } - else if (bpf_class == "" && /bpf/) - !/bpf/ ; - else if (wap_port_type == "" && /wap_wsp_port_t/) - !/wap_wsp_port_t/ ; - else if (non_auth_type == "" && /non_auth_file_type/) - !/non_auth_file_type/ ; - else if (non_auth_type != "" && /non_security_file_type/) - !/non_security_file_type/ ; - else - print; - }' + sed -f $tmp.sed } status=1 # failure is the default! 
$sudo rm -rf $tmp $tmp.* $seq.full trap "cd $here; $sudo rm -rf $tmp $tmp.*; exit \$status" 0 1 2 3 15 -echo > $seq.full -cat $seq.out.in | _filter_outfile > $seq.out +# use logic from configure.ac to build list of optional types that are +# not present on this system and need to be culled from $seq.out.in +# +seinfo -t >$tmp.types +echo '/^#/d' >$tmp.sed +echo '/^!/s// /' >>$tmp.sed +for type in container_runtime_t nsfs_t docker_var_lib_t unreserved_port_t \ + tracefs_t unconfined_service_t numad_t rpm_var_lib_t \ + virt_var_run_t +do + if grep "^[ ][ ]*$type\$" $tmp.types >/dev/null + then + : + else + echo "/^ *$type\$/d" >>$tmp.sed + # and some missing types => associated rules need to be culled or + # edited + # + case "$type" + in + nsfs_t) + echo '/allow \[pcp_pmcd_t] \[nsfs_t]/d' >>$tmp.sed + ;; + unreserved_port_t) + echo '/allow \[pcp_pmcd_t] \[unreserved_port_t]/d' >>$tmp.sed + echo '/allow \[pcp_pmmgr_t] \[unreserved_port_t]/d' >>$tmp.sed + ;; + tracefs_t) + echo '/allow \[pcp_pmcd_t] \[tracefs_t]/d' >>$tmp.sed + ;; + unconfined_service_t) + echo '/allow \[pcp_pmlogger_t] \[unconfined_service_t]/d' >>$tmp.sed + echo '/allow \[pcp_pmie_t] \[unconfined_service_t]/d' >>$tmp.sed + ;; + numad_t) + echo '/allow \[pcp_pmcd_t] \[numad_t]/d' >>$tmp.sed + ;; + rpm_var_lib_t) + echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t]/d' >>$tmp.sed + ;; + virt_var_run_t) + echo '/allow \[pcp_pmcd_t] \[virt_var_run_t]/d' >>$tmp.sed + ;; + esac + fi +done + +# now the class ones ... 
also using logic from configure.ac +# +if seinfo -x --class=cap_userns $common_flag 2>&1 \ + | grep '^[ ][ ]*sys_ptrace$' >/dev/null +then + : +else + echo '/allow \[pcp_pmie_t] .*\[cap_userns]/d' >>$tmp.sed +fi + +if seinfo -x --class=file $common_flag 2>&1 \ + | grep '^[ ][ ]*map$' >/dev/null +then + : +elif seinfo -x --common file 2>&1 \ + | grep '^[ ][ ]*map$' >/dev/null +then + : +else + # if no map, need to cull these one as map is the only permission + # + echo '/allow \[pcp_pmcd_t] \[ldconfig_exec_t] : \[file].* map/d' >>$tmp.sed + echo '/allow \[pcp_pmcd_t] \[rpm_var_lib_t] : \[file].* map/d' >>$tmp.sed + echo '/allow \[pcp_pmcd_t] \[default_t] : \[file].* map/d' >>$tmp.sed + # strip "map" from permissions for others + # + echo '/\[pcp_pmie_exec_t] .*\[file]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmcd_t] .*\[file]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmie_t] .*\[hostname_exec_t]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmcd_t] \[fsadm_exec_t]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmcd_t] \[default_t]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmcd_t] \[pcp_pmie_exec_t]/s/ map / /' >>$tmp.sed + echo '/\[pcp_pmcd_t] \[pcp_tmp_t]/s/ map / /' >>$tmp.sed +fi + +if seinfo -x --class=bpf $common_flag 2>&1 \ + | grep '^[ ][ ]*class bpf$' >/dev/null +then + : +else + echo '/allow \[pcp_pmcd_t] .*\[bpf]/d' >>$tmp.sed +fi + +if seinfo -x --class=capability2 $common_flag 2>&1 \ + | grep '^[ ][ ]*syslog$' >/dev/null +then + : +else + echo '/allow \[pcp_pmcd_t\] .*\[capability2\]/d' >>$tmp.sed +fi + +if seinfo -a 2>&1 \ + | grep '^[ ][ ]*non_auth_file_type$' >/dev/null +then + echo '/allow \[pcp_domain] \[non_security_file_type]/d' >>$tmp.sed +else + echo '/allow \[pcp_domain] \[non_auth_file_type]/d' >>$tmp.sed +fi + +if grep 'PCP_SELINUX_FILES_MMAP_ALL_FILES[ ]*=[ ]*true' $PCP_INC_DIR/builddefs >/dev/null 2>&1 +then + : +else + echo '/allow \[pcp_domain] \[file_type] : \[file].* map/d' >>$tmp.sed +fi + +cat $tmp.sed >>$seq.full + +cat $seq.out.in | _filter_outfile >$seq.out 
echo "full policy modules list on the system" -$sudo semodule -l >> $seq.full +$sudo semodule -l >>$seq.full echo "Checking that pcpupstream policy module has been properly installed" awk '{ print $1 }' $seq.full | grep "pcpupstream$" | _filter_semodule # real QA test starts here diff -Naurp pcp-4.3.2.orig/qa/917.out.in pcp-4.3.2/qa/917.out.in --- pcp-4.3.2.orig/qa/917.out.in 2019-04-26 09:57:42.000000000 +1000 +++ pcp-4.3.2/qa/917.out.in 2020-04-01 15:30:37.069633323 +1100 @@ -3,6 +3,17 @@ full policy modules list on the system Checking that pcpupstream policy module has been properly installed pcpupstream Checking policies. +# Notes +# - lines begining # are comments for PCP QA developers and will be +# stripped when creating 917.out from this file +# - lines beginning ! in the block below are places where the rules +# are conditional, and the 917 script needs to mimic the configuration +# changes that are driven from configure.ac (see the pcp_selinux_* +# macro settings), and src/selinux/GNUlocaldefs (see the PCP_* macro +# settings) +# - otherwise lines in the block below come from +# src/selinux/pcpupstream.te.in (after macro substitution) +# --- begin avrule block --- decl 1: allow [init_t] [pcp_log_t] : [dir] { read }; 
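Review bot: The `case "$type"` block in the sed-script builder has no arm for container_runtime_t or docker_var_lib_t, so when either type is missing only the bare `/^ *$type$/d` line is emitted and an `allow` rule naming that type (GNUlocaldefs still defines PCP_CONTAINER_RUNTIME_RULE and PCP_DOCKER_VAR_LIB_RULE) would survive in $seq.out; if 917.out.in carries those rules — they are not visible in this diff — the test fails on such a system, so either add arms such as `container_runtime_t) echo '/allow \[pcp_pmcd_t] \[container_runtime_t]/d' >>$tmp.sed ;;` or drop the two names from the for list. The capability2 expression `'/allow \[pcp_pmcd_t\] .*\[capability2\]/d'` escapes its closing brackets while every other line writes `]` bare; `\]` outside a bracket expression is undefined in POSIX BRE (GNU sed tolerates it), so `'/allow \[pcp_pmcd_t] .*\[capability2]/d'` keeps the file consistent and portable. The two-line prologue deserves a comment, e.g. `# '/^!/s// /' reuses the ^! address as the regex: the conditional-rule marker becomes the leading blank of an ordinary rule line`.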
@@ -14,60 +25,65 @@ decl 1: allow [init_t] [system_cronjob_t] : [dbus] { send_msg }; allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans }; allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write }; - allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read }; +! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map }; allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink }; allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr }; allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource }; - allow [pcp_pmcd_t] [nsfs_t] : [file] { open read }; - allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect }; - allow [pcp_pmcd_t] [svirt_lxc_net_t] : [dir] { open read search }; +! allow [pcp_pmcd_t] [nsfs_t] : [file] { open read }; +! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect }; allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect }; - allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans }; - allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { map }; +! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map }; allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read }; - allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount }; - allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write }; +! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount }; +! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search }; +! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write }; allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write }; allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write }; - allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map }; +! 
allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map }; allow [pcp_pmcd_t] [sysfs_t] : [dir] { write }; allow [pcp_pmcd_t] [modules_object_t] : [lnk_file] { read }; allow [pcp_pmcd_t] [mdadm_exec_t] : [file] { execute execute_no_trans open read }; + allow [pcp_pmcd_t] [ndc_exec_t] : [file] { execute }; allow [pcp_pmcd_t] [proc_mdstat_t] : [file] { getattr open read }; - allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read }; +! allow [pcp_pmcd_t] [numad_t] : [msgq] { unix_read }; allow [pcp_pmcd_t] [glusterd_log_t] : [file] { open read write }; allow [pcp_pmcd_t] self : [process] { execmem setrlimit ptrace }; allow [pcp_pmcd_t] [sysctl_irq_t] : [dir] { search }; - allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run }; +! allow [pcp_pmcd_t] self : [bpf] { map_create map_read map_write prog_load prog_run }; allow [pcp_pmcd_t] [kernel_t] : [process] { signull }; +! allow [pcp_pmcd_t] self : [capability2] { syslog }; allow [pcp_pmcd_t] [kernel_t] : [system] { module_request }; allow [pcp_pmcd_t] [su_exec_t] : [file] { execute }; allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write }; - allow [pcp_pmlogger_t] self : [capability] { kill }; - allow [pcp_pmlogger_t] self : [capability] { sys_ptrace fowner fsetid }; + allow [pcp_pmlogger_t] self : [capability] { kill sys_ptrace fowner fsetid }; allow [pcp_pmlogger_t] [unconfined_t] : [process] { signal }; allow [pcp_pmlogger_t] [unconfined_service_t] : [process] { signal }; allow [pcp_pmlogger_t] [user_tmp_t] : [file] { setattr unlink }; - allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map }; + allow [pcp_pmlogger_t] [setfiles_exec_t] : [file] { execute }; +! 
allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map }; allow [pcp_pmie_t] self : [capability] { kill dac_override sys_ptrace net_admin chown fowner }; allow [pcp_pmie_t] [proc_net_t] : [file] { read }; - allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace }; +! allow [pcp_pmie_t] self : [cap_userns] { sys_ptrace }; allow [pcp_pmie_t] [unconfined_t] : [process] { signal }; allow [pcp_pmie_t] [unconfined_service_t] : [process] { signal }; - allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search }; - allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read }; + allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search write }; + allow [pcp_pmcd_t] [configfs_t] : [file] { getattr ioctl open read }; allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr }; allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read }; allow [pcp_pmproxy_t] self : [capability] { dac_override net_admin }; allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read }; allow [pcp_pmproxy_t] [proc_net_t] : [file] { read }; - allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind }; +! allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind }; allow [pcp_pmmgr_t] [ldconfig_exec_t] : [file] { execute execute_no_trans getattr open read }; - allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read }; - allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { map }; - allow [pcp_pmcd_t] [default_t] : [file] { execute map }; + allow [pcp_pmmgr_t] self : [capability] { dac_override }; +! allow [pcp_pmcd_t] [fsadm_exec_t] : [file] { execute execute_no_trans getattr open read map }; +! allow [pcp_pmcd_t] [default_t] : [file] { execute map }; allow [pcp_pmcd_t] self : [capability] { sys_rawio }; - allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl }; +! allow [pcp_pmcd_t] [rpm_var_lib_t] : [file] { map }; +! 
allow [pcp_pmcd_t] [virt_var_run_t] : [sock_file] { write }; +! allow [pcp_domain] [non_auth_file_type] : [dir] { open read search getattr lock ioctl }; +! allow [pcp_domain] [non_security_file_type] : [dir] { open search getattr }; +! allow [pcp_domain] [non_security_file_type] : [dir] { open read search getattr lock ioctl }; allow [pcp_pmcd_t] [file_type] : [dir] { open read search getattr lock ioctl }; allow [pcp_pmcd_t] [file_type] : [dir] { open search getattr }; allow [pcp_pmcd_t] [file_type] : [file] { getattr ioctl lock open read }; @@ -93,6 +109,7 @@ decl 1: allow [pcp_domain] [userdomain] : [sem] { unix_read associate getattr read }; allow [pcp_domain] [domain] : [unix_stream_socket] { connectto }; allow [pcp_domain] [port_type] : [tcp_socket] { name_connect }; +! allow [pcp_domain] [file_type] : [file] { map }; --- begin avrule block --- decl 2: allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; diff -Naurp pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python --- pcp-4.3.2.orig/src/pmdas/bcc/modules/pcpbcc.python 2018-09-18 16:41:15.000000000 +1000 +++ pcp-4.3.2/src/pmdas/bcc/modules/pcpbcc.python 2020-04-01 15:30:14.403025868 +1100 @@ -323,6 +323,11 @@ class PCPBCCBase(object): else: return "0.5.0" + @staticmethod + def bcc_version_tuple(): + """ Returns BCC version as an int tuple (for comparisons) """ + return tuple(map(int, PCPBCCBase.bcc_version().split('.'))) + def perf_buffer_poller(self): """ BPF poller """ try: 
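Review bot: `bcc_version_tuple()` applies `int()` to every dotted component of `bcc_version()`, so a version string with a non-numeric component (a constructed example: a distro-patched `0.10.0-1`, if the non-fallback branch of `bcc_version()` — above this hunk — can return one) raises ValueError at the comparison site instead of degrading. Stripping each component to its digits keeps the comparison usable: `parts = PCPBCCBase.bcc_version().split('.')` / `return tuple(int(''.join(c for c in p if c.isdigit()) or 0) for p in parts)`. The docstring could also give the shape, e.g. `""" Returns BCC version as an int tuple, e.g. (0, 5, 0), for comparisons """`.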
@@ -365,7 +370,10 @@ class PCPBCCBase(object): Compat: bcc < 0.6.0 source: https://github.com/iovisor/bcc/blame/master/src/python/bcc/__init__.py """ - return self.get_syscall_prefix() + name + if hasattr(self.bpf, 'get_syscall_fnname'): + return self.bpf.get_syscall_fnname(name) + else: + return self.get_syscall_prefix() + name def get_kprobe_functions(self, event_re): """ diff -Naurp pcp-4.3.2.orig/src/selinux/GNUlocaldefs pcp-4.3.2/src/selinux/GNUlocaldefs --- pcp-4.3.2.orig/src/selinux/GNUlocaldefs 2019-04-16 11:43:42.000000000 +1000 +++ pcp-4.3.2/src/selinux/GNUlocaldefs 2020-04-01 15:30:14.403025868 +1100 
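Review bot: The docstring just above the new branch still says `Compat: bcc < 0.6.0` with the upstream source link, but that text now describes only the `else` fallback; add a line such as `Uses BPF.get_syscall_fnname() when the installed bcc provides it, else get_syscall_prefix() + name (bcc < 0.6.0)`. The function's signature and the start of its docstring are above the hunk. The `else:` after a `return` is redundant; `return self.get_syscall_prefix() + name` can follow the `if` block directly. If `self.bpf` can be None when this is called, `hasattr` returns False and the old path is taken silently — presumably callers only reach this after the BPF object exists, worth confirming.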
@@ -1,101 +1,68 @@ ifeq "$(PCP_SELINUX_CONTAINER_RUNTIME)" "true" -PCP_CONTAINER_RUNTIME_T="type container_runtime_t\;" -PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto\;" +PCP_CONTAINER_RUNTIME_T="type container_runtime_t;" +PCP_CONTAINER_RUNTIME_RULE="allow pcp_pmcd_t container_runtime_t:unix_stream_socket connectto;" else PCP_CONTAINER_RUNTIME_RULE="" PCP_CONTAINER_RUNTIME_T="" endif ifeq "$(PCP_SELINUX_NSFS)" "true" -PCP_NSFS_T="type nsfs_t\; \# filesys.used" -PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open }\;" +PCP_NSFS_T="type nsfs_t; \# filesys.used" +PCP_NSFS_RULE="allow pcp_pmcd_t nsfs_t:file { read open };" endif ifeq "$(PCP_SELINUX_DOCKER_VAR_LIB)" "true" -PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t\;" -PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search\;" +PCP_DOCKER_VAR_LIB_T="type docker_var_lib_t;" +PCP_DOCKER_VAR_LIB_RULE="allow pcp_pmcd_t docker_var_lib_t:dir search;" else PCP_DOCKER_VAR_LIB_T="" PCP_DOCKER_VAR_LIB_RULE="" endif -ifeq "$(PCP_SELINUX_SVIRT_LXC_NET)" "true" -PCP_SVIRT_LXC_NET_T="type svirt_lxc_net_t\;" -PCP_SVIRT_LXC_NET_RULE="allow pcp_pmcd_t svirt_lxc_net_t:dir { open read search }\;" -endif - -ifeq "$(PCP_SELINUX_CLASS_STATUS)" "true" -PCP_CLASS_STATUS="class system status\;" -PCP_PMLOGGER_SYSTEM_STATUS_RULE="allow pcp_pmlogger_t init_t:system status\;" -PCP_PMIE_SYSTEM_STATUS_RULE="allow pcp_pmie_t init_t:system status\;" -endif - -ifeq "$(PCP_SELINUX_SYSTEMD_UNIT_FILE)" "true" -PCP_SYSTEMCTL_UNIT_FILE_T="type systemd_unit_file_t\;" -PCP_SYSTEMCTL_UNIT_FILE_RULE="allow pcp_pmie_t systemd_unit_file_t:file getattr\;" -PCP_SYSTEMCTL_UNIT_DIR_RULE="allow pcp_pmie_t systemd_unit_file_t:dir search\;" -endif - -ifeq "$(PCP_SELINUX_SYSTEMD_EXEC)" "true" -PCP_SYSTEMCTL_EXEC_T="type systemd_systemctl_exec_t\;" -PCP_SYSTEMCTL_EXEC_RULE="allow pcp_pmie_t systemd_systemctl_exec_t:file { execute execute_no_trans open read getattr }\;" -endif - ifeq 
"$(PCP_SELINUX_CAP_USERNS_PTRACE)" "true" -PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace\; \#pmdaproc" -PCP_CAPUSERNS_PTRACE_RULE="allow pcp_pmcd_t self:cap_userns sys_ptrace\;" -PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace\;" +PCP_CAPUSERNS_PTRACE="class cap_userns sys_ptrace; \# pmdaproc" +PCP_CAPUSERNS_PTRACE_RULE_PMIE="allow pcp_pmie_t self:cap_userns sys_ptrace;" endif ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true" -PCP_UNRESERVED_PORT="type unreserved_port_t\;" -PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect }\;" -PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind\;" +PCP_UNRESERVED_PORT="type unreserved_port_t;" +PCP_UNRESERVED_PORT_RULE="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };" +PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;" endif ifeq "$(PCP_SELINUX_TRACEFS)" "true" -PCP_TRACEFS="type tracefs_t\;" -PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;" -PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;" -PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write }\;" -endif - -ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true" -PCP_SOCK_FILE_GETATTR="class sock_file getattr\;" -PCP_SOCK_FILE_GETATTR_RULE="allow pcp_pmcd_t gpmctl_t:sock_file getattr\;" +PCP_TRACEFS="type tracefs_t;" +PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount;" +PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open };" +PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { getattr read open append write };" endif ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true" -PCP_HOSTNAME_EXEC_MAP=" map " -PCP_TMP_T_MAP_RULE="allow pcp_pmcd_t pcp_tmp_t:file map\;" -PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;" -PCP_FSADM_EXEC_MAP_RULE="allow pcp_pmcd_t fsadm_exec_t:file map\;" 
-PCP_DEFAULT_T_MAP="allow pcp_pmcd_t default_t:file { map execute }\;" +PCP_HOSTNAME_EXEC_MAP="map" +PCP_TMP_MAP="map" +PCP_FSADM_EXEC_MAP="map" +PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map;" +PCP_DEFAULT_MAP_RULE="allow pcp_pmcd_t default_t:file { map execute };" endif -ifeq "$(PCP_SELINUX_MOCK)" "true" -PCP_MOCK_VAR_LIB="type mock_var_lib_t\;" -PCP_MOCK_VAR_LIB_RULE="allow pcp_pmcd_t mock_var_lib_t:dir getattr\;" +ifeq "$(PCP_SELINUX_FILES_MMAP_ALL_FILES)" "true" +PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);" endif ifeq "$(PCP_SELINUX_UNCONFINED)" "true" -PCP_UNCONFINED_SERVICE="type unconfined_service_t\;" -PCP_UNCONFINED_SERVICE_RULE="allow pcp_pmcd_t unconfined_service_t:sem { associate getattr }\;" +PCP_UNCONFINED_SERVICE="type unconfined_service_t;" +PCP_PMLOGGER_UNCONFINED_SERVICE_RULE="allow pcp_pmlogger_t unconfined_service_t:process signal;" +PCP_PMIE_UNCONFINED_SERVICE_RULE="allow pcp_pmie_t unconfined_service_t:process signal;" endif ifeq "$(PCP_SELINUX_NUMAD)" "true" -PCP_NUMAD_CONTEXT="type numad_t\;" -PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read\;" +PCP_NUMAD_CONTEXT="type numad_t;" +PCP_NUMAD_RULE="allow pcp_pmcd_t numad_t:msgq unix_read;" endif ifeq "$(PCP_SELINUX_BPF_STATUS)" "true" -PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run }\;" -PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run }\;" -endif - -ifeq "$(PCP_SELINUX_WAP_PORT)" "true" -PCP_WAP_PORT_CONTEXT="type wap_wsp_port_t\;" -PCP_WAP_PORT_RULE="allow pcp_pmcd_t wap_wsp_port_t:tcp_socket name_connect\;" +PCP_BPF_STATUS_CLASS="class bpf { map_create map_read map_write prog_load prog_run };" +PCP_BPF_STATUS_RULE="allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run };" endif ifeq "$(PCP_SELINUX_FILES_LIST_NON_AUTH_DIRS)" "true" 
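Review bot: Dropping the `\;` escapes is only safe because the GNUmakefile hunk switches the sed expressions from `;` to `+` delimiters, so every value in this file now carries an unwritten rule — no `+` may appear in a rule string (and `#` must stay escaped as `\#`) or the substitution silently breaks; record it at the top of the file, e.g. `# values are spliced unquoted into sed 's+@NAME@+value+' in GNUmakefile: no '+' in any value, keep '#' escaped as \#`. The same constraint applies to the new stanzas in the second hunk of this file. On the policy side, `PCP_MMAP_ALL="files_mmap_all_files(pcp_domain);"` grants map on every file_type to all PCP domains (917.out.in renders it as `allow [pcp_domain] [file_type] : [file] { map }`), which is broader than the pmcd-scoped map rules beside it; a comment on why pcp_domain rather than pcp_pmcd_t needs it would help the next least-privilege review.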
@@ -103,3 +70,24 @@ PCP_SELINUX_MACRO_RULE="files_list_non_a else PCP_SELINUX_MACRO_RULE="files_list_non_security\(pcp_domain\)" endif + +# need both type rpm_var_lib_t and permission map for this one +# +PCP_RPM_VAR_LIB_T="" +PCP_RPM_VAR_LIB_RULE="" +ifeq "$(PCP_SELINUX_RPM_VAR_LIB)" "true" +ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true" +PCP_RPM_VAR_LIB_T="type rpm_var_lib_t; \# pmdarpm" +PCP_RPM_VAR_LIB_RULE="allow pcp_pmcd_t rpm_var_lib_t:file map;" +endif +endif + +ifeq "$(PCP_SELINUX_VIRT_VAR_RUN)" "true" +PCP_VIRT_VAR_RUN_T="type virt_var_run_t; \# pmdalibvirt" +PCP_VIRT_VAR_RUN_RULE="allow pcp_pmcd_t virt_var_run_t:sock_file write;" +endif + +ifeq "$(PCP_SELINUX_CAP2_SYSLOG)" "true" +PCP_CAP2_SYSLOG_CLASS="class capability2 { syslog };" +PCP_CAP2_SYSLOG_RULE="allow pcp_pmcd_t self:capability2 syslog;" +endif diff -Naurp pcp-4.3.2.orig/src/selinux/GNUmakefile pcp-4.3.2/src/selinux/GNUmakefile --- pcp-4.3.2.orig/src/selinux/GNUmakefile 2019-03-07 08:26:45.000000000 +1100 +++ pcp-4.3.2/src/selinux/GNUmakefile 2020-04-01 15:30:14.404025851 +1100 
@@ -33,51 +33,43 @@ build-me: $(IAM).te selinux-setup.sh $(IAM).te: $(IAM).te.in $(SED) <$< >$@ \ - -e 's;@PCP_CONTAINER_RUNTIME_T@;'$(PCP_CONTAINER_RUNTIME_T)';' \ - -e 's;@PCP_CONTAINER_RUNTIME_RULE@;'$(PCP_CONTAINER_RUNTIME_RULE)';' \ - -e 's;@PCP_NSFS_T@;'$(PCP_NSFS_T)';' \ - -e 's;@PCP_NSFS_RULE@;'$(PCP_NSFS_RULE)';' \ - -e 's;@PCP_DOCKER_VAR_LIB_T@;'$(PCP_DOCKER_VAR_LIB_T)';' \ - -e 's;@PCP_DOCKER_VAR_LIB_RULE@;'$(PCP_DOCKER_VAR_LIB_RULE)';' \ - -e 's;@PCP_CLASS_STATUS@;'$(PCP_CLASS_STATUS)';' \ - -e 's;@PCP_PMLOGGER_SYSTEM_STATUS_RULE@;'$(PCP_PMLOGGER_SYSTEM_STATUS_RULE)';' \ - -e 's;@PCP_PMIE_SYSTEM_STATUS_RULE@;'$(PCP_PMIE_SYSTEM_STATUS_RULE)';' \ - -e 's;@PCP_SVIRT_LXC_NET_T@;'$(PCP_SVIRT_LXC_NET_T)';' \ - -e 's;@PCP_SVIRT_LXC_NET_RULE@;'$(PCP_SVIRT_LXC_NET_RULE)';' \ - -e 's;@PCP_SYSTEMCTL_UNIT_FILE_T@;'$(PCP_SYSTEMCTL_UNIT_FILE_T)';' \ - -e 's;@PCP_SYSTEMCTL_UNIT_FILE_RULE@;'$(PCP_SYSTEMCTL_UNIT_FILE_RULE)';' \ - -e 's;@PCP_SYSTEMCTL_UNIT_DIR_RULE@;'$(PCP_SYSTEMCTL_UNIT_DIR_RULE)';' \ - -e 's;@PCP_SYSTEMCTL_EXEC_T@;'$(PCP_SYSTEMCTL_EXEC_T)';' \ - -e 's;@PCP_SYSTEMCTL_EXEC_RULE@;'$(PCP_SYSTEMCTL_EXEC_RULE)';' \ - -e 's;@PCP_CAPUSERNS_PTRACE@;'$(PCP_CAPUSERNS_PTRACE)';' \ - -e 's;@PCP_CAPUSERNS_PTRACE_RULE@;'$(PCP_CAPUSERNS_PTRACE_RULE)';' \ - -e 's;@PCP_CAPUSERNS_PTRACE_RULE_PMIE@;'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)';' \ - -e 's;@PCP_UNRESERVED_PORT@;'$(PCP_UNRESERVED_PORT)';' \ - -e 's;@PCP_UNRESERVED_PORT_RULE@;'$(PCP_UNRESERVED_PORT_RULE)';' \ - -e 's;@PCP_UNRESERVED_PORT_RULE_PMMGR@;'$(PCP_UNRESERVED_PORT_RULE_PMMGR)';' \ - -e 's;@PCP_TRACEFS@;'$(PCP_TRACEFS)';' \ - -e 's;@PCP_TRACEFS_FS_RULE@;'$(PCP_TRACEFS_FS_RULE)';' \ - -e 's;@PCP_TRACEFS_DIR_RULE@;'$(PCP_TRACEFS_DIR_RULE)';' \ - -e 's;@PCP_TRACEFS_FILE_RULE@;'$(PCP_TRACEFS_FILE_RULE)';' \ - -e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \ - -e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \ - -e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \ - -e 
's;@PCP_TMP_T_MAP_RULE@;'$(PCP_TMP_T_MAP_RULE)';' \
- -e 's;@PCP_DEFAULT_T_MAP@;'$(PCP_DEFAULT_T_MAP)';' \
- -e 's;@PCP_LDCONFIG_EXEC_MAP_RULE@;'$(PCP_LDCONFIG_EXEC_MAP_RULE)';' \
- -e 's;@PCP_MOCK_VAR_LIB@;'$(PCP_MOCK_VAR_LIB)';' \
- -e 's;@PCP_MOCK_VAR_LIB_RULE@;'$(PCP_MOCK_VAR_LIB_RULE)';' \
- -e 's;@PCP_UNCONFINED_SERVICE@;'$(PCP_UNCONFINED_SERVICE)';' \
- -e 's;@PCP_UNCONFINED_SERVICE_RULE@;'$(PCP_UNCONFINED_SERVICE_RULE)';' \
- -e 's;@PCP_NUMAD_CONTEXT@;'$(PCP_NUMAD_CONTEXT)';' \
- -e 's;@PCP_NUMAD_RULE@;'$(PCP_NUMAD_RULE)';' \
- -e 's;@PCP_FSADM_EXEC_MAP_RULE@;'$(PCP_FSADM_EXEC_MAP_RULE)';' \
- -e 's;@PCP_BPF_STATUS_CLASS@;'$(PCP_BPF_STATUS_CLASS)';' \
- -e 's;@PCP_BPF_STATUS_RULE@;'$(PCP_BPF_STATUS_RULE)';' \
- -e 's;@PCP_WAP_PORT_CONTEXT@;'$(PCP_WAP_PORT_CONTEXT)';' \
- -e 's;@PCP_WAP_PORT_RULE@;'$(PCP_WAP_PORT_RULE)';' \
- -e 's;@PCP_SELINUX_MACRO_RULE@;'$(PCP_SELINUX_MACRO_RULE)';' \
- -e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \
+ -e 's+@PCP_CONTAINER_RUNTIME_T@+'$(PCP_CONTAINER_RUNTIME_T)'+' \
+ -e 's+@PCP_CONTAINER_RUNTIME_RULE@+'$(PCP_CONTAINER_RUNTIME_RULE)'+' \
+ -e 's+@PCP_NSFS_T@+'$(PCP_NSFS_T)'+' \
+ -e 's+@PCP_NSFS_RULE@+'$(PCP_NSFS_RULE)'+' \
+ -e 's+@PCP_DOCKER_VAR_LIB_T@+'$(PCP_DOCKER_VAR_LIB_T)'+' \
+ -e 's+@PCP_DOCKER_VAR_LIB_RULE@+'$(PCP_DOCKER_VAR_LIB_RULE)'+' \
+ -e 's+@PCP_CAPUSERNS_PTRACE@+'$(PCP_CAPUSERNS_PTRACE)'+' \
+ -e 's+@PCP_CAPUSERNS_PTRACE_RULE_PMIE@+'$(PCP_CAPUSERNS_PTRACE_RULE_PMIE)'+' \
+ -e 's+@PCP_UNRESERVED_PORT@+'$(PCP_UNRESERVED_PORT)'+' \
+ -e 's+@PCP_UNRESERVED_PORT_RULE@+'$(PCP_UNRESERVED_PORT_RULE)'+' \
+ -e 's+@PCP_UNRESERVED_PORT_RULE_PMMGR@+'$(PCP_UNRESERVED_PORT_RULE_PMMGR)'+' \
+ -e 's+@PCP_TRACEFS@+'$(PCP_TRACEFS)'+' \
+ -e 's+@PCP_TRACEFS_FS_RULE@+'$(PCP_TRACEFS_FS_RULE)'+' \
+ -e 's+@PCP_TRACEFS_DIR_RULE@+'$(PCP_TRACEFS_DIR_RULE)'+' \
+ -e 's+@PCP_TRACEFS_FILE_RULE@+'$(PCP_TRACEFS_FILE_RULE)'+' \
+ -e 's+@PCP_HOSTNAME_EXEC_MAP@+'$(PCP_HOSTNAME_EXEC_MAP)'+' \
+ -e 's+@PCP_TMP_MAP@+'$(PCP_TMP_MAP)'+' \
+ -e 's+@PCP_DEFAULT_MAP_RULE@+'$(PCP_DEFAULT_MAP_RULE)'+' \
+ -e 's+@PCP_LDCONFIG_EXEC_MAP_RULE@+'$(PCP_LDCONFIG_EXEC_MAP_RULE)'+' \
+ -e 's+@PCP_UNCONFINED_SERVICE@+'$(PCP_UNCONFINED_SERVICE)'+' \
+ -e 's+@PCP_UNCONFINED_SERVICE_RULE@+'$(PCP_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_PMIE_UNCONFINED_SERVICE_RULE@+'$(PCP_PMIE_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@+'$(PCP_PMLOGGER_UNCONFINED_SERVICE_RULE)'+' \
+ -e 's+@PCP_NUMAD_CONTEXT@+'$(PCP_NUMAD_CONTEXT)'+' \
+ -e 's+@PCP_NUMAD_RULE@+'$(PCP_NUMAD_RULE)'+' \
+ -e 's+@PCP_FSADM_EXEC_MAP@+'$(PCP_FSADM_EXEC_MAP)'+' \
+ -e 's+@PCP_MMAP_ALL@+'$(PCP_MMAP_ALL)'+' \
+ -e 's+@PCP_BPF_STATUS_CLASS@+'$(PCP_BPF_STATUS_CLASS)'+' \
+ -e 's+@PCP_BPF_STATUS_RULE@+'$(PCP_BPF_STATUS_RULE)'+' \
+ -e 's+@PCP_RPM_VAR_LIB_T@+'$(PCP_RPM_VAR_LIB_T)'+' \
+ -e 's+@PCP_RPM_VAR_LIB_RULE@+'$(PCP_RPM_VAR_LIB_RULE)'+' \
+ -e 's+@PCP_VIRT_VAR_RUN_T@+'$(PCP_VIRT_VAR_RUN_T)'+' \
+ -e 's+@PCP_VIRT_VAR_RUN_RULE@+'$(PCP_VIRT_VAR_RUN_RULE)'+' \
+ -e 's+@PCP_CAP2_SYSLOG_CLASS@+'$(PCP_CAP2_SYSLOG_CLASS)'+' \
+ -e 's+@PCP_CAP2_SYSLOG_RULE@+'$(PCP_CAP2_SYSLOG_RULE)'+' \
+ -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
+ -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
 # END make -f /usr/share/selinux/devel/Makefile
diff -Naurp pcp-4.3.2.orig/src/selinux/pcpupstream.te.in pcp-4.3.2/src/selinux/pcpupstream.te.in
--- pcp-4.3.2.orig/src/selinux/pcpupstream.te.in 2019-04-26 09:34:21.000000000 +1000
+++ pcp-4.3.2/src/selinux/pcpupstream.te.in 2020-04-01 15:30:37.069633323 +1100
@@ -9,6 +9,7 @@ require {
 type tmp_t;
 type init_t;
 type default_t;
+ type gpmctl_t;
 type pcp_pmlogger_t;
 type pcp_pmlogger_exec_t;
 type pcp_var_lib_t;
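Review bot: The `-e` list in the `$(IAM).te` recipe and the `@PCP_…@` placeholders in pcpupstream.te.in are maintained by hand with nothing that fails the build when they drift: this hunk still substitutes `@PCP_UNCONFINED_SERVICE_RULE@` although the GNUlocaldefs hunk no longer defines that variable (it now sets PCP_PMLOGGER_/PCP_PMIE_UNCONFINED_SERVICE_RULE), and a placeholder with no matching `-e` would reach checkmodule with an unrelated error. Terminating the sed chain on the `@PACKAGE_VERSION@` line (no trailing `\`) and adding a second recipe line `	@! grep -n '@[A-Z_][A-Z0-9_]*@' $@` turns such drift into a build failure here. The trailing backslash on that last `-e` line currently appears to rely on the following `# END make …` comment being joined into the shell command and ignored as a shell comment; ending the chain explicitly is cleaner. Values are spliced into `s+…+…+` unquoted, so a `+` in any GNUlocaldefs value breaks the expression — see the note on that file's first hunk.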
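Review bot: `type gpmctl_t;` becomes an unconditional requirement, and the second hunk of this file does the same for `setfiles_exec_t` and `ndc_exec_t` while making `class sock_file { getattr write }` unconditional; every other optional type in this block is guarded by a @PCP_…@ macro, so on a policy that does not define one of these (ndc_exec_t comes from the bind module in refpolicy-derived policies) the whole pcpupstream module fails to load rather than losing a single rule. If these types are known to exist on every target policy, a trailing comment naming the providing module — in the style of the existing `#RHBZ…` and `# pcp.lio, pcp.bcc` comments — would document that; otherwise they belong under a GNUlocaldefs conditional like the rest. The qa/917 cull list in this diff has no entries for them either.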
@@ -33,13 +34,15 @@ require { type sysctl_fs_t; #RHBZ1505888 type sysfs_t; #RHBZ1545245 type modules_object_t; # pcp.lio, pcp.bcc + type setfiles_exec_t; type mdadm_exec_t; + type ndc_exec_t; type proc_mdstat_t; @PCP_NUMAD_CONTEXT@ type glusterd_log_t; type sysctl_irq_t; #pmda.bcc type unconfined_t; #RHBZ1443632 - type unconfined_service_t; + @PCP_UNCONFINED_SERVICE@ type configfs_t; #pcp.lio type ldconfig_exec_t; type sysctl_net_t; @@ -49,19 +52,20 @@ require { type kmsg_device_t; type proc_kcore_t; type su_exec_t; + @PCP_RPM_VAR_LIB_T@ + @PCP_VIRT_VAR_RUN_T@ class sem { unix_read associate getattr read }; class lnk_file { read getattr }; class file { append create execute execute_no_trans getattr setattr ioctl lock open read write unlink @PCP_HOSTNAME_EXEC_MAP@ }; class dir { add_name open read search write getattr lock ioctl }; class unix_stream_socket connectto; class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid }; + @PCP_CAP2_SYSLOG_CLASS@ @PCP_CAPUSERNS_PTRACE@ class chr_file { open write }; class fifo_file { getattr read open unlink lock ioctl }; # qa/455 class process { signull signal execmem setrlimit ptrace }; #RHBZ1443632 - class sock_file write; #RHBZ1449671 - @PCP_SOCK_FILE_GETATTR@ - @PCP_CLASS_STATUS@ + class sock_file { getattr write }; #RHBZ1449671, RHBZ1449671 class tcp_socket { name_bind name_connect }; class shm { unix_read associate getattr read }; class filesystem mount; 
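Review bot: The comment on `class sock_file { getattr write }; #RHBZ1449671, RHBZ1449671` cites the same bug id twice, which reads like a slip from folding the former `@PCP_SOCK_FILE_GETATTR@` line into the now-unconditional class; drop the duplicate, or cite the report that motivated getattr if it was a different one. Replacing `type unconfined_service_t;` with `@PCP_UNCONFINED_SERVICE@` matches the new PCP_PMLOGGER_/PCP_PMIE_UNCONFINED_SERVICE_RULE conditionals in GNUlocaldefs. The `require` block this hunk edits starts above the hunk.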
@@ -98,49 +102,24 @@ allow init_t system_cronjob_t:dbus send_ #============= pcp_pmcd_t ============== -#type=AVC msg=audit(XXX.1): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=dir permissive=0 -#allow pcp_pmcd_t svirt_sandbox_file_t:dir { open read search }; - -#@PCP_SVIRT_LXC_NET_RULE@ - -#type=AVC msg=audit(XXX.2): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 -#allow pcp_pmcd_t sysctl_net_t:dir search; - -#SYN AVC for testing -#type=AVC msg=audit(XXX.3): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0 -#allow pcp_pmcd_t sysctl_net_t:file { getattr open read }; #SYN AVC for testing #type=AVC msg=audit(XXX.4): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 allow pcp_pmcd_t user_home_t:file { execute execute_no_trans }; -#type=AVC msg=audit(XXX.5): avc: denied { read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t debugfs_t:dir { read search }; - #type=AVC msg=audit(XXX.6): avc: denied { append getattr ioctl open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write }; #type=AVC msg=audit(XXX.7): avc: denied { execute execute_no_trans open read } for 
pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0 -allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read }; +#type=AVC msg=audit(XXX.68): avc: denied { map } for pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0 +allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read @PCP_HOSTNAME_EXEC_MAP@ }; #type=AVC msg=audit(XXX.8): avc: denied { getattr open read unlink } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0 allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131 -#type=AVC msg=audit(YYY.9): avc: denied { getattr } for pid=9375 comm="pmdaproc" path="/run/systemd/initctl/fifo" dev="tmpfs" ino=13290 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file permissive=1 -#allow pcp_pmcd_t initctl_t:fifo_file getattr; - #type=AVC msg=audit(XXX.9): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0 allow pcp_pmcd_t proc_kcore_t:file getattr; - -#type=AVC msg=audit(YYY.10): avc: denied { sys_ptrace } for pid=9375 comm="pmdaproc" capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1 -#@PCP_CAPUSERNS_PTRACE_RULE@ - - -#type=AVC msg=audit(YYY.6): avc: denied { net_admin } for pid=2335 comm="pmcd" capability=12 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1 -#type=AVC msg=audit(YYY.7): avc: denied { sys_ptrace } for pid=15205 comm="pmdaproc" 
capability=19 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 -#type=AVC msg=audit(YYY.8): avc: denied { ipc_owner } for pid=21341 comm="pmdalinux" capability=15 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0 -#allow pcp_pmcd_t self:capability { net_admin sys_ptrace ipc_lock ipc_owner chown kill sys_resource }; #type=AVC msg=audit(YYY.11): avc: denied { sys_chroot kill sys_resource } for pid=25873 comm="pmdalinux" capability=18 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability #type=AVC msg=audit(YYY.87): avc: denied { chown } for pid=8999 comm="pmdasimple" capability=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability allow pcp_pmcd_t self:capability { sys_chroot kill sys_resource ipc_lock chown }; @@ -149,10 +128,6 @@ allow pcp_pmcd_t self:capability { sys_c #type=AVC msg=audit(YYY.12): avc: denied { read } for pid=29112 comm="pmdalinux" dev="nsfs" ino=4026532454 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 @PCP_NSFS_RULE@ -#type=AVC msg=audit(XXX.10): avc: denied { getattr read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=fifo_file permissive=0 -# allow pcp_pmcd_t pcp_log_t:fifo_file { getattr read open }; # qa/455 - - #type=AVC msg=audit(YYY.13): avc: denied { name_bind } for pid=7079 comm="pmdasimple" src=5650 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 #type=AVC msg=audit(YYY.14): avc: denied { name_connect } for pid=29238 comm="pmcd" dest=5650 scontex =system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 @PCP_UNRESERVED_PORT_RULE@ 
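Review bot: The audit tag on the new pmie map denial, `#type=AVC msg=audit(XXX.68): avc: denied { map } ... comm="pmie"`, reuses XXX.68, which this file already assigns to the pmlogger `setattr unlink` denial on `pmlogger_check.log` later on, so the placeholder numbers no longer identify a rule uniquely; give it an unused number. The macro folded into the allow, `@PCP_HOSTNAME_EXEC_MAP@`, is named for the hostname binary but now also gates `map` on `pcp_pmie_exec_t`, which reads as a copy-paste accident unless a comment says it is the generic probe for whether the policy knows the file `map` permission — `# @PCP_HOSTNAME_EXEC_MAP@ expands to 'map' on policies that have the permission, regardless of the target type` would make that clear. The function-like section this hunk edits (pcp_pmcd_t rules) continues outside the hunk.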
@@ -160,19 +135,9 @@ allow pcp_pmcd_t self:capability { sys_c #type=AVC msg=audit(YYY.15): avc: denied { name_connect } for pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0 allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.prometheus -#type=AVC msg=audit(YYY.16): avc: denied { unix_read } for pid=14552 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0 -#type=AVC msg=audit(YYY.17): avc: denied { getattr associate } for pid=8128 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0 -# allow pcp_pmcd_t unconfined_t:shm { unix_read associate getattr }; - -#type=AVC msg=audit(YYY.18): avc: denied { read } for pid=16668 comm="pmdalogger" name="458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0 -#type=AVC msg=audit(YYY.19): avc: denied { getattr } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0 -#type=AVC msg=audit(YYY.20): avc: denied { open } for pid=16668 comm="pmdalogger" path="/tmp/458-16195.fifo" dev="tmpfs" ino=56008 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=fifo_file permissive=0 -#allow pcp_pmcd_t user_tmp_t:fifo_file { read getattr open }; - #type=AVC msg=audit(YYY.21): avc: denied { execute } for pid=8648 comm="sh" name="8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0 #type=AVC msg=audit(YYY.22): avc: denied { execute_no_trans } for pid=8648 comm="sh" path="/tmp/8641" 
dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0 - allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans }; -@PCP_TMP_T_MAP_RULE@ +allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ }; #type=AVC msg=audit(YYY.23): avc: denied { getattr } for pid=8656 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 #type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 
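Review bot: The new `allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };` adds `map`, but the two AVC records above it (YYY.21 and YYY.22, `comm="sh" path="/tmp/8641"`) only show `execute` and `execute_no_trans`, so unlike the rest of this file the extra permission is not traceable to a denial. Executing and mapping files of the PCP tmp type from the pmcd domain is exactly the kind of rule a policy reviewer will question, so add the denial that motivated it or at least a reason, e.g. `# map: required on policies that check the file map permission (see qa/917)`. I cannot see a sed substitution for `@PCP_TMP_MAP@` in the visible tail of the GNUmakefile hunk; if none exists the token survives into the generated .te and checkmodule fails on it, so please confirm.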
@@ -187,87 +152,39 @@ allow pcp_pmcd_t hostname_exec_t:file { #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 #type=AVC msg=audit(YYY.30): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 #type=AVC msg=audit(YYY.31): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 -# @PCP_TRACEFS_DIR_RULE@ +#type=AVC msg=audit(YYY.88): avc: denied { read } for pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 +@PCP_TRACEFS_DIR_RULE@ #type=AVC msg=audit(YYY.32): avc: denied { read } for pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0 #type=AVC msg=audit(YYY.33): avc: denied { open } for pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0 @PCP_TRACEFS_FILE_RULE@ -#type=AVC msg=audit(XXX.11): avc: denied { getattr open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t gconf_home_t:dir { getattr open read search }; - -#type=AVC msg=audit(XXX.12): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t virt_etc_t:dir search; - -#type=AVC msg=audit(XXX.13): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=0 -# allow pcp_pmcd_t virt_etc_t:file { read open }; - -#type=AVC msg=audit(XXX.14): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virtd_t:s0 tclass=unix_stream_socket permissive=0 -# allow pcp_pmcd_t virtd_t:unix_stream_socket connectto; - - -#type=AVC msg=audit(XXX.15): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t haproxy_var_lib_t:dir search; +#type=AVC msg=audit(YYY.37): avc: denied { getattr } for pid=YYYY comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=19750 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1 +allow pcp_pmcd_t gpmctl_t:sock_file getattr; #type=AVC msg=audit(XXX.16): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0 allow pcp_pmcd_t haproxy_var_lib_t:sock_file write; -#type=AVC msg=audit(XXX.17): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_t:s0 tclass=unix_stream_socket permissive=0 -# allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto; - - #type=AVC msg=audit(YYY.34): avc: denied { write } for pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file #RHBZ1505888 allow pcp_pmcd_t sysctl_fs_t:file write; -#RHBZ1515928 -#RHBZ1449671 -#type=AVC msg=audit(XXX.18): avc: denied { getattr open search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t nfsd_fs_t:dir { getattr open search }; - -#type=AVC msg=audit(XXX.19): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=file permissive=0 -# allow pcp_pmcd_t nfsd_fs_t:file { getattr open read }; - - -#RHBZ1517656 -# @PCP_SOCK_FILE_GETATTR_RULE@ - -#RHBZ1517862 -#type=AVC msg=audit(XXX.20): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t postfix_spool_t:dir read; - - -# @PCP_UNCONFINED_SERVICE_RULE@ - -#type=AVC msg=audit(...): avc: denied { getattr } for pid=NNN comm="pmdalinux" path="/var/lib/mock" dev="dm-1" ino=917749 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=dir permissive=1 -# @PCP_MOCK_VAR_LIB_RULE@ - #type=AVC msg=audit(...): avc: denied { map } for pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 @PCP_LDCONFIG_EXEC_MAP_RULE@ -#RHBZ1488116 -#type=AVC msg=audit(XXX.21): avc: denied { unix_read associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=shm permissive=0 -# allow pcp_pmcd_t httpd_t:shm { unix_read associate getattr }; - -#type=AVC msg=audit(XXX.22): avc: denied { unix_read associate getattr } for pid=YYYY 
comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=sem permissive=0 -# allow pcp_pmcd_t httpd_t:sem { unix_read associate getattr }; - - #RHBZ1545245 #type=AVC msg=audit(XXX.23): avc: denied { write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0 allow pcp_pmcd_t sysfs_t:dir write; - # pmda.bcc #type=AVC msg=audit(XXX.24): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=lnk_file permissive=0 allow pcp_pmcd_t modules_object_t:lnk_file read; -#type=AVC msg=audit(XXX.25): avc: denied { open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t hugetlbfs_t:dir { open read }; - #type=AVC msg=audit(XXX.26): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0 allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read }; +allow pcp_pmcd_t ndc_exec_t:file execute; + #type=AVC msg=audit(XXX.27): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0 allow pcp_pmcd_t proc_mdstat_t:file { getattr open read }; 
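Review bot: `allow pcp_pmcd_t ndc_exec_t:file execute;` is the only new rule in this hunk with no AVC record, bug reference or PMDA name above it, and unlike the neighbouring `allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };` it grants only `execute`. If pmcd runs the binary in its own domain that is still denied on `open`/`execute_no_trans`; if a domain transition is intended, the transition rule is not in this hunk, so the grant looks incomplete either way. Add the captured denial and a comment naming the consumer, presumably the BIND PMDA given the `ndc` type, e.g. `# pmdabind: runs ndc (BIND control utility); <AVC line>`.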
@@ -275,93 +192,29 @@ allow pcp_pmcd_t proc_mdstat_t:file { ge #type=AVC msg=audit(YYY.36): avc: denied { unix_read } for pid=1423 comm="pmdalinux" key=-559038737 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0 @PCP_NUMAD_RULE@ - #type=AVC msg=audit(XXX.28): avc: denied { open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=file permissive=0 allow pcp_pmcd_t glusterd_log_t:file { open read write }; -#type=AVC msg=audit(XXX.29): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t glusterd_log_t:dir { search }; - -#type=AVC msg=audit(XXX.30): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t glusterd_conf_t:dir { search }; - -#type=AVC msg=audit(XXX.31): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_t:s0 tclass=unix_stream_socket permissive=0 -# allow pcp_pmcd_t glusterd_t:unix_stream_socket connectto; - -#type=AVC msg=audit(XXX.32): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t glusterd_var_lib_t:dir search; - - -#RHBZ1565158, RHBZ1619383 -#type=AVC msg=audit(XXX.33): avc: denied { assocate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mozilla_plugin_t:s0 tclass=sem permissive=0 -# allow pcp_pmcd_t mozilla_plugin_t:sem { 
associate getattr unix_read }; - - #pmda.bcc #type=AVC msg=audit(XXX.34): avc: denied { execmem setrlimit ptrace } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0 allow pcp_pmcd_t self:process { execmem setrlimit ptrace }; -#type=AVC msg=audit(YYY.37): avc: denied { read } for pid=16334 comm="python3" name="kallsyms" dev="proc" ino=4026532064 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=1 -#allow pcp_pmcd_t system_map_t:file { ioctl open read }; - #type=AVC msg=audit(XXX.35): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0 allow pcp_pmcd_t sysctl_irq_t:dir { search }; - -#RHBZ1592901 -#type=AVC msg=audit(XXX.36): avc: denied { unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:init_t:s0 tclass=shm permissive=0 -# allow pcp_pmcd_t init_t:shm unix_read; - - -#RHBZ1594991 -#type=AVC msg=audit(XXX.37): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpsd_t:s0 tclass=shm permissive=0 -# allow pcp_pmcd_t gpsd_t:shm { associate getattr unix_read }; - - -#type=AVC msg=audit(XXX.38): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0 -# allow pcp_pmcd_t default_t:file getattr; - - -#RHBZ1622253 -#type=AVC msg=audit(YYY.38): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir -#allow pcp_pmcd_t 
named_zone_t:dir search; - -#RHBZ1619381 -#type=AVC msg=audit(YYY.39): avc: denied { unix_read } for pid=1726 comm="pmdalinux" key=0 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=shm permissive=0 -#allow pcp_pmcd_t xdm_t:shm unix_read; - -#type=AVC msg=audit(XXX.39): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=sem permissive=0 -# allow pcp_pmcd_t postgresql_t:sem { associate getattr unix_read }; - -#type=AVC msg=audit(XXX.40): avc: denied { associate getattr unix_read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_t:s0 tclass=shm permissive=0 -# allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read }; - - -#type=AVC msg=audit(...): avc: denied { connectto } for pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket -#allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto; - #RHBZ1633211, RHBZ1693332 @PCP_BPF_STATUS_RULE@ #type=AVC msg=audit(XXX.41): avc: denied { signull } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=process permissive=0 allow pcp_pmcd_t kernel_t:process signull; +# pmda-bcc needs the ability to read addresses in /proc/kallsyms +@PCP_CAP2_SYSLOG_RULE@ + #RHBZ1690542 #type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 allow pcp_pmcd_t kernel_t:system module_request; -#type=AVC msg=audit(XXX.42): avc: denied { associate getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 
scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xdm_t:s0 tclass=shm permissive=0 -# allow pcp_pmcd_t xdm_t:shm { associate getattr }; - -#type=AVC msg=audit(XXX.43): avc: denied { getattr search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 -# allow pcp_pmcd_t user_home_dir_t:dir { getattr search }; - -#RHBZ1535522 -#type=AVC msg=audit(YYY.40): avc: denied { search } for pid=21371 comm="pmdalinux" name=".cache" dev="dm-0" ino=11796488 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0 -#allow pcp_pmcd_t cache_home_t:dir search; - -# @PCP_WAP_PORT_RULE@ - # type=AVC msg=audit(YYY.83): avc: denied { execute } for pid=19060 comm="zimbraprobe" name="su" dev="dm-0" ino=26416761 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0 #pmdazimbra allow pcp_pmcd_t su_exec_t:file { execute }; 
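Review bot: The comment above `@PCP_CAP2_SYSLOG_RULE@` describes the grant as "the ability to read addresses in /proc/kallsyms", but the permission the macro adds (capability2 syslog, per the `@PCP_CAP2_SYSLOG_CLASS@` require) is CAP_SYSLOG, which also allows reading and clearing the kernel ring buffer through syslog(2)/dmesg and unmasks %pK kernel pointers under kptr_restrict=1 generally, not only in kallsyms. Document the real scope so the next reviewer does not underestimate it: `# pmda-bcc: CAP_SYSLOG so /proc/kallsyms shows real addresses under kptr_restrict=1; note this also permits dmesg read/clear`. The removed `system_map_t` rule (YYY.37) was the narrower read-only alternative; if kallsyms access is all bcc needs, say why the capability was chosen over it.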
@@ -370,56 +223,21 @@ allow pcp_pmcd_t su_exec_t:file { execut #type=AVC msg=audit(XXX.44): avc: denied { open write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write }; -#type=AVC msg=audit(XXX.45): avc: denied { kill } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0 -allow pcp_pmlogger_t self:capability kill; - -# @PCP_PMLOGGER_SYSTEM_STATUS_RULE@ - -#type=AVC msg=audit(YYY.41): avc: denied { write } for pid=18266 comm="logger" name="log" dev="devtmpfs" ino=1413 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file -# allow pcp_pmlogger_t devlog_t:sock_file write; - -#type=AVC msg=audit(YYY.42): avc: denied { read } for pid=26849 comm="logger" name="log" dev="devtmpfs" ino=1389 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0 -# allow pcp_pmlogger_t devlog_t:lnk_file read; - # type=AVC msg=audit(YYY.43): avc: denied { sys_ptrace } for pid=21962 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability -# src/pmlogger/pmnewlog.sh -allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid }; +#type=AVC msg=audit(XXX.45): avc: denied { kill } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0 +allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill }; ## type=AVC msg=audit(YYY.44) : avc: denied { signal } for pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tclass=process allow pcp_pmlogger_t unconfined_t:process signal; ## type=AVC msg=audit(YYY.85): avc: denied { signal } for pid=31205 comm="pmsignal" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 -allow pcp_pmlogger_t unconfined_service_t:process signal; - -#type=AVC msg=audit(YYY.45): avc: denied { execute_no_trans } for pid=6760 comm="pmlogger_check" path="/usr/bin/pmlogger" dev="dm-1" ino=1051023 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_exec_t:s0 tclass=file permissive=0 -# allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans; - -#type=AVC msg=audit(YYY.46): avc: denied { name_connect } for pid=17604 comm="pmlc" dest=4330 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:dey_sapi_port_t:s0 tclass=tcp_socket -# allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect; - -#type=AVC msg=audit(YYY.47): avc: denied { connectto } for pid=18025 comm="pmprobe" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 -# allow pcp_pmlogger_t unconfined_t:unix_stream_socket connectto; - -#RHBZ1488116 -#type=AVC msg=audit(YYY.48): avc: denied { search } for pid=18056 comm="ps" name="testuser" dev="dm-0" ino=539096275 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir -# allow pcp_pmlogger_t user_home_dir_t:dir search; - -#type=AVC msg=audit(XXX.46): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 -# allow pcp_pmlogger_t user_home_t:file { read open }; +@PCP_PMLOGGER_UNCONFINED_SERVICE_RULE@ #type=AVC msg=audit(XXX.68): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" 
dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 allow pcp_pmlogger_t user_tmp_t:file { setattr unlink }; -#RHBZ1547066 -#type=AVC msg=audit(XXX.47): avc: denied { sendto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 -# allow pcp_pmlogger_t kernel_t:unix_dgram_socket sendto; - -#type=AVC msg=audit(XXX.48): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:home_bin_t:s0 tclass=dir permissive=0 -# allow pcp_pmlogger_t home_bin_t:dir search; - -#RHBZ1634205 -#type=AVC msg=audit(YYY.49): avc: denied { search } for pid=8613 comm="ps" name=".cache" dev="dm-0" ino=1277884 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0 -# allow pcp_pmlogger_t cache_home_t: dir search; +#type=AVC msg=audit(XXX.72): avc: denied { execute } for pid=9634 comm="pmlogger_daily" name="setfiles" dev="dm-0" ino=34500334 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0 +allow pcp_pmlogger_t setfiles_exec_t:file execute; #============= pcp_pmie_t ============== #type=AVC msg=audit(XXX.49): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 
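Review bot: `allow pcp_pmlogger_t setfiles_exec_t:file execute;` lets `pmlogger_daily` start the SELinux relabelling tool, and the recorded denial (XXX.72) is only `execute` with `permissive=0`, so whatever follows — `execute_no_trans` to run setfiles inside pcp_pmlogger_t, or a transition to setfiles_t — is not covered here and will surface as the next AVC. Running setfiles inside the pmlogger domain would be the wrong design, since the relabel permissions would then have to be granted to pcp_pmlogger_t itself; if a transition is intended, the domain-transition rule (refpolicy exposes it as `seutil_domtrans_setfiles`) belongs next to this allow with a comment naming the script and what it relabels, rather than being discovered denial by denial. The merged `allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill };` also drops the `# src/pmlogger/pmnewlog.sh` provenance comment the old rule carried; keep it.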
@@ -429,77 +247,27 @@ allow pcp_pmie_t hostname_exec_t:file { #type=AVC msg=audit(YYY.50): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0 allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace }; -#type=AVC msg=audit(YYY.51) : avc: denied { connectto } for pid=8941 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket -# allow pcp_pmie_t init_t:unix_stream_socket connectto; - -#type=AVC msg=audit(YYY.52) : avc: denied { open } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file -#type=AVC msg=audit(YYY.53) : avc: denied { read } for pid=8939 comm=runlevel name=utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file -#type=AVC msg=audit(YYY.54) : avc: denied { lock } for pid=8939 comm=runlevel path=/run/utmp dev="tmpfs" ino=12392 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file -# allow pcp_pmie_t initrc_var_run_t:file { lock open read }; - -# @PCP_PMIE_SYSTEM_STATUS_RULE@ - -#type=AVC msg=audit(YYY.55) : avc: denied { getattr } for pid=8870 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file -# @PCP_SYSTEMCTL_UNIT_FILE_RULE@ - -#type=AVC msg=audit(YYY.56): avc: denied { search } for pid=30181 comm="pmie" name="system" dev="dm-1" ino=1182241 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir permissive=0 -#@PCP_SYSTEMCTL_UNIT_DIR_RULE@ - -#type=AVC msg=audit(YYY.57) : avc: denied { read } for pid=7073 comm=pmie 
name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file -#type=AVC msg=audit(YYY.58) : avc: denied { execute } for pid=7073 comm=pmie name=systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file -#type=AVC msg=audit(YYY.59) : avc: denied { getattr } for pid=7004 comm=pmie path=/usr/lib/systemd/system/pmie.service dev="dm-1" ino=4203 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file -#type=AVC msg=audit(YYY.60) : avc: denied { execute_no_trans } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file -#type=AVC msg=audit(YYY.61) : avc: denied { open } for pid=8939 comm=pmie path=/usr/bin/systemctl dev="dm-1" ino=3402 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file -#type=AVC msg=audit(YYY.62): avc: denied { getattr } for pid=13079 comm="which" path="/usr/bin/systemctl" dev="dm-1" ino=1078205 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0 -# @PCP_SYSTEMCTL_EXEC_RULE@ - -#type=AVC msg=audit(YYY.63): avc: denied { connectto } for pid=12589 comm="pmie" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmie_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 -# allow pcp_pmie_t unconfined_t:unix_stream_socket connectto; - -#audit: type=1400 audit(YYY.64): avc: denied { execute_no_trans } for pid=3703 comm=pmie_check path=/usr/bin/pmie dev=dm-0 ino=2506240 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0 -# allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans; - 
#RHBZ1517656
 #type=AVC msg=audit(XXX.50): avc: denied { read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
 allow pcp_pmie_t proc_net_t:file read;
-
-#type=AVC msg=audit(...): avc: denied { open } for pid=NNN comm="runlevel" path="/dev/kmsg" dev="devtmpfs" ino=1043 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
-# allow pcp_pmie_t kmsg_device_t:chr_file open;
-
-#RHBZ1533080
-#type=AVC msg=audit(XXX.51): avc: denied { signal } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
-# allow pcp_pmie_t pcp_pmcd_t:process signal;
-
-
-#RHBZ1547066
-#type=AVC msg=audit(XXX.52): avc: denied { getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
-# allow pcp_pmie_t init_exec_t:file getattr;
-
 #RHBZ1635394
 #type=AVC msg=audit(YYY.66): avc: denied { sys_ptrace } for pid=15683 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=cap_userns permissive=0
 @PCP_CAPUSERNS_PTRACE_RULE_PMIE@
-#type=AVC msg=audit(XXX.53): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
-# allow pcp_pmie_t user_home_dir_t:dir search;
-
-#type=AVC msg=audit(XXX.54): avc: denied { read open } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
-# allow pcp_pmie_t user_home_t:file { read open };
-
-
 #RHBZ1623988
 #type=AVC msg=audit(YYY.65): avc: denied { signal } for pid=3106
comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
 allow pcp_pmie_t unconfined_t:process signal;
 ## type=AVC msg=audit(YYY.86): avc: denied { signal } for pid=23951 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
-allow pcp_pmie_t unconfined_service_t:process signal;
+@PCP_PMIE_UNCONFINED_SERVICE_RULE@
 #============= pmda-lio ==============
-#type=AVC msg=audit(XXX.55): avc: denied { open read search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
-allow pcp_pmcd_t configfs_t:dir { open read search };
+#type=AVC msg=audit(XXX.55): avc: denied { open read search write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
+allow pcp_pmcd_t configfs_t:dir { open read search write };
-#type=AVC msg=audit(XXX.56): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
-allow pcp_pmcd_t configfs_t:file { getattr open read };
+#type=AVC msg=audit(XXX.56): avc: denied { getattr ioctl open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t configfs_t:file { getattr ioctl open read };
 #type=AVC msg=audit(XXX.57): avc: denied { getattr read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=lnk_file permissive=0
 allow pcp_pmcd_t configfs_t:lnk_file { getattr read };
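Review bot: The pmda-lio rules at the end of the hunk widen `allow pcp_pmcd_t configfs_t:dir` with `write` and `configfs_t:file` with `ioctl`, and the AVC comments above them appear to have been edited in place to list the new permissions (same placeholder pid=YYYY/ino=1 line) rather than carrying the audit.log denial that produced them, which is what src/selinux/README asks for. Because pcp_pmcd_t is shared by every PMDA and configfs is where LIO target configuration lives, `write` on configfs_t:dir lets any PMDA modify the target tree, so this grant deserves an explicit justification. If pmdalio really writes there, add a comment above the rule such as `# write on configfs_t:dir needed because pmdalio creates <what — TODO confirm>`; if it only reads, drop `write` and keep `search read`. The `ioctl` addition is narrower but should carry the same provenance.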
@@ -507,23 +275,6 @@ allow pcp_pmcd_t configfs_t:lnk_file { g
 #type=AVC msg=audit(XXX.58): avc: denied { execute execute_no_trans getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 allow pcp_pmcd_t ldconfig_exec_t:file { execute execute_no_trans getattr open read };
-
-#type=AVC msg=audit(XXX.59): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t modules_conf_t:dir { getattr open read };
-
-#type=AVC msg=audit(XXX.60): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t modules_conf_t:file { getattr open read };
-
-#type=AVC msg=audit(XXX.61): avc: denied { search } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
-# allow pcp_pmcd_t modules_object_t:dir search;
-
-#type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
-# allow pcp_pmcd_t modules_object_t:file { getattr open read };
-
-#type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
-# allow pcp_pmcd_t saslauthd_t:unix_stream_socket connectto;
-
-
 #============= pcp_pmproxy_t ==============
 #type=AVC msg=audit(YYY.67) : avc: denied { net_admin } for pid=6669
comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
 allow pcp_pmproxy_t self:capability { net_admin dac_override };
@@ -533,9 +284,6 @@ allow pcp_pmproxy_t self:capability { ne
 #type=AVC msg=audit(YYY.70) : avc: denied { getattr } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
 allow pcp_pmproxy_t sysctl_net_t:file { getattr open read };
-#type=AVC msg=audit(YYY.71): avc: denied { search } for pid=14446 comm="pmproxy" name="net" dev="proc" ino=1168 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
-# allow pcp_pmproxy_t sysctl_net_t:dir search;
-
 #type=AVC msg=audit(YYY.72): avc: denied { read } for pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
 #RHBZ1517656
 allow pcp_pmproxy_t proc_net_t:file read;
@@ -545,14 +293,11 @@ allow pcp_pmproxy_t proc_net_t:file read
 #type=AVC msg=audit(YYY.73): avc: denied { name_bind } for pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 @PCP_UNRESERVED_PORT_RULE_PMMGR@
-#type=AVC msg=audit(YYY.74): avc: denied { connectto } for pid=16715 comm="pmmgr" path="/run/pcp/pmcd.socket" scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
-# allow pcp_pmmgr_t unconfined_t:unix_stream_socket connectto;
 #type=AVC msg=audit(XXX.64): avc: denied { execute execute_no_trans open read getattr } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
 allow pcp_pmmgr_t ldconfig_exec_t:file { execute execute_no_trans open read getattr };
-#type=AVC msg=audit(XXX.65): avc: denied { name_connect } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket permissive=0
-# allow pcp_pmmgr_t zabbix_port_t:tcp_socket name_connect;
-
+#type=AVC msg=audit(XXX.69): avc: denied { dac_override } for pid=3767 comm="pmmgr" capability=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:system_r:pcp_pmmgr_t:s0 tclass=capability permissive=0
+allow pcp_pmmgr_t self:capability dac_override;
 #============= pmda-smart ==============
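Review bot: The new `allow pcp_pmmgr_t self:capability dac_override;` gives the pmmgr domain a blanket bypass of file ownership and mode checks, far wider than the single denial (comm="pmmgr", capability=1) it answers. A dac_override denial usually means a root process is touching a file owned by another account (presumably the pcp user here) and is better fixed by correcting the file's ownership or mode; where only reading or directory traversal is needed, `dac_read_search` is the narrower capability. Capability AVCs carry no path, so if the grant has to stay please record what triggered it, e.g. `# dac_override: pmmgr (root) accesses <path — TODO confirm> owned by pcp`. pcp_pmie_t already carries the same capability in the first hunk, so the pattern is spreading across domains.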
@@ -564,23 +309,25 @@ allow pcp_pmmgr_t ldconfig_exec_t:file {
 #type=AVC msg=audit(YYY.80): avc: denied { map } for pid=8678 comm="smartctl" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
 #type=AVC msg=audit(YYY.81): avc: denied { sys_rawio } for pid=8678 comm="smartctl" capability=17 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
-allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read };
-@PCP_FSADM_EXEC_MAP_RULE@
+allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read @PCP_FSADM_EXEC_MAP@ };
 #============= pmda-nvidia ==============
 #type=AVC msg=audit(YYY.83): avc: denied { map } for pid=7034 comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
 #type=AVC msg=audit(YYY.84): avc: denied { execute } for pid=19828 comm="pmdanvidia" path="//usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
-@PCP_DEFAULT_T_MAP@
+@PCP_DEFAULT_MAP_RULE@
 #type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
 allow pcp_pmcd_t self:capability sys_rawio;
+#============= pmda-rpm ==============
+#type=AVC msg=audit(YYY.89): avc: denied { map } for pid=4969 comm="pmdarpm" path="/var/lib/rpm/Name" dev="dm-0" ino=519186 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0
+@PCP_RPM_VAR_LIB_RULE@
+
+#============= pmda-libvirt ==============
+#type=AVC msg=audit(YYY.90): avc: denied { write } for pid=30922
comm="python3" name="libvirt-sock-ro" dev="tmpfs" ino=25845 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0
+@PCP_VIRT_VAR_RUN_RULE@
-#============= pmda-redis ==============
-#type=AVC msg=audit(YYY.82): avc: denied { name_connect } for pid=15299 comm="pmdaredis" dest=6379 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
-# allow pcp_pmcd_t redis_port_t:tcp_socket name_connect;
-
-# allow pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
+# permit pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
 @PCP_SELINUX_MACRO_RULE@
 files_read_all_files(pcp_pmcd_t)
 files_read_all_files(pcp_pmie_t)
@@ -591,14 +338,17 @@ files_read_all_files(pcp_pmwebd_t)
 allow pcp_domain file_type:fifo_file read_fifo_file_perms;
-# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+# permit pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
 allow pcp_domain domain:shm r_sem_perms;
 allow pcp_domain domain:sem r_shm_perms;
 allow pcp_domain userdomain:shm r_sem_perms;
 allow pcp_domain userdomain:sem r_shm_perms;
-# allow pcp_domain stream connect to all domains
+# permit pcp_domain stream connect to all domains
 allow pcp_domain domain:unix_stream_socket connectto;
-# allow pcp_domain to connect to all ports.
+# permit pcp_domain to connect to all ports.
 corenet_tcp_connect_all_ports(pcp_domain)
+
+# all pcp_domain read access to all maps
+@PCP_MMAP_ALL@
diff -Naurp pcp-4.3.2.orig/src/selinux/README pcp-4.3.2/src/selinux/README
--- pcp-4.3.2.orig/src/selinux/README 2019-04-09 10:48:01.000000000 +1000
+++ pcp-4.3.2/src/selinux/README 2020-04-01 15:30:14.404025851 +1100
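Review bot: `@PCP_FSADM_EXEC_MAP@` is spliced inside the permission set of the rewritten `allow pcp_pmcd_t fsadm_exec_t:file { ... }` line, unlike every other placeholder in this file, which stands for a whole line that may expand to nothing; an empty expansion still leaves this rule valid, but nothing tells a reader that, and the name no longer matches the removed `@PCP_FSADM_EXEC_MAP_RULE@` or the renamed `@PCP_DEFAULT_MAP_RULE@`, all of which must agree with the builddefs definitions outside this hunk. A one-line comment above the rule, e.g. `# @PCP_FSADM_EXEC_MAP@ expands to the file map permission where the policy defines it, otherwise to nothing — confirm against builddefs`, would make the different shape obvious. The rename of `@PCP_DEFAULT_T_MAP@` also needs the old name removed wherever it is defined, otherwise the literal placeholder presumably survives into the generated policy and fails at build time. The new pmda-rpm and pmda-libvirt sections do follow the AVC-then-rule convention.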
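Review bot: The new comment `# all pcp_domain read access to all maps` has a typo and contradicts the allow→permit wording this hunk introduces on the neighbouring comments; it should read `# permit pcp_domain read access to all maps`. `@PCP_MMAP_ALL@` is also the only rule placeholder in the file without the audit.log AVC line above it that src/selinux/README requires, and a map permission granted to every pcp domain is broad enough to need that provenance, so please add the denial that motivated it or a comment stating why none exists. Separately, the unchanged context lines `allow pcp_domain domain:shm r_sem_perms;` and `allow pcp_domain domain:sem r_shm_perms;` (and the userdomain pair) have the shm/sem permission macros crossed; I believe both macros expand to the same set in refpolicy, so this is cosmetic, but pairing them correctly would avoid future confusion.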
@@ -55,6 +55,22 @@ rather than the singular form as reported by audit2allow -m.
+Also, some of the "require" elements may be optional (not supported
+on all versions of selinux), so watch out for things like
+
+ @PCP_TRACEFS@
+
+which becomes
+
+ type tracefs_t;
+
+or
+
+
+
+and the corresponding conditional rules, like @PCP_TRACEFS_FS_RULE@,
+@PCP_TRACEFS_DIR_RULE@ and @PCP_TRACEFS_FILE_RULE@
+
 Now go further down src/selinux/pcpupstream.te.in and add the "allow" clause from audit2allow -m, prefixed by the full text of the matching AVC line from audit.log as a comment, so something like: