diff --git a/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
new file mode 100644
index 0000000..3b032f2
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
@@ -0,0 +1,66 @@
+From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
+From: Andreas Gerstmayr <agerstmayr@redhat.com>
+Date: Fri, 13 May 2022 13:47:50 +0200
+Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
+ created by ctypes/libffi (#1593)
+
+Resolves the following AVC:
+
+ type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+---
+ qa/1622 | 1 +
+ qa/917.out.in | 1 +
+ src/selinux/pcpupstream.te.in | 7 +++++++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/qa/1622 b/qa/1622
+index be7987e225..03ecc4eb42 100755
+--- a/qa/1622
++++ b/qa/1622
+@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" na
+ type=AVC msg=audit(YYY.25): avc: denied { read } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.26): avc: denied { open } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
++type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+ # matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
+ #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 3bd1dc15e0..8b92c0c5ff 100644
+--- a/qa/917.out.in
++++ b/qa/917.out.in
+@@ -40,6 +40,7 @@ Checking policies.
+ allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
+ ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
+ allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
++ allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 673b178413..2c15c61ba3 100644
+--- a/src/selinux/pcpupstream.te.in
++++ b/src/selinux/pcpupstream.te.in
+@@ -39,6 +39,7 @@ require {
+ type pcp_pmlogger_t;
+ type pcp_pmproxy_t;
+ type pcp_tmp_t;
++ type pcp_tmpfs_t;
+ type pcp_var_lib_t;
+ type ping_exec_t; # pmda.netcheck
+ type postgresql_var_run_t;
+@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
+ #type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
+
++# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
++#type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
++# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
++# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
++can_exec(pcp_pmcd_t, pcp_tmpfs_t)
++
+ # pmda.perfevent
+ #type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+ #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
diff --git a/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
new file mode 100644
index 0000000..879b090
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
@@ -0,0 +1,135 @@
+commit 55e8c83ee5920ab30644f54f7a525255b1de4b84
+Author: Nathan Scott <nathans@redhat.com>
+Date: Mon Aug 29 14:25:03 2022 +1000
+
+ docs: describe working sudoers configuration with requiretty
+
+ When /etc/sudoers is configured with 'Defaults requiretty',
+ pmlogctl cannot invoke pmlogger_check in the normal fashion.
+ Symptoms of the problem are the following system log message:
+
+ pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo
+
+ pmiectl and pmie_check are similarly affected. The simplest
+ solution is to add an additional configuration line excluding
+ these commands from requiring a tty; this is the approach now
+ documented.
+
+ Note these PCP commands are not interactive (require no tty)
+ and the unprivileged 'pcp' account uses nologin(8) as a shell
+ anyway, so requiretty offers no advantages here. Note also
+ there's debate about whether requiretty is a useful security
+ measure in general as it can be trivially bypassed; further
+ details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147
+
+ Resolves Red Hat BZ #2093751
+
+diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1
+--- pcp-5.3.7.orig/man/man1/pmie_check.1 2021-11-04 08:26:15.000000000 +1100
++++ pcp-5.3.7/man/man1/pmie_check.1 2022-08-31 11:17:52.362276530 +1000
+@@ -406,6 +406,42 @@ no
+ entries are needed as the timer mechanism provided by
+ .B systemd
+ is used instead.
++.PP
++The
++.BR pmiectl (1)
++utility may invoke
++.B pmie_check
++using the
++.BR sudo (1)
++command to run it under the $PCP_USER ``pcp'' account.
++If
++.B sudo
++is configured with the non-default
++.I requiretty
++option (see below),
++.B pmie_check
++may fail to run due to not having a tty configured.
++This issue can be resolved by adding a second line
++(expand $PCP_BINADM_DIR according to your platform)
++to the
++.I /etc/sudoers
++configuration file as follows:
++.P
++.ft CW
++.nf
++.in +0.5i
++Defaults requiretty
++Defaults!$PCP_BINADM_DIR/pmie_check !requiretty
++.in
++.fi
++.ft 1
++.P
++Note that the unprivileged PCP account under which these
++commands run uses
++.I /sbin/nologin
++as the shell, so the
++.I requiretty
++option is ineffective here and safe to disable in this way.
+ .SH FILES
+ .TP 5
+ .I $PCP_PMIECONTROL_PATH
+diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1
+--- pcp-5.3.7.orig/man/man1/pmlogger_check.1 2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/man/man1/pmlogger_check.1 2022-08-31 11:20:52.470086724 +1000
+@@ -830,6 +830,42 @@ no
+ entries are needed as the timer mechanism provided by
+ .B systemd
+ is used instead.
++.PP
++The
++.BR pmlogctl (1)
++utility may invoke
++.B pmlogger_check
++using the
++.BR sudo (1)
++command to run it under the $PCP_USER ``pcp'' account.
++If
++.B sudo
++is configured with the non-default
++.I requiretty
++option (see below),
++.B pmlogger_check
++may fail to run due to not having a tty configured.
++This issue can be resolved by adding a second line
++(expand $PCP_BINADM_DIR according to your platform)
++to the
++.I /etc/sudoers
++configuration file as follows:
++.P
++.ft CW
++.nf
++.in +0.5i
++Defaults requiretty
++Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty
++.in
++.fi
++.ft 1
++.P
++Note that the unprivileged PCP account under which these
++commands run uses
++.I /sbin/nologin
++as the shell, so the
++.I requiretty
++option is ineffective here and safe to disable in this way.
+ .SH FILES
+ .TP 5
+ .I $PCP_PMLOGGERCONTROL_PATH
+@@ -926,7 +962,7 @@ instances for
+ .I hostname
+ have been launched in the interim.
+ Because the cron-driven PCP archive management scripts run under
+-the uid of the user ``pcp'',
++the $PCP_USER account ``pcp'',
+ .BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs
+ typically needs to be owned by the user ``pcp''.
+ .TP
+@@ -994,6 +1030,7 @@ platforms.
+ .BR pmlogmv (1),
+ .BR pmlogrewrite (1),
+ .BR pmsocks (1),
++.BR sudo (1),
+ .BR systemd (1),
+ .BR xz (1)
+ and
diff --git a/SOURCES/redhat-bugzilla-2101574-farm-config.patch b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
new file mode 100644
index 0000000..e6ed27e
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
@@ -0,0 +1,103 @@
+From 73c024c64f7db68fdcd224c27c1711fa6dd1d254 Mon Sep 17 00:00:00 2001
+From: Nathan Scott <nathans@redhat.com>
+Date: Tue, 28 Jun 2022 10:06:06 +1000
+Subject: [PATCH] pmlogger_farm: add default configuration file for farm
+ loggers
+
+Provide a mechanism whereby the farm loggers can be configured.
+There has been reluctance in the past to sharing configuration
+of the local primary logger, so these are now done separately.
+Makes sense to me as the primary pmlogger may need to use more
+frequent sampling, may not want to allow remote pmlc, etc.
+
+Resolves Red Hat BZ #2101574
+---
+ src/pmlogger/GNUmakefile | 1 +
+ src/pmlogger/pmlogger.defaults | 2 ++
+ src/pmlogger/pmlogger_check.sh | 5 +++--
+ src/pmlogger/pmlogger_farm.defaults | 27 +++++++++++++++++++++++++++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 src/pmlogger/pmlogger_farm.defaults
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/GNUmakefile pcp-5.3.7/src/pmlogger/GNUmakefile
+--- pcp-5.3.7.orig/src/pmlogger/GNUmakefile 2022-02-02 11:53:05.000000000 +1100
++++ pcp-5.3.7/src/pmlogger/GNUmakefile 2022-08-31 11:23:08.758672970 +1000
+@@ -45,6 +45,7 @@ install:: $(SUBDIRS)
+
+ install:: default
+ $(INSTALL) -m 775 -o $(PCP_USER) -g $(PCP_GROUP) -d $(PCP_VAR_DIR)/config/pmlogger
++ $(INSTALL) -m 644 pmlogger_farm.defaults $(PCP_SYSCONFIG_DIR)/pmlogger_farm
+ $(INSTALL) -m 644 pmlogger.defaults $(PCP_SYSCONFIG_DIR)/pmlogger
+ $(INSTALL) -m 755 -d $(PCP_SHARE_DIR)/zeroconf
+ $(INSTALL) -m 644 pmlogger.zeroconf $(PCP_SHARE_DIR)/zeroconf/pmlogger
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh pcp-5.3.7/src/pmlogger/pmlogger_check.sh
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh 2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/src/pmlogger/pmlogger_check.sh 2022-08-31 11:23:08.758672970 +1000
+@@ -1,6 +1,6 @@
+ #! /bin/sh
+ #
+-# Copyright (c) 2013-2016,2018,2020-2021 Red Hat.
++# Copyright (c) 2013-2016,2018,2020-2022 Red Hat.
+ # Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved.
+ #
+ # This program is free software; you can redistribute it and/or modify it
+@@ -24,6 +24,7 @@
+ PMLOGGER="$PCP_BINADM_DIR/pmlogger"
+ PMLOGCONF="$PCP_BINADM_DIR/pmlogconf"
+ PMLOGGERENVS="$PCP_SYSCONFIG_DIR/pmlogger"
++PMLOGGERFARMENVS="$PCP_SYSCONFIG_DIR/pmlogger_farm"
+ PMLOGGERZEROCONFENVS="$PCP_SHARE_DIR/zeroconf/pmlogger"
+
+ # error messages should go to stderr, not the GUI notifiers
+@@ -972,8 +973,8 @@ END { print m }'`
+ continue
+ fi
+ else
++ envs=`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null`
+ args="-h $host $args"
+- envs=""
+ iam=""
+ fi
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults pcp-5.3.7/src/pmlogger/pmlogger.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults 2022-02-03 16:11:40.000000000 +1100
++++ pcp-5.3.7/src/pmlogger/pmlogger.defaults 2022-08-31 11:23:08.758672970 +1000
+@@ -1,5 +1,7 @@
+ # Environment variables for the primary pmlogger daemon. See also
+ # the pmlogger control file and pmlogconf(1) for additional details.
++# Also see separate pmlogger_farm configuration for the non-primary
++# logger configuration settings, separate to this file.
+ # Settings defined in this file will override any settings in the
+ # pmlogger zeroconf file (if present).
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults 1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults 2022-08-31 11:23:08.758672970 +1000
+@@ -0,0 +1,27 @@
++# Environment variables for the pmlogger farm daemons. See also
++# pmlogger control file(s) and pmlogconf(1) for additional details.
++# Also see separate pmlogger configuration for the primary logger
++# configuration settings, separate to this file.
++
++# Behaviour regarding listening on external-facing interfaces;
++# unset PMLOGGER_LOCAL to allow connections from remote hosts.
++# A value of 0 permits remote connections, 1 permits local only.
++# PMLOGGER_LOCAL=1
++
++# Max length to which the queue of pending connections may grow
++# A value of 5 is the default.
++# PMLOGGER_MAXPENDING=5
++
++# Default sampling interval pmlogger uses when no more specific
++# interval is requested. A value of 60 seconds is the default.
++# Both pmlogger command line (via control file) and also pmlogger
++# configuration file directives will override this value.
++# PMLOGGER_INTERVAL=60
++
++# The default behaviour, when pmlogger configuration comes from
++# pmlogconf(1), is to regenerate the configuration file and check for
++# changes whenever pmlogger is started from pmlogger_check(1).
++# If the PMDA configuration is stable, this is not necessary, and
++# setting PMLOGGER_CHECK_SKIP_LOGCONF to yes disables the regeneration
++# and checking.
++# PMLOGGER_CHECK_SKIP_LOGCONF=yes
diff --git a/SPECS/pcp.spec b/SPECS/pcp.spec
index 83c905f..50b75e9 100644
--- a/SPECS/pcp.spec
+++ b/SPECS/pcp.spec
@@ -1,6 +1,6 @@
Name: pcp
Version: 5.3.7
-Release: 7%{?dist}
+Release: 9%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@@ -12,6 +12,9 @@ Patch1: redhat-bugzilla-1981886-pmdasockets-backporting.patch
Patch2: redhat-bugzilla-2059461-pmie-systemd-fixup.patch
Patch3: redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch
Patch4: redhat-bugzilla-2059463-pmdapostfix-harden.patch
+Patch5: redhat-bugzilla-2050094-bcc-selinux.patch
+Patch6: redhat-bugzilla-2093751-sudoers-docs.patch
+Patch7: redhat-bugzilla-2101574-farm-config.patch
# The additional linker flags break out-of-tree PMDAs.
# https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@@ -2295,6 +2298,9 @@ updated policy package.
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
%build
# the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step)
@@ -3352,6 +3358,11 @@ PCP_LOG_DIR=%{_logsdir}
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
+* Mon Sep 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-9
+- Additional selinux policy rules for pmdabcc (BZ 2050094)
+- Describe working sudoers requiretty configuration (BZ 2093751)
+- Separate pmlogger_farm configuration mechanism (BZ 2101574)
+
* Mon May 09 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-7
- Additional selinux policy rules for pmdasockets (BZ 1981886)