diff --git a/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
new file mode 100644
index 0000000..3b032f2
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
@@ -0,0 +1,66 @@ +From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001 +From: Andreas Gerstmayr +Date: Fri, 13 May 2022 13:47:50 +0200 +Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects + created by ctypes/libffi (#1593) + +Resolves the following AVC: + + type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0 + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094 +--- + qa/1622 | 1 + + qa/917.out.in | 1 + + src/selinux/pcpupstream.te.in | 7 +++++++ + 3 files changed, 9 insertions(+) + +diff --git a/qa/1622 b/qa/1622 +index be7987e225..03ecc4eb42 100755 +--- a/qa/1622 ++++ b/qa/1622 +@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" na + type=AVC msg=audit(YYY.25): avc: denied { read } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 + type=AVC msg=audit(YYY.26): avc: denied { open } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 + type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 ++type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0 + type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 
comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0 + # matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22 + #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 +diff --git a/qa/917.out.in b/qa/917.out.in +index 3bd1dc15e0..8b92c0c5ff 100644 +--- a/qa/917.out.in ++++ b/qa/917.out.in +@@ -40,6 +40,7 @@ Checking policies. + allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect }; + ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map }; + allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read }; ++ allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read }; + ! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount }; + ! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write }; + ! 
allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search }; +diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in +index 673b178413..2c15c61ba3 100644 +--- a/src/selinux/pcpupstream.te.in ++++ b/src/selinux/pcpupstream.te.in +@@ -39,6 +39,7 @@ require { + type pcp_pmlogger_t; + type pcp_pmproxy_t; + type pcp_tmp_t; ++ type pcp_tmpfs_t; + type pcp_var_lib_t; + type ping_exec_t; # pmda.netcheck + type postgresql_var_run_t; +@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ }; + #type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 + allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans }; + ++# https://bugzilla.redhat.com/show_bug.cgi?id=2050094 ++#type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0 ++# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file) ++# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019 ++can_exec(pcp_pmcd_t, pcp_tmpfs_t) ++ + # pmda.perfevent + #type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0 + #type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 
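Review bot: `can_exec(pcp_pmcd_t, pcp_tmpfs_t)` in the pcpupstream.te.in hunk grants considerably more than the single `execute` permission the quoted AVC was denied: the updated qa/917.out.in expectation shows it expanding to `{ execute execute_no_trans getattr ioctl lock map open read }` on every file labelled pcp_tmpfs_t, not only the libffi memfd object, and it is wider than the neighbouring pcp_tmp_t rule, which stays at `{ execute execute_no_trans @PCP_TMP_MAP@ }`. If that breadth is intended, the comment block should say so, and the hex path in the quoted AVC is worth decoding for the next reader, e.g. `# path above decodes to "/memfd:libffi (deleted)"; note can_exec() also grants` / `# execute_no_trans/map/read on every other pcp_tmpfs_t file, not just this memfd`. Whether a narrower `allow pcp_pmcd_t pcp_tmpfs_t:file { execute map };` would be enough cannot be judged here, since the policy's other pcp_tmpfs_t rules are outside this hunk.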
diff --git a/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
new file mode 100644
index 0000000..879b090
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
@@ -0,0 +1,135 @@ +commit 55e8c83ee5920ab30644f54f7a525255b1de4b84 +Author: Nathan Scott +Date: Mon Aug 29 14:25:03 2022 +1000 + + docs: describe working sudoers configuration with requiretty + + When /etc/sudoers is configured with 'Defaults requiretty', + pmlogctl cannot invoke pmlogger_check in the normal fashion. + Symptoms of the problem are the following system log message: + + pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo + + pmiectl and pmie_check are similarly affected. The simplest + solution is to add an additional configuration line excluding + these commands from requiring a tty; this is the approach now + documented. + + Note these PCP commands are not interactive (require no tty) + and the unprivileged 'pcp' account uses nologin(8) as a shell + anyway, so requiretty offers no advantages here. Note also + there's debate about whether requiretty is a useful security + measure in general as it can be trivially bypassed; further + details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147 + + Resolves Red Hat BZ #2093751 + +diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1 +--- pcp-5.3.7.orig/man/man1/pmie_check.1 2021-11-04 08:26:15.000000000 +1100 ++++ pcp-5.3.7/man/man1/pmie_check.1 2022-08-31 11:17:52.362276530 +1000 +@@ -406,6 +406,42 @@ no + entries are needed as the timer mechanism provided by + .B systemd + is used instead. ++.PP ++The ++.BR pmiectl (1) ++utility may invoke ++.B pmie_check ++using the ++.BR sudo (1) ++command to run it under the $PCP_USER ``pcp'' account. ++If ++.B sudo ++is configured with the non-default ++.I requiretty ++option (see below), ++.B pmie_check ++may fail to run due to not having a tty configured. 
++This issue can be resolved by adding a second line ++(expand $PCP_BINADM_DIR according to your platform) ++to the ++.I /etc/sudoers ++configuration file as follows: ++.P ++.ft CW ++.nf ++.in +0.5i ++Defaults requiretty ++Defaults!$PCP_BINADM_DIR/pmie_check !requiretty ++.in ++.fi ++.ft 1 ++.P ++Note that the unprivileged PCP account under which these ++commands run uses ++.I /sbin/nologin ++as the shell, so the ++.I requiretty ++option is ineffective here and safe to disable in this way. + .SH FILES + .TP 5 + .I $PCP_PMIECONTROL_PATH +diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1 +--- pcp-5.3.7.orig/man/man1/pmlogger_check.1 2022-04-05 09:05:43.000000000 +1000 ++++ pcp-5.3.7/man/man1/pmlogger_check.1 2022-08-31 11:20:52.470086724 +1000 +@@ -830,6 +830,42 @@ no + entries are needed as the timer mechanism provided by + .B systemd + is used instead. ++.PP ++The ++.BR pmlogctl (1) ++utility may invoke ++.B pmlogger_check ++using the ++.BR sudo (1) ++command to run it under the $PCP_USER ``pcp'' account. ++If ++.B sudo ++is configured with the non-default ++.I requiretty ++option (see below), ++.B pmlogger_check ++may fail to run due to not having a tty configured. ++This issue can be resolved by adding a second line ++(expand $PCP_BINADM_DIR according to your platform) ++to the ++.I /etc/sudoers ++configuration file as follows: ++.P ++.ft CW ++.nf ++.in +0.5i ++Defaults requiretty ++Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty ++.in ++.fi ++.ft 1 ++.P ++Note that the unprivileged PCP account under which these ++commands run uses ++.I /sbin/nologin ++as the shell, so the ++.I requiretty ++option is ineffective here and safe to disable in this way. + .SH FILES + .TP 5 + .I $PCP_PMLOGGERCONTROL_PATH +@@ -926,7 +962,7 @@ instances for + .I hostname + have been launched in the interim. 
+ Because the cron-driven PCP archive management scripts run under
+-the uid of the user ``pcp'',
++the $PCP_USER account ``pcp'',
+ .BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs
+ typically needs to be owned by the user ``pcp''.
+ .TP
+@@ -994,6 +1030,7 @@ platforms.
+ .BR pmlogmv (1),
+ .BR pmlogrewrite (1),
+ .BR pmsocks (1),
++.BR sudo (1),
+ .BR systemd (1),
+ .BR xz (1)
+ and
diff --git a/SOURCES/redhat-bugzilla-2101574-farm-config.patch b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
new file mode 100644
index 0000000..e6ed27e
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
@@ -0,0 +1,103 @@ +From 73c024c64f7db68fdcd224c27c1711fa6dd1d254 Mon Sep 17 00:00:00 2001 +From: Nathan Scott +Date: Tue, 28 Jun 2022 10:06:06 +1000 +Subject: [PATCH] pmlogger_farm: add default configuration file for farm + loggers + +Provide a mechanism whereby the farm loggers can be configured. +There has been reluctance in the past to sharing configuration +of the local primary logger, so these are now done separately. +Makes sense to me as the primary pmlogger may need to use more +frequent sampling, may not want to allow remote pmlc, etc. + +Resolves Red Hat BZ #2101574 +--- + src/pmlogger/GNUmakefile | 1 + + src/pmlogger/pmlogger.defaults | 2 ++ + src/pmlogger/pmlogger_check.sh | 5 +++-- + src/pmlogger/pmlogger_farm.defaults | 27 +++++++++++++++++++++++++++ + 4 files changed, 33 insertions(+), 2 deletions(-) + create mode 100644 src/pmlogger/pmlogger_farm.defaults + +diff -Naurp pcp-5.3.7.orig/src/pmlogger/GNUmakefile pcp-5.3.7/src/pmlogger/GNUmakefile +--- pcp-5.3.7.orig/src/pmlogger/GNUmakefile 2022-02-02 11:53:05.000000000 +1100 ++++ pcp-5.3.7/src/pmlogger/GNUmakefile 2022-08-31 11:23:08.758672970 +1000 +@@ -45,6 +45,7 @@ install:: $(SUBDIRS) + + install:: default + $(INSTALL) -m 775 -o $(PCP_USER) -g $(PCP_GROUP) -d $(PCP_VAR_DIR)/config/pmlogger ++ $(INSTALL) -m 644 pmlogger_farm.defaults $(PCP_SYSCONFIG_DIR)/pmlogger_farm + $(INSTALL) -m 644 pmlogger.defaults $(PCP_SYSCONFIG_DIR)/pmlogger + $(INSTALL) -m 755 -d $(PCP_SHARE_DIR)/zeroconf + $(INSTALL) -m 644 pmlogger.zeroconf $(PCP_SHARE_DIR)/zeroconf/pmlogger +diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh pcp-5.3.7/src/pmlogger/pmlogger_check.sh +--- pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh 2022-04-05 09:05:43.000000000 +1000 ++++ pcp-5.3.7/src/pmlogger/pmlogger_check.sh 2022-08-31 11:23:08.758672970 +1000 +@@ -1,6 +1,6 @@ + #! /bin/sh + # +-# Copyright (c) 2013-2016,2018,2020-2021 Red Hat. ++# Copyright (c) 2013-2016,2018,2020-2022 Red Hat. 
+ # Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved. + # + # This program is free software; you can redistribute it and/or modify it +@@ -24,6 +24,7 @@ + PMLOGGER="$PCP_BINADM_DIR/pmlogger" + PMLOGCONF="$PCP_BINADM_DIR/pmlogconf" + PMLOGGERENVS="$PCP_SYSCONFIG_DIR/pmlogger" ++PMLOGGERFARMENVS="$PCP_SYSCONFIG_DIR/pmlogger_farm" + PMLOGGERZEROCONFENVS="$PCP_SHARE_DIR/zeroconf/pmlogger" + + # error messages should go to stderr, not the GUI notifiers +@@ -972,8 +973,8 @@ END { print m }'` + continue + fi + else ++ envs=`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null` + args="-h $host $args" +- envs="" + iam="" + fi + +diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults pcp-5.3.7/src/pmlogger/pmlogger.defaults +--- pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults 2022-02-03 16:11:40.000000000 +1100 ++++ pcp-5.3.7/src/pmlogger/pmlogger.defaults 2022-08-31 11:23:08.758672970 +1000 +@@ -1,5 +1,7 @@ + # Environment variables for the primary pmlogger daemon. See also + # the pmlogger control file and pmlogconf(1) for additional details. ++# Also see separate pmlogger_farm configuration for the non-primary ++# logger configuration settings, separate to this file. + # Settings defined in this file will override any settings in the + # pmlogger zeroconf file (if present). + +diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults +--- pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults 1970-01-01 10:00:00.000000000 +1000 ++++ pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults 2022-08-31 11:23:08.758672970 +1000 +@@ -0,0 +1,27 @@ ++# Environment variables for the pmlogger farm daemons. See also ++# pmlogger control file(s) and pmlogconf(1) for additional details. ++# Also see separate pmlogger configuration for the primary logger ++# configuration settings, separate to this file. 
++ ++# Behaviour regarding listening on external-facing interfaces; ++# unset PMLOGGER_LOCAL to allow connections from remote hosts. ++# A value of 0 permits remote connections, 1 permits local only. ++# PMLOGGER_LOCAL=1 ++ ++# Max length to which the queue of pending connections may grow ++# A value of 5 is the default. ++# PMLOGGER_MAXPENDING=5 ++ ++# Default sampling interval pmlogger uses when no more specific ++# interval is requested. A value of 60 seconds is the default. ++# Both pmlogger command line (via control file) and also pmlogger ++# configuration file directives will override this value. ++# PMLOGGER_INTERVAL=60 ++ ++# The default behaviour, when pmlogger configuration comes from ++# pmlogconf(1), is to regenerate the configuration file and check for ++# changes whenever pmlogger is started from pmlogger_check(1). ++# If the PMDA configuration is stable, this is not necessary, and ++# setting PMLOGGER_CHECK_SKIP_LOGCONF to yes disables the regeneration ++# and checking. ++# PMLOGGER_CHECK_SKIP_LOGCONF=yes diff --git a/SPECS/pcp.spec b/SPECS/pcp.spec index 83c905f..50b75e9 100644 --- a/SPECS/pcp.spec +++ b/SPECS/pcp.spec @@ -1,6 +1,6 @@ Name: pcp Version: 5.3.7 -Release: 7%{?dist} +Release: 9%{?dist} Summary: System-level performance monitoring and performance management License: GPLv2+ and LGPLv2+ and CC-BY URL: https://pcp.io @@ -12,6 +12,9 @@ Patch1: redhat-bugzilla-1981886-pmdasockets-backporting.patch Patch2: redhat-bugzilla-2059461-pmie-systemd-fixup.patch Patch3: redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch Patch4: redhat-bugzilla-2059463-pmdapostfix-harden.patch +Patch5: redhat-bugzilla-2050094-bcc-selinux.patch +Patch6: redhat-bugzilla-2093751-sudoers-docs.patch +Patch7: redhat-bugzilla-2101574-farm-config.patch # The additional linker flags break out-of-tree PMDAs. # https://bugzilla.redhat.com/show_bug.cgi?id=2043092 
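Review bot: The new `envs=`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null`` line in pmlogger_check.sh only honours lines that begin with `PMLOGGER` in column one, yet the new pmlogger_farm.defaults file, the only documentation of the mechanism, shows every setting as a commented example and never states that format; an indented line or an `export PMLOGGER_LOCAL=1` form would be silently ignored, as would any read error hidden by `2>/dev/null`. Suggest adding to the header of pmlogger_farm.defaults, after the pmlogconf(1) sentence: `# Active settings must start in column one as PMLOGGER_NAME=value;` / `# any other line (indented, or using export) is ignored.` The pmlogger.defaults header also says its settings override the zeroconf file, while the farm file is silent on whether PMLOGGERZEROCONFENVS applies to farm loggers; how $envs is consumed is outside this hunk, so that relationship should be confirmed and documented in the same header. Minor: the added pmlogger.defaults comment reads `... non-primary logger configuration settings, separate to this file.`, where the second "separate" is redundant.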
@@ -2295,6 +2298,9 @@ updated policy package. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build # the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step) @@ -3352,6 +3358,11 @@ PCP_LOG_DIR=%{_logsdir} %files zeroconf -f pcp-zeroconf-files.rpm %changelog +* Mon Sep 05 2022 Nathan Scott - 5.3.7-9 +- Additional selinux policy rules for pmdabcc (BZ 2050094) +- Describe working sudoers requiretty configuration (BZ 2093751) +- Separate pmlogger_farm configuration mechanism (BZ 2101574) + * Mon May 09 2022 Nathan Scott - 5.3.7-7 - Additional selinux policy rules for pmdasockets (BZ 1981886)