diff --git a/SOURCES/redhat-bugzilla-1926756.patch b/SOURCES/redhat-bugzilla-1926756.patch
new file mode 100644
index 0000000..779923d
--- /dev/null
+++ b/SOURCES/redhat-bugzilla-1926756.patch
@@ -0,0 +1,205 @@
+commit d7679bd7cbb94692250a450bccf9f01cb982467f
+Author: Mark Goodwin <mgoodwin@redhat.com>
+Date: Fri Feb 12 10:12:59 2021 +1100
+
+ selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA
+
+ Add SELinux rules allowing pmcd to create, setopt, bind, getattr and
+ nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets.
+
+ Update qa/1622 and 917.
+
+ Resolves: RHBZ#1926756
+
+diff --git a/qa/1622 b/qa/1622
+index 83f260d6d..f62b5f89a 100755
+--- a/qa/1622
++++ b/qa/1622
+@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co
+ type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
+ type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
+ type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
++type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+ EOF
+
+ echo "Silence is golden ... all AVC's are allowed by active policy"
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 69c3b2d12..ddec57f9c 100644
+--- a/qa/917.out.in
++++ b/qa/917.out.in
+@@ -125,6 +125,7 @@ Checking policies.
+ allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
+ allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
+ allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
++ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
+ allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
+ allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
+ allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl };
+diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
+index 30b67d907..cbfa34c14 100644
+--- a/src/selinux/GNUlocaldefs
++++ b/src/selinux/GNUlocaldefs
+@@ -118,5 +118,7 @@ endif
+
+ ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"
+ PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };"
++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
+ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };"
++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
+ endif
+diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
+index e16859d7e..d04644fcb 100644
+--- a/src/selinux/GNUmakefile
++++ b/src/selinux/GNUmakefile
+@@ -80,6 +80,8 @@ $(IAM).te: $(IAM).te.in
+ -e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \
+ -e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \
+ -e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \
++ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \
++ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \
+ -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
+ -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
+
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 36a043be1..d935aee36 100644
+--- a/src/selinux/pcpupstream.te.in
++++ b/src/selinux/pcpupstream.te.in
+@@ -90,6 +90,7 @@ require {
+ @PCP_BPF_CLASS@
+ class system { module_request };
+ @PCP_NETLINK_GENERIC_SOCKET_CLASS@
++ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@
+ }
+
+ #============= init_t ==============
+@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans };
+ # pmda-hacluster requirements for checking sbd
+ # type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1
+ @PCP_SBD_EXEC_RULE@
++
++#=========== pmda-sockets ============
++# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++# type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
++@PCP_NETLINK_TCPDIAG_SOCKET_RULE@
+
+commit a49772607d80b25b2ae4b8764be709bb27d7e16f
+Author: Mark Goodwin <mgoodwin@redhat.com>
+Date: Fri Feb 12 10:09:23 2021 +1100
+
+ pmdasockets: minor changes to Install and Remove, add -U username
+
+ Specify pmns_name in Install and Remove scripts since the pmda name
+ differs to the namespace. Add -U username for optional use when run
+ as a daemon.
+
+diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile
+index 34897f2e9..a32987ef7 100644
+--- a/src/pmdas/linux_sockets/GNUmakefile
++++ b/src/pmdas/linux_sockets/GNUmakefile
+@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h
+ LLDLIBS = $(PCP_PMDALIB)
+ LCFLAGS = $(INVISIBILITY)
+
+-SCRIPTS = Install Remove
++SCRIPTS = Install Remove Upgrade
+ VERSION_SCRIPT = exports
+ LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log
+
+diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install
+index 4bc934c96..28d7c7f9e 100755
+--- a/src/pmdas/linux_sockets/Install
++++ b/src/pmdas/linux_sockets/Install
+@@ -1,4 +1,4 @@
+-#! /bin/sh
++#!/usr/bin/sh
+ #
+ # Copyright (c) 2021 Red Hat.
+ #
+@@ -25,6 +25,8 @@ dso_opt=true
+ pipe_opt=false
+ daemon_opt=false
+
++pmns_name=network.persocket # differs to PMDA name
++
+ which ss >/dev/null 2>&1
+ if [ $? -ne 0 ]
+ then
+diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove
+index 26edc85aa..3fee6a0e6 100755
+--- a/src/pmdas/linux_sockets/Remove
++++ b/src/pmdas/linux_sockets/Remove
+@@ -1,4 +1,4 @@
+-#! /bin/sh
++#!/usr/bin/sh
+ #
+ # Copyright (c) 2021 Red Hat.
+ #
+@@ -19,6 +19,7 @@
+ . $PCP_SHARE_DIR/lib/pmdaproc.sh
+
+ iam=sockets
++pmns_name=network.persocket # differs to PMDA name
+
+ pmdaSetup
+ pmdaRemove
+diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
+index 9bca5d9d0..fab4be290 100644
+--- a/src/pmdas/linux_sockets/pmda.c
++++ b/src/pmdas/linux_sockets/pmda.c
+@@ -23,6 +23,7 @@
+ #include "ss_stats.h"
+
+ static int _isDSO = 1; /* for local contexts */
++static char *username;
+
+ /* metrics supported in this PMDA - see metrictab.c */
+ extern pmdaMetric metrictable[];
+@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp)
+ pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
+ pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath);
+ }
++ else
++ pmSetProcessIdentity(username);
+
+ if (dp->status != 0)
+ return;
+@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = {
+ PMOPT_DEBUG,
+ PMDAOPT_DOMAIN,
+ PMDAOPT_LOGFILE,
++ PMDAOPT_USERNAME,
+ PMOPT_HELP,
+ PMDA_OPTIONS_END
+ };
+
+ static pmdaOptions opts = {
+- .short_options = "D:d:l:?",
++ .short_options = "D:d:l:U:?",
+ .long_options = longopts,
+ };
+
+@@ -248,6 +252,7 @@ main(int argc, char **argv)
+
+ _isDSO = 0;
+ pmSetProgname(argv[0]);
++ pmGetUsername(&username);
+ pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help",
+ pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
+ pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath);
+@@ -257,6 +262,8 @@ main(int argc, char **argv)
+ pmdaUsageMessage(&opts);
+ exit(1);
+ }
++ if (opts.username)
++ username = opts.username;
+
+ pmdaOpenLog(&dispatch);
+ sockets_init(&dispatch);
+
diff --git a/SPECS/pcp.spec b/SPECS/pcp.spec
index 654de60..732044a 100644
--- a/SPECS/pcp.spec
+++ b/SPECS/pcp.spec
@@ -1,6 +1,6 @@
Name: pcp
Version: 5.2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@@ -8,6 +8,8 @@ URL: https://pcp.io
%global bintray https://bintray.com/artifact/download
Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz
+Patch000: redhat-bugzilla-1926756.patch
+
%if 0%{?fedora} >= 26 || 0%{?rhel} > 7
%global __python2 python2
%else
@@ -2244,6 +2246,7 @@ updated policy package.
%prep
%setup -q
+%patch000 -p1
%build
# fix up build version
@@ -3485,6 +3488,10 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null
%endif
%changelog
+* Fri Feb 12 2021 Mark Goodwin <mgoodwin@redhat.com> - 5.2.5-3
+- specify pmns_name in sockets PMDA Install and Remove scripts
+- add selinux rules for pmcd to use netlink tcpdiag sockets (BZ 1926756)
+
* Mon Feb 08 2021 Andreas Gerstmayr <agerstmayr@redhat.com> - 5.2.5-2
- fixed typo in specfile (pcp-testsuite requires pcp-pmda-hacluster
and pcp-pmda-sockets instead of pcp-pmdas-hacluster etc.)