import pcp-5.3.7-15.el8

SOURCES/redhat-bugzilla-1981886-pmdasockets-backporting.patch

@@ -372,88 +372,3 @@ index 183db5afa..009a00cd9 100644
      __int32_t		v6only;
      char		skmem_str[64];
      __int32_t		skmem_rmem_alloc;
-commit 77ba20d5e76ada83283a262dd2083b2fc284b5f8
-Author: Nathan Scott <nathans@redhat.com>
-Date:   Thu May 5 09:33:46 2022 +1000
-
-    selinux: policy updates needed for the pmdasockets metrics
-    
-    Thanks to Jan Kurík and Miloš Malík we have the additional
-    selinux policy requirements - without these we see QE test
-    failures for this agent with pcp-ss(1) on RHEL.
-    
-    Related to Red Hat BZ #1981886.
-
-diff --git a/qa/917.out.in b/qa/917.out.in
-index 3bd1dc15e..6a4356a12 100644
---- a/qa/917.out.in
-+++ b/qa/917.out.in
-@@ -154,9 +154,9 @@ Checking policies.
- # -- end logging_watch_journal_dirs(pcp_domain) expansion
-   allow [pcp_pmcd_t] [cluster_tmpfs_t] : [file] { write };
-   allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
--  allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
--  allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
--  allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
-+! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
-+! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
-+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
-   allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
-   allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
-   allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
-diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
-index 1a1b1428c..1462c5ccb 100644
---- a/src/selinux/GNUlocaldefs
-+++ b/src/selinux/GNUlocaldefs
-@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
- endif
- 
- ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
--PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
--PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
-+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
-+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
- endif
- 
- ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
-commit a6222992fe5f97f94bdddd928ce9557be1918bfd
-Author: Jan Kurik <jkurik@redhat.com>
-Date:   Fri May 6 08:04:46 2022 +1000
-
-    selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
-    
-    Previous policy set did not apply correctly on ppc64le and aarch64
-    architectures.  After some tweaking the following set of permissions
-    was found to work on all the supported architectures and fixes the
-    behavior of the sockets PMDA.
-    
-    Related to Red Hat BZ #1981886.
-
-diff --git a/qa/917.out.in b/qa/917.out.in
-index 6a4356a12..723193aa2 100644
---- a/qa/917.out.in
-+++ b/qa/917.out.in
-@@ -156,7 +156,7 @@ Checking policies.
-   allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
- ! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
- ! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
--! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
-+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };
-   allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
-   allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
-   allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
-diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
-index 1462c5ccb..9733aead9 100644
---- a/src/selinux/GNUlocaldefs
-+++ b/src/selinux/GNUlocaldefs
-@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
- endif
- 
- ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
--PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
--PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
-+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };"
-+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };"
- endif
- 
- ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"

SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch

@@ -1,66 +0,0 @@
-From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
-From: Andreas Gerstmayr <agerstmayr@redhat.com>
-Date: Fri, 13 May 2022 13:47:50 +0200
-Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
- created by ctypes/libffi (#1593)
-
-Resolves the following AVC:
-
-    type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
----
- qa/1622                       | 1 +
- qa/917.out.in                 | 1 +
- src/selinux/pcpupstream.te.in | 7 +++++++
- 3 files changed, 9 insertions(+)
-
-diff --git a/qa/1622 b/qa/1622
-index be7987e225..03ecc4eb42 100755
---- a/qa/1622
-+++ b/qa/1622
-@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc:  denied  { execute } for  pid=8656 comm="sh" na
- type=AVC msg=audit(YYY.25): avc:  denied  { read } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
- type=AVC msg=audit(YYY.26): avc:  denied  { open } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
- type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
-+type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
- type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
- # matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
- #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
-diff --git a/qa/917.out.in b/qa/917.out.in
-index 3bd1dc15e0..8b92c0c5ff 100644
---- a/qa/917.out.in
-+++ b/qa/917.out.in
-@@ -40,6 +40,7 @@ Checking policies.
-   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
- ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
-   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
-+  allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
- ! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
- ! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
- ! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
-diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
-index 673b178413..2c15c61ba3 100644
---- a/src/selinux/pcpupstream.te.in
-+++ b/src/selinux/pcpupstream.te.in
-@@ -39,6 +39,7 @@ require {
- 	type pcp_pmlogger_t;
- 	type pcp_pmproxy_t;
- 	type pcp_tmp_t;
-+	type pcp_tmpfs_t;
- 	type pcp_var_lib_t;
- 	type ping_exec_t; # pmda.netcheck
- 	type postgresql_var_run_t;
-@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
- #type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
- allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
- 
-+# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
-+#type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
-+# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
-+# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
-+can_exec(pcp_pmcd_t, pcp_tmpfs_t)
-+
- # pmda.perfevent
- #type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
- #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0

SOURCES/redhat-bugzilla-2083897-dstat-missed-ticks.patch

@@ -0,0 +1,74 @@
+diff -Naurp pcp-5.3.7.orig/src/pcp/dstat/pcp-dstat.1 pcp-5.3.7/src/pcp/dstat/pcp-dstat.1
+--- pcp-5.3.7.orig/src/pcp/dstat/pcp-dstat.1	2021-05-26 17:43:26.000000000 +1000
++++ pcp-5.3.7/src/pcp/dstat/pcp-dstat.1	2022-10-20 08:57:02.176922290 +1100
+@@ -1,6 +1,6 @@
+ '\"macro stdmacro
+ .\"
+-.\" Copyright (c) 2018-2020 Red Hat.
++.\" Copyright (c) 2018-2022 Red Hat.
+ .\"
+ .\" This program is free software; you can redistribute it and/or modify it
+ .\" under the terms of the GNU General Public License as published by the
+@@ -34,6 +34,7 @@
+ [\f3\-\-integer\f1]
+ [\f3\-\-nocolor\f1]
+ [\f3\-\-noheaders\f1]
++[\f3\-\-nomissed\f1]
+ [\f3\-\-noupdate\f1]
+ [\f3\-\-list\f1]
+ [\f3\-\-pidfile\f1 \f2pid-file\f1]
+@@ -404,6 +405,9 @@ disable colors
+ \fB\-\-noheaders\fR
+ disable repetitive headers
+ .TP
++\fB\-\-nomissed\fR
++disable missed ticks warnings for intermediate samples.
++.TP
+ \fB\-\-noupdate\fR
+ disable intermediate updates when \fIdelay\fR greater than 1.
+ .TP
+diff -Naurp pcp-5.3.7.orig/src/pcp/dstat/pcp-dstat.py pcp-5.3.7/src/pcp/dstat/pcp-dstat.py
+--- pcp-5.3.7.orig/src/pcp/dstat/pcp-dstat.py	2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/src/pcp/dstat/pcp-dstat.py	2022-10-20 08:57:02.176922290 +1100
+@@ -455,6 +455,7 @@ class DstatTool(object):
+ 
+         # Internal
+         self.missed = 0
++        self.nomissed = False # report missed ticks by default
+         self.runtime = -1
+         self.plugins = []     # list of requested plugin names
+         self.allplugins = []  # list of all known plugin names
+@@ -783,7 +784,8 @@ class DstatTool(object):
+         opts.pmSetLongOption('color', 0, '', '', 'force colors')
+         opts.pmSetLongOption('nocolor', 0, '', '', 'disable colors')
+         opts.pmSetLongOption('noheaders', 0, '', '', 'disable repetitive headers')
+-        opts.pmSetLongOption('noupdate', 0, '', '', 'disable intermediate headers')
++        opts.pmSetLongOption('noupdate', 0, '', '', 'disable intermediate updates')
++        opts.pmSetLongOption('nomissed', 0, '', '', 'disable missed ticks warnings')
+         opts.pmSetLongOption('output', 1, 'o', 'file', 'write CSV output to file')
+         opts.pmSetLongOption('version', 0, 'V', '', '')
+         opts.pmSetLongOption('debug', 1, None, '', '')
+@@ -920,6 +922,8 @@ class DstatTool(object):
+             self.header = False
+         elif opt in ['noupdate']:
+             self.update = False
++        elif opt in ['nomissed']:
++            self.nomissed = True
+         elif opt in ['o', 'output']:
+             self.output = arg
+         elif opt in ['pidfile']:
+@@ -1773,12 +1777,12 @@ class DstatTool(object):
+             outputfile = open(self.output, omode)
+             outputfile.write(oline)
+ 
+-        if self.missed > 0:
++        if self.missed > 0 and self.nomissed is False:
+             line = 'missed ' + str(self.missed + 1) + ' ticks'
+             sys.stdout.write(' ' + THEME['error'] + line + THEME['input'])
+             if self.output and step == self.delay:
+                 outputfile.write(',"' + line + '"')
+-            self.missed = 0
++        self.missed = 0
+         # Finish the line
+         if not op.update and self.novalues is False:
+             sys.stdout.write('\n')

SOURCES/redhat-bugzilla-2135314-pmfind-fix.patch

@@ -0,0 +1,534 @@
+diff -Naurp pcp-5.3.7.orig/qa/1985 pcp-5.3.7/qa/1985
+--- pcp-5.3.7.orig/qa/1985	1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/qa/1985	2022-10-19 21:32:03.971832371 +1100
+@@ -0,0 +1,38 @@
++#!/bin/sh
++# PCP QA Test No. 1985
++# Exercise a pmfind fix - valgrind-enabled variant.
++#
++# Copyright (c) 2022 Red Hat.  All Rights Reserved.
++#
++
++seq=`basename $0`
++echo "QA output created by $seq"
++
++# get standard environment, filters and checks
++. ./common.product
++. ./common.filter
++. ./common.check
++
++_check_valgrind
++
++_cleanup()
++{
++    cd $here
++    $sudo rm -rf $tmp $tmp.*
++}
++
++status=0	# success is the default!
++$sudo rm -rf $tmp $tmp.* $seq.full
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++# real QA test starts here
++export seq
++./1986 --valgrind \
++| $PCP_AWK_PROG '
++skip == 1 && $1 == "==="       { skip = 0 }
++/^=== std err ===/             { skip = 1 }
++skip == 0              { print }
++skip == 1              { print >>"'$here/$seq.full'" }'
++
++# success, all done
++exit
+diff -Naurp pcp-5.3.7.orig/qa/1985.out pcp-5.3.7/qa/1985.out
+--- pcp-5.3.7.orig/qa/1985.out	1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/qa/1985.out	2022-10-19 21:32:03.971832371 +1100
+@@ -0,0 +1,11 @@
++QA output created by 1985
++QA output created by 1986 --valgrind
++=== std out ===
++SOURCE HOSTNAME
++=== filtered valgrind report ===
++Memcheck, a memory error detector
++Command: pmfind -S -m probe=127.0.0.1/32
++LEAK SUMMARY:
++definitely lost: 0 bytes in 0 blocks
++indirectly lost: 0 bytes in 0 blocks
++ERROR SUMMARY: 0 errors from 0 contexts ...
+diff -Naurp pcp-5.3.7.orig/qa/1986 pcp-5.3.7/qa/1986
+--- pcp-5.3.7.orig/qa/1986	1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/qa/1986	2022-10-19 21:32:03.971832371 +1100
+@@ -0,0 +1,62 @@
++#!/bin/sh
++# PCP QA Test No. 1986
++# Exercise libpcp_web timers pmfind regression fix.
++#
++# Copyright (c) 2022 Red Hat.  All Rights Reserved.
++#
++
++if [ $# -eq 0 ]
++then
++    seq=`basename $0`
++    echo "QA output created by $seq"
++else
++    # use $seq from caller, unless not set
++    [ -n "$seq" ] || seq=`basename $0`
++    echo "QA output created by `basename $0` $*"
++fi
++
++# get standard environment, filters and checks
++. ./common.product
++. ./common.filter
++. ./common.check
++
++do_valgrind=false
++if [ "$1" = "--valgrind" ]
++then
++    _check_valgrind
++    do_valgrind=true
++fi
++
++test -x $PCP_BIN_DIR/pmfind || _notrun No support for pmfind
++
++_cleanup()
++{
++    cd $here
++    $sudo rm -rf $tmp $tmp.*
++}
++
++status=0	# success is the default!
++hostname=`hostname || echo localhost`
++$sudo rm -rf $tmp $tmp.* $seq.full
++trap "_cleanup; exit \$status" 0 1 2 3 15
++
++_filter()
++{
++    sed \
++	-e "s@$tmp@TMP@g" \
++	-e "s/ $hostname/ HOSTNAME/" \
++	-e 's/^[a-f0-9][a-f0-9]* /SOURCE /' \
++    # end
++}
++
++# real QA test starts here
++if $do_valgrind
++then
++    _run_valgrind pmfind -S -m probe=127.0.0.1/32
++else
++    pmfind -S -m probe=127.0.0.1/32
++fi \
++| _filter
++
++# success, all done
++exit
+diff -Naurp pcp-5.3.7.orig/qa/1986.out pcp-5.3.7/qa/1986.out
+--- pcp-5.3.7.orig/qa/1986.out	1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/qa/1986.out	2022-10-19 21:32:03.971832371 +1100
+@@ -0,0 +1,2 @@
++QA output created by 1986
++SOURCE HOSTNAME
+diff -Naurp pcp-5.3.7.orig/qa/group pcp-5.3.7/qa/group
+--- pcp-5.3.7.orig/qa/group	2022-10-19 20:49:42.638708707 +1100
++++ pcp-5.3.7/qa/group	2022-10-19 21:32:03.972832359 +1100
+@@ -1974,4 +1974,6 @@ x11
+ 1957 libpcp local valgrind
+ 1978 atop local
+ 1984 pmlogconf pmda.redis local
++1985 pmfind local valgrind
++1986 pmfind local
+ 4751 libpcp threads valgrind local pcp helgrind
+diff -Naurp pcp-5.3.7.orig/src/libpcp_web/src/webgroup.c pcp-5.3.7/src/libpcp_web/src/webgroup.c
+--- pcp-5.3.7.orig/src/libpcp_web/src/webgroup.c	2021-11-01 13:02:26.000000000 +1100
++++ pcp-5.3.7/src/libpcp_web/src/webgroup.c	2022-10-19 21:32:03.973832346 +1100
+@@ -287,11 +287,24 @@ webgroup_new_context(pmWebGroupSettings
+ }
+ 
+ static void
++webgroup_timers_stop(struct webgroups *groups)
++{
++    if (groups->active) {
++	uv_timer_stop(&groups->timer);
++	uv_close((uv_handle_t *)&groups->timer, NULL);
++	pmWebTimerRelease(groups->timerid);
++	groups->timerid = -1;
++	groups->active = 0;
++    }
++}
++
++static void
+ webgroup_garbage_collect(struct webgroups *groups)
+ {
+     dictIterator        *iterator;
+     dictEntry           *entry;
+     context_t		*cp;
++    unsigned int	count = 0, drops = 0;
+ 
+     if (pmDebugOptions.http || pmDebugOptions.libweb)
+ 	fprintf(stderr, "%s: started\n", "webgroup_garbage_collect");
+@@ -308,33 +321,40 @@ webgroup_garbage_collect(struct webgroup
+ 		uv_mutex_unlock(&groups->mutex);
+ 		webgroup_drop_context(cp, groups);
+ 		uv_mutex_lock(&groups->mutex);
++		drops++;
+ 	    }
++	    count++;
+ 	}
+ 	dictReleaseIterator(iterator);
++
++	/* if dropping the last remaining context, do cleanup */
++	if (groups->active && drops == count) {
++	    if (pmDebugOptions.http || pmDebugOptions.libweb)
++		fprintf(stderr, "%s: freezing\n", "webgroup_garbage_collect");
++	    webgroup_timers_stop(groups);
++	}
+ 	uv_mutex_unlock(&groups->mutex);
+     }
+ 
+     if (pmDebugOptions.http || pmDebugOptions.libweb)
+-	fprintf(stderr, "%s: finished\n", "webgroup_garbage_collect");
++	fprintf(stderr, "%s: finished [%u drops from %u entries]\n",
++			"webgroup_garbage_collect", drops, count);
+ }
+ 
+ static void
+ refresh_maps_metrics(void *data)
+ {
+     struct webgroups	*groups = (struct webgroups *)data;
++    unsigned int	value;
+ 
+-    if (groups->metrics) {
+-	unsigned int	value;
+-
+-	value = dictSize(contextmap);
+-	mmv_set(groups->map, groups->metrics[CONTEXT_MAP_SIZE], &value);
+-	value = dictSize(namesmap);
+-	mmv_set(groups->map, groups->metrics[NAMES_MAP_SIZE], &value);
+-	value = dictSize(labelsmap);
+-	mmv_set(groups->map, groups->metrics[LABELS_MAP_SIZE], &value);
+-	value = dictSize(instmap);
+-	mmv_set(groups->map, groups->metrics[INST_MAP_SIZE], &value);
+-    }
++    value = contextmap? dictSize(contextmap) : 0;
++    mmv_set(groups->map, groups->metrics[CONTEXT_MAP_SIZE], &value);
++    value = namesmap? dictSize(namesmap) : 0;
++    mmv_set(groups->map, groups->metrics[NAMES_MAP_SIZE], &value);
++    value = labelsmap? dictSize(labelsmap) : 0;
++    mmv_set(groups->map, groups->metrics[LABELS_MAP_SIZE], &value);
++    value = instmap? dictSize(instmap) : 0;
++    mmv_set(groups->map, groups->metrics[INST_MAP_SIZE], &value);
+ }
+ 
+ static void
+@@ -487,6 +507,7 @@ pmWebGroupDestroy(pmWebGroupSettings *se
+ 	if (pmDebugOptions.libweb)
+ 	    fprintf(stderr, "%s: destroy context %p gp=%p\n", "pmWebGroupDestroy", cp, gp);
+ 
++	webgroup_deref_context(cp);
+ 	webgroup_drop_context(cp, gp);
+     }
+     sdsfree(msg);
+@@ -2394,17 +2415,12 @@ pmWebGroupClose(pmWebGroupModule *module
+ 
+     if (groups) {
+ 	/* walk the contexts, stop timers and free resources */
+-	if (groups->active) {
+-	    groups->active = 0;
+-	    uv_timer_stop(&groups->timer);
+-	    pmWebTimerRelease(groups->timerid);
+-	    groups->timerid = -1;
+-	}
+ 	iterator = dictGetIterator(groups->contexts);
+ 	while ((entry = dictNext(iterator)) != NULL)
+ 	    webgroup_drop_context((context_t *)dictGetVal(entry), NULL);
+ 	dictReleaseIterator(iterator);
+ 	dictRelease(groups->contexts);
++	webgroup_timers_stop(groups);
+ 	memset(groups, 0, sizeof(struct webgroups));
+ 	free(groups);
+     }
+diff -Naurp pcp-5.3.7.orig/src/pmfind/source.c pcp-5.3.7/src/pmfind/source.c
+--- pcp-5.3.7.orig/src/pmfind/source.c	2021-02-17 15:27:41.000000000 +1100
++++ pcp-5.3.7/src/pmfind/source.c	2022-10-19 21:32:03.973832346 +1100
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020 Red Hat.
++ * Copyright (c) 2020,2022 Red Hat.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU General Public License as published by the
+@@ -25,6 +25,7 @@ static pmWebGroupSettings settings;
+ typedef struct {
+     sds			source;
+     sds			hostspec;
++    unsigned int	refcount;
+ } context_t;
+ 
+ typedef struct {
+@@ -38,22 +39,34 @@ typedef struct {
+ } sources_t;
+ 
+ static void
++source_release(sources_t *sp, context_t *cp, sds ctx)
++{
++    pmWebGroupDestroy(&settings, ctx, sp);
++    sdsfree(cp->hostspec);
++    sdsfree(cp->source);
++    free(cp);
++}
++
++static void
+ sources_release(void *arg, const struct dictEntry *entry)
+ {
+     sources_t	*sp = (sources_t *)arg;
+     context_t	*cp = (context_t *)dictGetVal(entry);
+     sds		ctx = (sds)entry->key;
+ 
+-    pmWebGroupDestroy(&settings, ctx, sp);
+-    sdsfree(cp->hostspec);
+-    sdsfree(cp->source);
++    if (pmDebugOptions.discovery)
++	fprintf(stderr, "releasing context %s\n", ctx);
++
++    source_release(sp, cp, ctx);
+ }
+ 
+ static void
+-sources_containers(sources_t *sp, sds id, dictEntry *uniq)
++sources_containers(sources_t *sp, context_t *cp, sds id, dictEntry *uniq)
+ {
+     uv_mutex_lock(&sp->mutex);
+-    sp->count++;	/* issuing another PMWEBAPI request */
++    /* issuing another PMWEBAPI request */
++    sp->count++;
++    cp->refcount++;
+     uv_mutex_unlock(&sp->mutex);
+ 
+     pmWebGroupScrape(&settings, id, sp->params, sp);
+@@ -75,6 +88,7 @@ on_source_context(sds id, pmWebSource *s
+ 
+     cp->source = sdsdup(src->source);
+     cp->hostspec = sdsdup(src->hostspec);
++    cp->refcount = 1;
+ 
+     uv_mutex_lock(&sp->mutex);
+     dictAdd(sp->contexts, id, cp);
+@@ -84,7 +98,7 @@ on_source_context(sds id, pmWebSource *s
+     if (entry) {	/* source just discovered */
+ 	printf("%s %s\n", src->source, src->hostspec);
+ 	if (containers)
+-	    sources_containers(sp, id, entry);
++	    sources_containers(sp, cp, id, entry);
+     }
+ }
+ 
+@@ -116,7 +130,9 @@ static void
+ on_source_done(sds context, int status, sds message, void *arg)
+ {
+     sources_t	*sp = (sources_t *)arg;
+-    int		count = 0, release = 0;
++    context_t	*cp;
++    dictEntry	*he;
++    int		remove = 0, count = 0, release = 0;
+ 
+     if (pmDebugOptions.discovery)
+ 	fprintf(stderr, "done on context %s (sts=%d)\n", context, status);
+@@ -127,19 +143,26 @@ on_source_done(sds context, int status,
+     uv_mutex_lock(&sp->mutex);
+     if ((count = --sp->count) <= 0)
+ 	release = 1;
++    if ((he = dictFind(sp->contexts, context)) != NULL &&
++	(cp = (context_t *)dictGetVal(he)) != NULL &&
++	(--cp->refcount <= 0))
++	remove = 1;
+     uv_mutex_unlock(&sp->mutex);
+ 
++    if (remove) {
++	if (pmDebugOptions.discovery)
++	    fprintf(stderr, "remove context %s\n", context);
++	source_release(sp, cp, context);
++	dictDelete(sp->contexts, context);
++    }
++
+     if (release) {
+ 	unsigned long	cursor = 0;
+-
+-	if (pmDebugOptions.discovery)
+-	   fprintf(stderr, "release context %s (sts=%d)\n", context, status);
+ 	do {
+ 	    cursor = dictScan(sp->contexts, cursor, sources_release, NULL, sp);
+ 	} while (cursor);
+-    } else {
+-	if (pmDebugOptions.discovery)
+-	    fprintf(stderr, "not yet releasing (count=%d)\n", count);
++    } else if (pmDebugOptions.discovery) {
++	fprintf(stderr, "not yet releasing (count=%d)\n", count);
+     }
+ }
+ 
+@@ -190,6 +213,7 @@ sources_discovery_start(uv_timer_t *arg)
+     }
+ 
+     dictRelease(dp);
++    pmWebTimerClose();
+ }
+ 
+ /*
+@@ -214,8 +238,8 @@ source_discovery(int count, char **urls)
+     uv_mutex_init(&find.mutex);
+     find.urls = urls;
+     find.count = count;	/* at least one PMWEBAPI request for each url */
+-    find.uniq = dictCreate(&sdsDictCallBacks, NULL);
+-    find.params = dictCreate(&sdsDictCallBacks, NULL);
++    find.uniq = dictCreate(&sdsKeyDictCallBacks, NULL);
++    find.params = dictCreate(&sdsOwnDictCallBacks, NULL);
+     dictAdd(find.params, sdsnew("name"), sdsnew("containers.state.running"));
+     find.contexts = dictCreate(&sdsKeyDictCallBacks, NULL);
+ 
+@@ -230,6 +254,7 @@ source_discovery(int count, char **urls)
+ 
+     pmWebGroupSetup(&settings.module);
+     pmWebGroupSetEventLoop(&settings.module, loop);
++    pmWebTimerSetEventLoop(loop);
+ 
+     /*
+      * Start a one-shot timer to add a start function into the loop
+@@ -244,7 +269,9 @@ source_discovery(int count, char **urls)
+     /*
+      * Finished, release all resources acquired so far
+      */
++    pmWebGroupClose(&settings.module);
+     uv_mutex_destroy(&find.mutex);
++    dictRelease(find.uniq);
+     dictRelease(find.params);
+     dictRelease(find.contexts);
+     return find.status;
+diff -Naurp pcp-5.3.7.orig/src/pmproxy/src/server.c pcp-5.3.7/src/pmproxy/src/server.c
+--- pcp-5.3.7.orig/src/pmproxy/src/server.c	2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/src/pmproxy/src/server.c	2022-10-19 21:31:43.831093354 +1100
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018-2019,2021 Red Hat.
++ * Copyright (c) 2018-2019,2021-2022 Red Hat.
+  *
+  * This program is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as published
+@@ -310,17 +310,21 @@ on_write_callback(uv_callback_t *handle,
+     struct client		*client = (struct client *)request->writer.data;
+     int				sts;
+ 
++    (void)handle;
+     if (pmDebugOptions.af)
+ 	fprintf(stderr, "%s: client=%p\n", "on_write_callback", client);
+ 
+     if (client->stream.secure == 0) {
+ 	sts = uv_write(&request->writer, (uv_stream_t *)&client->stream,
+ 		 &request->buffer[0], request->nbuffers, request->callback);
+-	if (sts != 0)
+-	    fprintf(stderr, "%s: ERROR uv_write failed\n", "on_write_callback");
++	if (sts != 0) {
++	    pmNotifyErr(LOG_ERR, "%s: %s - uv_write failed [%s]: %s\n",
++			pmGetProgname(), "on_write_callback",
++			uv_err_name(sts), uv_strerror(sts));
++	    client_close(client);
++	}
+     } else
+ 	secure_client_write(client, request);
+-    (void)handle;
+     return 0;
+ }
+ 
+@@ -455,14 +459,16 @@ on_client_connection(uv_stream_t *stream
+     uv_handle_t		*handle;
+ 
+     if (status != 0) {
+-	fprintf(stderr, "%s: client connection failed: %s\n",
+-			pmGetProgname(), uv_strerror(status));
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++		    pmGetProgname(), "on_client_connection", "connection",
++		    uv_err_name(status), uv_strerror(status));
+ 	return;
+     }
+ 
+     if ((client = calloc(1, sizeof(*client))) == NULL) {
+-	fprintf(stderr, "%s: out-of-memory for new client\n",
+-			pmGetProgname());
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++			pmGetProgname(), "on_client_connection", "calloc",
++			"ENOMEM", strerror(ENOMEM));
+ 	return;
+     }
+     if (pmDebugOptions.context | pmDebugOptions.af)
+@@ -476,16 +482,18 @@ on_client_connection(uv_stream_t *stream
+ 
+     status = uv_tcp_init(proxy->events, &client->stream.u.tcp);
+     if (status != 0) {
+-	fprintf(stderr, "%s: client tcp init failed: %s\n",
+-			pmGetProgname(), uv_strerror(status));
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++		    pmGetProgname(), "on_client_connection", "uv_tcp_init",
++		    uv_err_name(status), uv_strerror(status));
+ 	client_put(client);
+ 	return;
+     }
+ 
+     status = uv_accept(stream, (uv_stream_t *)&client->stream.u.tcp);
+     if (status != 0) {
+-	fprintf(stderr, "%s: client tcp init failed: %s\n",
+-			pmGetProgname(), uv_strerror(status));
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++		    pmGetProgname(), "on_client_connection", "uv_accept",
++		    uv_err_name(status), uv_strerror(status));
+ 	client_put(client);
+ 	return;
+     }
+@@ -496,8 +504,9 @@ on_client_connection(uv_stream_t *stream
+     status = uv_read_start((uv_stream_t *)&client->stream.u.tcp,
+ 			    on_buffer_alloc, on_client_read);
+     if (status != 0) {
+-	fprintf(stderr, "%s: client read start failed: %s\n",
+-			pmGetProgname(), uv_strerror(status));
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++		    pmGetProgname(), "on_client_connection", "uv_read_start",
++		    uv_err_name(status), uv_strerror(status));
+ 	client_close(client);
+     }
+ }
+@@ -530,8 +539,9 @@ open_request_port(struct proxy *proxy, s
+ 
+     sts = uv_listen((uv_stream_t *)&stream->u.tcp, maxpending, on_client_connection);
+     if (sts != 0) {
+-	fprintf(stderr, "%s: socket listen error %s\n",
+-			pmGetProgname(), uv_strerror(sts));
++	pmNotifyErr(LOG_ERR, "%s: %s - uv_listen failed [%s]: %s\n",
++			pmGetProgname(), "open_request_port",
++			uv_err_name(sts), uv_strerror(sts));
+ 	uv_close(handle, NULL);
+ 	return -ENOTCONN;
+     }
+@@ -554,15 +564,23 @@ open_request_local(struct proxy *proxy,
+     uv_pipe_init(proxy->events, &stream->u.local, 0);
+     handle = (uv_handle_t *)&stream->u.local;
+     handle->data = (void *)proxy;
+-    uv_pipe_bind(&stream->u.local, name);
++    sts = uv_pipe_bind(&stream->u.local, name);
++    if (sts != 0) {
++	pmNotifyErr(LOG_ERR, "%s: %s - uv_pipe_bind %s failed [%s]: %s\n",
++			pmGetProgname(), "open_request_local", name,
++			uv_err_name(sts), uv_strerror(sts));
++	uv_close(handle, NULL);
++	return -ENOTCONN;
++    }
+ #ifdef HAVE_UV_PIPE_CHMOD
+     uv_pipe_chmod(&stream->u.local, UV_READABLE | UV_WRITABLE);
+ #endif
+ 
+     sts = uv_listen((uv_stream_t *)&stream->u.local, maxpending, on_client_connection);
+     if (sts != 0) {
+-	fprintf(stderr, "%s: local listen error %s\n",
+-			pmGetProgname(), uv_strerror(sts));
++	pmNotifyErr(LOG_ERR, "%s: %s - %s failed [%s]: %s\n",
++		    pmGetProgname(), "open_request_local", "uv_listen",
++		    uv_err_name(sts), uv_strerror(sts));
+ 	uv_close(handle, NULL);
+         return -ENOTCONN;
+     }

SOURCES/redhat-build-jsonsl.patch

@@ -0,0 +1,50 @@
+diff --git a/src/pmdas/podman/.gitignore b/src/pmdas/podman/.gitignore
+index a4f35e0f43..aea2c4052e 100644
+--- a/src/pmdas/podman/.gitignore
++++ b/src/pmdas/podman/.gitignore
+@@ -2,8 +2,6 @@ deps/
+ domain.h
+ pmdapodman
+ pmda_podman.so
+-jsonsl.c
+-jsonsl.h
+ help.dir
+ help.pag
+ exports
+diff --git a/src/pmdas/podman/GNUmakefile b/src/pmdas/podman/GNUmakefile
+index d6e58cfca5..1117a7a4e4 100644
+--- a/src/pmdas/podman/GNUmakefile
++++ b/src/pmdas/podman/GNUmakefile
+@@ -83,6 +83,7 @@ domain.h: ../../pmns/stdpmid
+ $(OBJECTS): domain.h
+ pmda.o: $(VERSION_SCRIPT)
+ pmda.o:	$(TOPDIR)/src/include/pcp/libpcp.h
++podman.o: $(JSONSL_HFILES)
+ 
+ check:: $(CFILES) $(HFILES)
+ 	$(CLINT) $^
+diff --git a/src/pmdas/root/.gitignore b/src/pmdas/root/.gitignore
+index 21f507f0dd..b78b1fd28a 100644
+--- a/src/pmdas/root/.gitignore
++++ b/src/pmdas/root/.gitignore
+@@ -1,8 +1,6 @@
+ deps/
+ domain.h
+ pmdaroot
+-jsonsl.c
+-jsonsl.h
+ help.dir
+ help.pag
+ pmns
+diff --git a/src/pmdas/root/GNUmakefile b/src/pmdas/root/GNUmakefile
+index ed01a18fb8..b02d4ea834 100644
+--- a/src/pmdas/root/GNUmakefile
++++ b/src/pmdas/root/GNUmakefile
+@@ -83,6 +83,7 @@ pmns :
+ 	$(LN_S) -f root_root pmns
+ 
+ lxc.o root.o:	$(TOPDIR)/src/include/pcp/libpcp.h
++podman.o:	$(JSONSL_HFILES)
+ 
+ check:: $(CFILES) $(HFILES)
+ 	$(CLINT) $^

SPECS/pcp.spec

@@ -1,6 +1,6 @@
 Name:    pcp
 Version: 5.3.7
-Release: 9%{?dist}
+Release: 15%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io
@@ -12,9 +12,12 @@ Patch1:  redhat-bugzilla-1981886-pmdasockets-backporting.patch
 Patch2:  redhat-bugzilla-2059461-pmie-systemd-fixup.patch
 Patch3:  redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch
 Patch4:  redhat-bugzilla-2059463-pmdapostfix-harden.patch
-Patch5:  redhat-bugzilla-2050094-bcc-selinux.patch
-Patch6:  redhat-bugzilla-2093751-sudoers-docs.patch
-Patch7:  redhat-bugzilla-2101574-farm-config.patch
+Patch5:  redhat-bugzilla-2083897-dstat-missed-ticks.patch
+Patch6:  redhat-bugzilla-2111742-selinux-policy.patch
+Patch7:  redhat-bugzilla-2093751-sudoers-docs.patch
+Patch8:  redhat-bugzilla-2101574-farm-config.patch
+Patch9:  redhat-bugzilla-2135314-pmfind-fix.patch
+Patch10: redhat-build-jsonsl.patch
 
 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@@ -297,36 +300,27 @@ BuildRequires: qt5-qtsvg-devel
 
 Requires: bash xz gawk sed grep findutils which %{_hostname_executable}
 Requires: pcp-libs = %{version}-%{release}
-%if !%{disable_selinux}
 
+%if !%{disable_selinux}
 # rpm boolean dependencies are supported since RHEL 8
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 8
-# This ensures that the pcp-selinux package and all it's dependencies are not pulled
-# into containers and other systems that do not use SELinux
+# This ensures that the pcp-selinux package and all its dependencies are
+# not pulled into containers and other systems that do not use SELinux
 Requires: (pcp-selinux = %{version}-%{release} if selinux-policy-targeted)
 %else
 Requires: pcp-selinux = %{version}-%{release}
 %endif
-
 %endif
 
 %global _confdir        %{_sysconfdir}/pcp
 %global _logsdir        %{_localstatedir}/log/pcp
 %global _pmnsdir        %{_localstatedir}/lib/pcp/pmns
-%global _pmnsexecdir    %{_libexecdir}/pcp/pmns
-%global _tempsdir       %{_localstatedir}/lib/pcp/tmp
 %global _pmdasdir       %{_localstatedir}/lib/pcp/pmdas
 %global _pmdasexecdir   %{_libexecdir}/pcp/pmdas
 %global _testsdir       %{_localstatedir}/lib/pcp/testsuite
-%global _selinuxdir     %{_localstatedir}/lib/pcp/selinux
-%global _selinuxexecdir %{_libexecdir}/pcp/selinux
-%global _logconfdir     %{_localstatedir}/lib/pcp/config/pmlogconf
+%global _ieconfigdir    %{_localstatedir}/lib/pcp/config/pmie
 %global _ieconfdir      %{_localstatedir}/lib/pcp/config/pmieconf
-%global _tapsetdir      %{_datadir}/systemtap/tapset
-%global _bashcompdir    %{_datadir}/bash-completion/completions
-%global _pixmapdir      %{_datadir}/pcp-gui/pixmaps
-%global _hicolordir     %{_datadir}/icons/hicolor
-%global _booksdir       %{_datadir}/doc/pcp-doc
+%global _selinuxdir     %{_datadir}/selinux/packages/targeted
 
 %if 0%{?fedora} >= 20 || 0%{?rhel} >= 8
 %global _with_doc --with-docdir=%{_docdir}/%{name}
@@ -447,14 +441,13 @@ else
 fi
 }
 
-%global selinux_handle_policy() %{expand:
-if [ %1 -ge 1 ]
+%global run_pmieconf() %{expand:
+if [ -w "%1" ]
 then
-    %{_libexecdir}/pcp/bin/selinux-setup %{_selinuxdir} install %2
-elif [ %1 -eq 0 ]
-then
-    %{_libexecdir}/pcp/bin/selinux-setup %{_selinuxdir} remove %2
-fi
+    pmieconf -c enable "%2"
+else
+    echo "WARNING: Cannot write to %1, skipping pmieconf enable of %2." >&2
+fi  
 }
 
 %description
@@ -2301,6 +2294,9 @@ updated policy package.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 %build
 # the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step)
@@ -2448,7 +2444,7 @@ total_manifest | keep 'tutorials|/html/|pcp-doc|man.*\.[1-9].*' | cull 'out' >pc
 total_manifest | keep 'testsuite|etc/systemd/system|libpcp_fault|pcp/fault.h' >pcp-testsuite-files
 
 basic_manifest | keep "$PCP_GUI|pcp-gui|applications|pixmaps|hicolor" | cull 'pmtime.h' >pcp-gui-files
-basic_manifest | keep 'selinux' | cull 'tmp|GNUselinuxdefs' >pcp-selinux-files
+basic_manifest | keep 'selinux' | cull 'tmp|testsuite' >pcp-selinux-files
 basic_manifest | keep 'zeroconf|daily[-_]report|/sa$' >pcp-zeroconf-files
 basic_manifest | grep -E -e 'pmiostat|pmrep|dstat|htop|pcp2csv' \
    -e 'pcp-atop|pcp-dmcache|pcp-dstat|pcp-free|pcp-htop' \
@@ -2692,6 +2688,9 @@ done
 %endif
 
 %pre testsuite
+%if !%{disable_selinux}
+%selinux_relabel_pre -s targeted
+%endif
 test -d %{_testsdir} || mkdir -p -m 755 %{_testsdir}
 getent group pcpqa >/dev/null || groupadd -r pcpqa
 getent passwd pcpqa >/dev/null || \
@@ -2700,6 +2699,11 @@ chown -R pcpqa:pcpqa %{_testsdir} 2>/dev/null
 exit 0
 
 %post testsuite
+%if !%{disable_selinux}
+semodule -r pcpqa >/dev/null 2>&1 || true
+%selinux_modules_install -s targeted %{_selinuxdir}/pcp-testsuite.pp.bz2
+%selinux_relabel_post -s targeted
+%endif
 chown -R pcpqa:pcpqa %{_testsdir} 2>/dev/null
 %if 0%{?rhel}
 %if !%{disable_systemd}
@@ -2714,6 +2718,14 @@ chown -R pcpqa:pcpqa %{_testsdir} 2>/dev/null
 %endif
 exit 0
 
+%if !%{disable_selinux}
+%postun testsuite
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s targeted pcp-testsuite
+    %selinux_relabel_post -s targeted
+fi
+%endif
+
 %pre
 getent group pcp >/dev/null || groupadd -r pcp
 getent passwd pcp >/dev/null || \
@@ -3000,6 +3012,7 @@ fi
 PCP_PMDAS_DIR=%{_pmdasdir}
 PCP_SYSCONFIG_DIR=%{_sysconfdir}/sysconfig
 PCP_PMCDCONF_PATH=%{_confdir}/pmcd/pmcd.conf
+PCP_PMIECONFIG_DIR=%{_ieconfigdir}
 # auto-install important PMDAs for RH Support (if not present already)
 for PMDA in dm nfsclient openmetrics ; do
     if ! grep -q "$PMDA/pmda$PMDA" "$PCP_PMCDCONF_PATH"
@@ -3008,7 +3021,7 @@ for PMDA in dm nfsclient openmetrics ; do
     fi
 done
 # auto-enable these usually optional pmie rules
-pmieconf -c enable dmthin
+%{run_pmieconf "$PCP_PMIECONFIG_DIR" dmthin}
 %if 0%{?rhel}
 %if !%{disable_systemd}
     systemctl restart pmcd pmlogger pmie >/dev/null 2>&1
@@ -3023,17 +3036,6 @@ pmieconf -c enable dmthin
 %endif
 %endif
 
-%if !%{disable_selinux}
-%post selinux
-%{selinux_handle_policy "$1" "pcpupstream"}
-
-%triggerin selinux -- docker-selinux
-%{selinux_handle_policy "$1" "pcpupstream-docker"}
-
-%triggerin selinux -- container-selinux
-%{selinux_handle_policy "$1" "pcpupstream-container"}
-%endif
-
 %post
 PCP_PMNS_DIR=%{_pmnsdir}
 PCP_LOG_DIR=%{_logsdir}
@@ -3072,14 +3074,21 @@ PCP_LOG_DIR=%{_logsdir}
 %endif
 
 %if !%{disable_selinux}
-%preun selinux
-%{selinux_handle_policy "$1" "pcpupstream"}
+%pre selinux
+%selinux_relabel_pre -s targeted
 
-%triggerun selinux -- docker-selinux
-%{selinux_handle_policy "$1" "pcpupstream-docker"}
+%post selinux
+semodule -r pcpupstream-container >/dev/null 2>&1 || true
+semodule -r pcpupstream-docker >/dev/null 2>&1 || true
+semodule -r pcpupstream >/dev/null 2>&1 || true
+%selinux_modules_install -s targeted %{_selinuxdir}/pcp.pp.bz2
+%selinux_relabel_post -s targeted
 
-%triggerun selinux -- container-selinux
-%{selinux_handle_policy "$1" "pcpupstream-container"}
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s targeted pcp
+    %selinux_relabel_post -s targeted
+fi
 %endif
 
 %files -f pcp-files.rpm
@@ -3098,6 +3107,7 @@ PCP_LOG_DIR=%{_logsdir}
 
 %if !%{disable_selinux}
 %files selinux -f pcp-selinux-files.rpm
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/pcp
 %endif
 
 %if !%{disable_qt}
@@ -3358,6 +3368,11 @@ PCP_LOG_DIR=%{_logsdir}
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
+* Thu Oct 27 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-15
+- Backport independent selinux policy rework (BZ 2111742)
+- Fix invalid memory access in pmfind utility (BZ 2135314)
+- Allow pcp-dstat(1) missed ticks suppression (BZ 2083897)
+
 * Mon Sep 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-9
 - Additional selinux policy rules for pmdabcc (BZ 2050094)
 - Describe working sudoers requiretty configuration (BZ 2093751)