Update selinux policy for a pcp-5.3.7-6 patched rebuild
Related: rhbz#2072971
This commit is contained in:
parent
f6b8833040
commit
46da9c65c4
6
pcp.spec
6
pcp.spec
@ -1,6 +1,6 @@
|
||||
Name: pcp
|
||||
Version: 5.3.7
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: System-level performance monitoring and performance management
|
||||
License: GPLv2+ and LGPLv2+ and CC-BY
|
||||
URL: https://pcp.io
|
||||
@ -3353,8 +3353,10 @@ PCP_LOG_DIR=%{_logsdir}
|
||||
%files zeroconf -f pcp-zeroconf-files.rpm
|
||||
|
||||
%changelog
|
||||
* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
|
||||
* Thu May 06 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-6
|
||||
- Additional selinux policy rules for pmdasockets (BZ 1981886)
|
||||
|
||||
* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
|
||||
- Harden pmdapostfix(1) against missing Postfix (BZ 2059463)
|
||||
- Fix cgroups failure on non-x86_64 platforms (BZ 2081262)
|
||||
|
||||
|
@ -415,4 +415,45 @@ index 1a1b1428c..1462c5ccb 100644
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
|
||||
commit 2ad43633709acd01427b3ec48577cd2502bf6023
|
||||
Author: Jan Kurik <jkurik@redhat.com>
|
||||
Date: Fri May 6 08:04:46 2022 +1000
|
||||
|
||||
selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
|
||||
|
||||
Previous policy set did not apply correctly on ppc64le and aarch64
|
||||
architectures. After some tweaking the following set of permissions
|
||||
was found to work on all the supported architectures and fixes the
|
||||
behavior of the sockets PMDA.
|
||||
|
||||
Related to Red Hat BZ #1981886.
|
||||
|
||||
diff --git a/qa/917.out.in b/qa/917.out.in
|
||||
index 6a4356a12..f50ddc3c7 100644
|
||||
--- a/qa/917.out.in
|
||||
+++ b/qa/917.out.in
|
||||
@@ -156,7 +156,7 @@ Checking policies.
|
||||
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
|
||||
! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
||||
! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
||||
-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
|
||||
+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { getattr ioctl nlmsg_read nlmsg_write read write };
|
||||
allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
|
||||
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
||||
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
|
||||
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
|
||||
index 1462c5ccb..e6c34db3a 100644
|
||||
--- a/src/selinux/GNUlocaldefs
|
||||
+++ b/src/selinux/GNUlocaldefs
|
||||
@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
|
||||
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
|
||||
endif
|
||||
|
||||
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
|
||||
|
Loading…
Reference in New Issue
Block a user