Update selinux policy for a pcp-5.3.7-6 patched rebuild

Related: rhbz#2072971
Nathan Scott 2022-05-06 08:24:38 +10:00
parent f6b8833040
commit 46da9c65c4
2 changed files with 45 additions and 2 deletions


@ -1,6 +1,6 @@
Name: pcp
Version: 5.3.7
Release: 5%{?dist}
Release: 6%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@ -3353,8 +3353,10 @@ PCP_LOG_DIR=%{_logsdir}
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
* Thu May 06 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-6
- Additional selinux policy rules for pmdasockets (BZ 1981886)
* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
- Harden pmdapostfix(1) against missing Postfix (BZ 2059463)
- Fix cgroups failure on non-x86_64 platforms (BZ 2081262)


@ -415,4 +415,45 @@ index 1a1b1428c..1462c5ccb 100644
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
endif
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
commit 2ad43633709acd01427b3ec48577cd2502bf6023
Author: Jan Kurik <jkurik@redhat.com>
Date: Fri May 6 08:04:46 2022 +1000
selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
Previous policy set did not apply correctly on ppc64le and aarch64
architectures. After some tweaking the following set of permissions
was found to work on all the supported architectures and fixes the
behavior of the sockets PMDA.
Related to Red Hat BZ #1981886.
diff --git a/qa/917.out.in b/qa/917.out.in
index 6a4356a12..f50ddc3c7 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -156,7 +156,7 @@ Checking policies.
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
+! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { getattr ioctl nlmsg_read nlmsg_write read write };
allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index 1462c5ccb..e6c34db3a 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
endif
ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
endif
ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
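Review bot: The replacement rule on the GNUlocaldefs `+` lines grants pcp_pmcd_t `nlmsg_write` on netlink_tcpdiag_socket, which in the kernel's netlink message permission table is the permission for SOCK_DESTROY rather than for the SOCK_DIAG_BY_FAMILY queries a read-only sockets PMDA issues, and the inner commit message says the set "was found to work", so it reads as empirically derived rather than minimal. Unless an AVC denial for nlmsg_write was actually observed, the rule, the matching `class` declaration and the qa/917.out.in expectation should drop it: `PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { getattr ioctl nlmsg_read read write };"`. The new set also removes `create`, `bind` and `connect` from this class; presumably socket creation is covered by another rule not visible in this hunk, but that should be confirmed with audit2allow output on ppc64le and aarch64 before shipping. A one-line comment in GNUlocaldefs recording which denials drove the permission set would keep the next tweak from re-widening it.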