Update selinux policy for a pcp-5.3.7-6 patched rebuild

Related: rhbz#2072971

pcp.spec

@@ -1,6 +1,6 @@
 Name:    pcp
 Version: 5.3.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io
@@ -3353,8 +3353,10 @@ PCP_LOG_DIR=%{_logsdir}
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
-* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
+* Thu May 06 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-6
 - Additional selinux policy rules for pmdasockets (BZ 1981886)
+
+* Thu May 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-5
 - Harden pmdapostfix(1) against missing Postfix (BZ 2059463)
 - Fix cgroups failure on non-x86_64 platforms (BZ 2081262)
 

redhat-bugzilla-1981886-pmdasockets-backporting.patch

@@ -415,4 +415,45 @@ index 1a1b1428c..1462c5ccb 100644
 +PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
  endif
  
+ ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
+commit 2ad43633709acd01427b3ec48577cd2502bf6023
+Author: Jan Kurik <jkurik@redhat.com>
+Date:   Fri May 6 08:04:46 2022 +1000
+
+    selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
+    
+    Previous policy set did not apply correctly on ppc64le and aarch64
+    architectures.  After some tweaking the following set of permissions
+    was found to work on all the supported architectures and fixes the
+    behavior of the sockets PMDA.
+    
+    Related to Red Hat BZ #1981886.
+
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 6a4356a12..f50ddc3c7 100644
+--- a/qa/917.out.in
++++ b/qa/917.out.in
+@@ -156,7 +156,7 @@ Checking policies.
+   allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
+ ! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
+ ! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
+-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
++! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { getattr ioctl nlmsg_read nlmsg_write read write };
+   allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
+   allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
+   allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
+diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
+index 1462c5ccb..e6c34db3a 100644
+--- a/src/selinux/GNUlocaldefs
++++ b/src/selinux/GNUlocaldefs
+@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
+ endif
+ 
+ ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
+-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
+-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
+ endif
+ 
  ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"