diff --git a/pcp.spec b/pcp.spec
index f2b7e05..ce4880f 100644
--- a/pcp.spec
+++ b/pcp.spec
@@ -1,6 +1,6 @@
Name: pcp
Version: 5.3.7
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@@ -3353,8 +3353,10 @@ PCP_LOG_DIR=%{_logsdir}
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
-* Thu May 05 2022 Nathan Scott - 5.3.7-5
+* Thu May 06 2022 Nathan Scott - 5.3.7-6
- Additional selinux policy rules for pmdasockets (BZ 1981886)
+
+* Thu May 05 2022 Nathan Scott - 5.3.7-5
- Harden pmdapostfix(1) against missing Postfix (BZ 2059463)
- Fix cgroups failure on non-x86_64 platforms (BZ 2081262)
diff --git a/redhat-bugzilla-1981886-pmdasockets-backporting.patch b/redhat-bugzilla-1981886-pmdasockets-backporting.patch
index a2acfcf..fe9504b 100644
--- a/redhat-bugzilla-1981886-pmdasockets-backporting.patch
+++ b/redhat-bugzilla-1981886-pmdasockets-backporting.patch
@@ -415,4 +415,45 @@ index 1a1b1428c..1462c5ccb 100644
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
endif + ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"
+commit 2ad43633709acd01427b3ec48577cd2502bf6023
+Author: Jan Kurik
+Date: Fri May 6 08:04:46 2022 +1000
+
+ selinux: fine-tune netlink_tcpdiag_socket policy for all platforms
+
+ Previous policy set did not apply correctly on ppc64le and aarch64
+ architectures. After some tweaking the following set of permissions
+ was found to work on all the supported architectures and fixes the
+ behavior of the sockets PMDA.
+
+ Related to Red Hat BZ #1981886.
+
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 6a4356a12..f50ddc3c7 100644
+--- a/qa/917.out.in
++++ b/qa/917.out.in
+@@ -156,7 +156,7 @@ Checking policies.
+ allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
+ ! allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
+ ! allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
+-! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
++! allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { getattr ioctl nlmsg_read nlmsg_write read write };
+ allow [syslogd_t] [pcp_log_t] : [fifo_file] { open read write };
+ allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
+ allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
+diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
+index 1462c5ccb..e6c34db3a 100644
+--- a/src/selinux/GNUlocaldefs
++++ b/src/selinux/GNUlocaldefs
+@@ -138,8 +138,8 @@ PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket {
+ endif
+
+ ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"
+-PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
+-PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };"
++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { getattr ioctl nlmsg_read nlmsg_write read write };"
+ endif
+ ifeq "$(PCP_SELINUX_LOCKDOWN_CLASS)" "true"