From 7a099620e3cfe0b745633d4f1e6d3bdd81609c0c Mon Sep 17 00:00:00 2001
From: Sam Feifer
Date: Thu, 9 Jan 2025 10:46:02 -0500
Subject: [PATCH] Resolves: RHEL-73297

---
 pcp.spec | 6 +++++-
 selinux-pmie-and-pmlogger.patch | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 selinux-pmie-and-pmlogger.patch

diff --git a/pcp.spec b/pcp.spec
index 879484e..e172d73 100644
--- a/pcp.spec
+++ b/pcp.spec
@@ -1,6 +1,6 @@
 Name: pcp
 Version: 6.3.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0
 URL: https://pcp.io
@@ -8,6 +8,7 @@ URL: https://pcp.io
 Source0: https://github.com/performancecopilot/pcp/releases/pcp-%{version}.src.tar.gz
 Patch0: pcp-xsos-fixes.patch
+Patch1: selinux-pmie-and-pmlogger.patch
 
 %if 0%{?fedora} >= 40 || 0%{?rhel} >= 10
 ExcludeArch: %{ix86}
@@ -3600,6 +3601,9 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
+* Thu Jan 9 2025 Sam Feifer - 6.3.2-3
+- Fix selinux denials caused by pmie and pmlogger trying to access /dev/dm-*
+
 * Thu Nov 14 2024 Nathan Scott - 6.3.2-2
 - Back-port upstream bug fixes for pcp-xsos(1).
 
diff --git a/selinux-pmie-and-pmlogger.patch b/selinux-pmie-and-pmlogger.patch
new file mode 100644
index 0000000..21cfc2b
--- /dev/null
+++ b/selinux-pmie-and-pmlogger.patch
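Review bot: `Patch1: selinux-pmie-and-pmlogger.patch` is declared in the second hunk, but nothing in this diff applies it; whether it takes effect depends on the %prep section, which lies outside the hunks. If %prep uses `%autosetup` or `%autopatch` the new tag is picked up with the existing Patch0; if patches are applied individually, a matching `%patch1 -p1` (or `%patch -P1`) line is needed or the SELinux rules never reach the built policy module. The changelog line in the third hunk names only /dev/dm-*; stating the granted permissions as well, e.g. `- Allow pmie and pmlogger getattr on fixed_disk_device_t and read of sysfs symlinks (RHEL-73297)`, would make the release bump traceable without opening the patch.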
@@ -0,0 +1,24 @@
+diff --git a/src/selinux/pcp.te b/src/selinux/pcp.te
+index 46d921b5c..c03d03674 100644
+--- a/src/selinux/pcp.te
++++ b/src/selinux/pcp.te
+@@ -906,6 +906,9 @@ allow pcp_pmlogger_t etc_t:dir { add_name read remove_name write };
+ allow pcp_pmlogger_t etc_t:file { create unlink write };
+ allow pcp_pmlogger_t cgroup_t:file { getattr read open append write };
+ 
++allow pcp_pmlogger_t fixed_disk_device_t:blk_file getattr;
++allow pcp_pmlogger_t sysfs_t:lnk_file read;
++
+ #============= pcp_pmie_t ==============
+ # type=AVC msg=audit(N): avc: denied { execute execute_no_trans getattr open read } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read };
+@@ -940,6 +943,9 @@ allow pcp_pmie_t etc_t:dir { add_name read remove_name write };
+ allow pcp_pmie_t etc_t:file { create unlink write };
+ allow pcp_pmie_t cgroup_t:file { getattr read open append write };
+ 
++allow pcp_pmie_t fixed_disk_device_t:blk_file getattr;
++allow pcp_pmie_t sysfs_t:lnk_file read;
++
+ #============= pmda-lio ==============
+ # type=AVC msg=audit(N): avc: denied { open read search write } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
+ allow pcp_pmcd_t configfs_t:dir { open read search write };
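Review bot: The four new allow rules (pcp_pmlogger_t and pcp_pmie_t on fixed_disk_device_t:blk_file and sysfs_t:lnk_file) carry none of the `# type=AVC msg=audit(N): avc: denied ...` comments that pcp.te places above its rules to record the denial being resolved, as the pcp_pmie_t hostname_exec_t and pmda-lio rules in this same hunk show. Without that record a later maintainer cannot tell which access motivated each grant: the changelog points at /dev/dm-* for the block-device getattr, and the sysfs symlink read is presumably from resolving that device under /sys, but neither is visible in the policy itself. Suggest one comment per rule pair in the file's existing shape, for example `# type=AVC msg=audit(N): avc: denied { getattr } for pid=PID comm="pmlogger" path="/dev/dm-N" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0` (constructed from the changelog; substitute the actual audit record). Limiting the device grant to `getattr` rather than `read`/`open` keeps the rule at the minimum the denial needs, which is the right call and worth preserving if further denials surface.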