Resolves: RHEL-73297

This commit is contained in:
Sam Feifer 2025-01-09 10:46:02 -05:00
parent 2b9e058c3a
commit 7a099620e3
2 changed files with 29 additions and 1 deletions

View File

@ -1,6 +1,6 @@
Name: pcp Name: pcp
Version: 6.3.2 Version: 6.3.2
Release: 2%{?dist} Release: 3%{?dist}
Summary: System-level performance monitoring and performance management Summary: System-level performance monitoring and performance management
License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0
URL: https://pcp.io URL: https://pcp.io
@ -8,6 +8,7 @@ URL: https://pcp.io
Source0: https://github.com/performancecopilot/pcp/releases/pcp-%{version}.src.tar.gz Source0: https://github.com/performancecopilot/pcp/releases/pcp-%{version}.src.tar.gz
Patch0: pcp-xsos-fixes.patch Patch0: pcp-xsos-fixes.patch
Patch1: selinux-pmie-and-pmlogger.patch
%if 0%{?fedora} >= 40 || 0%{?rhel} >= 10 %if 0%{?fedora} >= 40 || 0%{?rhel} >= 10
ExcludeArch: %{ix86} ExcludeArch: %{ix86}
@ -3600,6 +3601,9 @@ fi
%files zeroconf -f pcp-zeroconf-files.rpm %files zeroconf -f pcp-zeroconf-files.rpm
%changelog %changelog
* Thu Jan 9 2025 Sam Feifer <sfeifer@redhat.com> - 6.3.2-3
- Fix selinux denials caused by pmie and pmlogger trying to access /dev/dm-*
* Thu Nov 14 2024 Nathan Scott <nathans@redhat.com> - 6.3.2-2 * Thu Nov 14 2024 Nathan Scott <nathans@redhat.com> - 6.3.2-2
- Back-port upstream bug fixes for pcp-xsos(1). - Back-port upstream bug fixes for pcp-xsos(1).

View File

@ -0,0 +1,24 @@
diff --git a/src/selinux/pcp.te b/src/selinux/pcp.te
index 46d921b5c..c03d03674 100644
--- a/src/selinux/pcp.te
+++ b/src/selinux/pcp.te
@@ -906,6 +906,9 @@ allow pcp_pmlogger_t etc_t:dir { add_name read remove_name write };
allow pcp_pmlogger_t etc_t:file { create unlink write };
allow pcp_pmlogger_t cgroup_t:file { getattr read open append write };
+allow pcp_pmlogger_t fixed_disk_device_t:blk_file getattr;
+allow pcp_pmlogger_t sysfs_t:lnk_file read;
+
#============= pcp_pmie_t ==============
# type=AVC msg=audit(N): avc: denied { execute execute_no_trans getattr open read } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read };
@@ -940,6 +943,9 @@ allow pcp_pmie_t etc_t:dir { add_name read remove_name write };
allow pcp_pmie_t etc_t:file { create unlink write };
allow pcp_pmie_t cgroup_t:file { getattr read open append write };
+allow pcp_pmie_t fixed_disk_device_t:blk_file getattr;
+allow pcp_pmie_t sysfs_t:lnk_file read;
+
#============= pmda-lio ==============
# type=AVC msg=audit(N): avc: denied { open read search write } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t configfs_t:dir { open read search write };