From 9571bdec95570ccd7494e1f81ee6f32843ddb99c Mon Sep 17 00:00:00 2001
From: Sam Feifer
Date: Fri, 3 Jan 2025 16:19:05 -0500
Subject: [PATCH] Resolves: RHEL-69085

---
 pcp.spec | 6 +++++-
 selinux-pmie-and-pmlogger.patch | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 selinux-pmie-and-pmlogger.patch

diff --git a/pcp.spec b/pcp.spec
index 929f315..4f46d99 100644
--- a/pcp.spec
+++ b/pcp.spec
@@ -1,6 +1,6 @@
 Name: pcp
 Version: 6.3.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPL-2.0-or-later AND LGPL-2.1-or-later AND CC-BY-3.0
 URL: https://pcp.io
@@ -11,6 +11,7 @@ Patch0: pcp-xsos-fixes.patch
 # Keep xx-default-archive-version.patch for the life of RHEL9
 Patch1: redhat-issues-RHEL-2317-default-archive-version.patch
 Patch2: redhat-issues-RHEL-58953-perl-drop-Y2038-checks.patch
+Patch3: selinux-pmie-and-pmlogger.patch
 
 %if 0%{?fedora} >= 40 || 0%{?rhel} >= 10
 ExcludeArch: %{ix86}
@@ -3603,6 +3604,9 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
+* Fri Jan 3 2025 Sam Feifer - 6.3.2-3
+- Fix selinux denials caused by pmie and pmlogger trying to access /dev/dm-*
+
 * Thu Nov 14 2024 Nathan Scott - 6.3.2-2
 - Back-port upstream bug fixes for pcp-xsos(1).
 
diff --git a/selinux-pmie-and-pmlogger.patch b/selinux-pmie-and-pmlogger.patch
new file mode 100644
index 0000000..21cfc2b
--- /dev/null
+++ b/selinux-pmie-and-pmlogger.patch
@@ -0,0 +1,24 @@
+diff --git a/src/selinux/pcp.te b/src/selinux/pcp.te
+index 46d921b5c..c03d03674 100644
+--- a/src/selinux/pcp.te
++++ b/src/selinux/pcp.te
+@@ -906,6 +906,9 @@ allow pcp_pmlogger_t etc_t:dir { add_name read remove_name write };
+ allow pcp_pmlogger_t etc_t:file { create unlink write };
+ allow pcp_pmlogger_t cgroup_t:file { getattr read open append write };
+ 
++allow pcp_pmlogger_t fixed_disk_device_t:blk_file getattr;
++allow pcp_pmlogger_t sysfs_t:lnk_file read;
++
+ #============= pcp_pmie_t ==============
+ # type=AVC msg=audit(N): avc: denied { execute execute_no_trans getattr open read } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read };
+@@ -940,6 +943,9 @@ allow pcp_pmie_t etc_t:dir { add_name read remove_name write };
+ allow pcp_pmie_t etc_t:file { create unlink write };
+ allow pcp_pmie_t cgroup_t:file { getattr read open append write };
+ 
++allow pcp_pmie_t fixed_disk_device_t:blk_file getattr;
++allow pcp_pmie_t sysfs_t:lnk_file read;
++
+ #============= pmda-lio ==============
+ # type=AVC msg=audit(N): avc: denied { open read search write } for pid=PID comm="pmdaX" name="/" dev="tracefs" ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
+ allow pcp_pmcd_t configfs_t:dir { open read search write };
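Review bot: The four new `allow` rules in pcp.te (two for `pcp_pmlogger_t`, two for `pcp_pmie_t`) omit the `# type=AVC msg=audit(N): avc: denied { ... }` comment that this file places directly above each rule to record the denial that motivated it, as the neighbouring `hostname_exec_t` and `configfs_t` rules show, so a later reader cannot tell which process path needed `getattr` on `fixed_disk_device_t` or which sysfs symlink is being read. I would add the audit line for each domain above its pair of rules, e.g. `# type=AVC msg=audit(N): avc: denied { getattr } for pid=PID comm="pmlogger" path="/dev/dm-N" ... tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0`, filled in from the RHEL-69085 denials, and a second one for the `sysfs_t:lnk_file` read. That comment should also note that, as I understand the reference policy, `fixed_disk_device_t` labels all fixed-disk block nodes (e.g. /dev/sd*), not only the /dev/dm-* devices named in the changelog; the grant is acceptable because it is `getattr` only (stat metadata, no open/read), and any future denial asking for `read` on these nodes should be reviewed separately rather than widened here. The `sysfs_t:lnk_file read` grant presumably resolves /sys/block or /sys/dev/block symlinks for the same device lookup, but that is an inference and the comment should state the actual path.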