Update selinux policy for pmlogger_daily

Resolves Red Hat BZ #2208154
2023-06-15 16:41:58 +10:00 · 2023-06-15 16:41:58 +10:00 · a6e85190e6
commit a6e85190e6
parent 3189c84fd5
2 changed files with 43 additions and 1 deletions
--- a/pcp.spec
+++ b/pcp.spec
@ -1,12 +1,13 @@
 Name:    pcp
 Version: 6.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io

 %global  artifactory https://performancecopilot.jfrog.io/artifactory
 Source0: %{artifactory}/pcp-source-release/pcp-%{version}.src.tar.gz
+Patch0:  redhat-bugzilla-2208154-selinux-pmlogger_daily.patch

 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@ -3362,6 +3363,9 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm

 %changelog
+* Thu Jun 15 2023 Nathan Scott <nathans@redhat.com> - 6.0.4-2
+- Resolve an selinux issue with pmlogger_daily (BZ 2208154)
+
 * Mon May 15 2023 Nathan Scott <nathans@redhat.com> - 6.0.4-1
 - Ensure pmcd.conf not rewritten needlessly (BZ 2166819)
 - Add support for pmieconf webhook action (BZ 2185803)
--- a/redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
+++ b/redhat-bugzilla-2208154-selinux-pmlogger_daily.patch
@ -0,0 +1,38 @@
+diff -Naurp pcp-6.0.4.orig/src/selinux/pcp.te pcp-6.0.4/src/selinux/pcp.te
+--- pcp-6.0.4.orig/src/selinux/pcp.te	2023-02-10 10:38:09.000000000 +1100
+++ pcp-6.0.4/src/selinux/pcp.te	2023-06-15 16:28:52.975028504 +1000
+@@ -279,6 +279,7 @@ allow pcp_pmlogger_t pcp_pmcd_t:unix_str
+ allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
+allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };
+ 
+ dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };
+ 
+@@ -313,6 +314,10 @@ optional_policy(`
+     rpm_script_signal(pcp_pmlogger_t)
+ ')
+ 
+optional_policy(`
+    userdom_setattr_user_home_content_files(pcp_pmlogger_t)
+')
+
+ ########################################
+ #
+ # pcp_plugin local  policy
+diff -Naurp pcp-6.0.4.orig/src/selinux/README pcp-6.0.4/src/selinux/README
+--- pcp-6.0.4.orig/src/selinux/README	2023-02-10 10:38:09.000000000 +1100
+++ pcp-6.0.4/src/selinux/README	2023-06-15 16:28:52.975028504 +1000
+@@ -98,8 +98,10 @@ In the src/selinux directory
+ == Installing ==
+ 
+     $ sudo semodule -X 200 -r pcp
+-(expect this to fail if a revised pcp.pp module has not previously
+-been installed)
+
+expect this to fail if a revised pcp.pp module has not previously
+been installed, in which case you'll need
+
+     $ sudo semodule -X 200 -i pcp.pp
+ 
+ or if semodule is too old to understand -X 200