From af8c520034c27f6e0c2c95121e6445f8e4545473 Mon Sep 17 00:00:00 2001 From: Mark Goodwin Date: Fri, 12 Feb 2021 16:17:01 +1100 Subject: [PATCH] Add redhat-bugzilla-1926756.patch and bump to 5.2.5-3. Next new src tarball will be from upstream 5.3.0. --- pcp.spec | 9 +- redhat-bugzilla-1926756.patch | 205 ++++++++++++++++++++++++++++++++++ 2 files changed, 213 insertions(+), 1 deletion(-) create mode 100644 redhat-bugzilla-1926756.patch diff --git a/pcp.spec b/pcp.spec index f46b8c6..189b174 100644 --- a/pcp.spec +++ b/pcp.spec @@ -1,6 +1,6 @@ Name: pcp Version: 5.2.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: System-level performance monitoring and performance management License: GPLv2+ and LGPLv2+ and CC-BY URL: https://pcp.io @@ -8,6 +8,8 @@ URL: https://pcp.io %global bintray https://bintray.com/artifact/download Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz +Patch000: redhat-bugzilla-1926756.patch + %if 0%{?fedora} >= 26 || 0%{?rhel} > 7 %global __python2 python2 %else @@ -2246,6 +2248,7 @@ updated policy package. %prep %setup -q +%patch000 -p1 %build # fix up build version @@ -3307,6 +3310,10 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null %files zeroconf -f pcp-zeroconf-files.rpm %changelog +* Fri Feb 12 2021 Mark Goodwin - 5.2.5-3 +- specify pmns_name in sockets PMDA Install and Remove scripts +- add selinux rules for pmcd to use netlink tcpdiag sockets (BZ 1926756) + * Wed Feb 10 2021 Nathan Scott - 5.2.5-2 - Update to latest PCP sources. - Fix pcp-dstat(1) sample count being off-by-one (BZ 1922768) diff --git a/redhat-bugzilla-1926756.patch b/redhat-bugzilla-1926756.patch new file mode 100644 index 0000000..779923d --- /dev/null +++ b/redhat-bugzilla-1926756.patch 
@@ -0,0 +1,205 @@ +commit d7679bd7cbb94692250a450bccf9f01cb982467f +Author: Mark Goodwin +Date: Fri Feb 12 10:12:59 2021 +1100 + + selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA + + Add SELinux rules allowing pmcd to create, setopt, bind, getattr and + nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets. + + Update qa/1622 and 917. + + Resolves: RHBZ#1926756 + +diff --git a/qa/1622 b/qa/1622 +index 83f260d6d..f62b5f89a 100755 +--- a/qa/1622 ++++ b/qa/1622 +@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co + type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0 + type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0 + type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 ++type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 + EOF + + echo "Silence is golden ... all AVC's are allowed by active policy" +diff --git a/qa/917.out.in b/qa/917.out.in +index 69c3b2d12..ddec57f9c 100644 +--- a/qa/917.out.in ++++ b/qa/917.out.in +@@ -125,6 +125,7 @@ Checking policies. + allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans }; + allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read }; + allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans }; ++ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt }; + allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; + allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read }; + allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl }; +diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs +index 30b67d907..cbfa34c14 100644 +--- a/src/selinux/GNUlocaldefs ++++ b/src/selinux/GNUlocaldefs +@@ -118,5 +118,7 @@ endif + + ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true" + PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };" ++PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" + PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };" ++PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" + endif +diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile +index e16859d7e..d04644fcb 100644 +--- a/src/selinux/GNUmakefile ++++ b/src/selinux/GNUmakefile +@@ -80,6 
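Review bot: The new PCP_NETLINK_TCPDIAG_SOCKET_CLASS and _RULE definitions in src/selinux/GNUlocaldefs sit inside the existing `ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"` block, so they are emitted whenever the netlink_generic_socket probe succeeds, with no check that the host policy also knows netlink_tcpdiag_socket. On a policy that has the generic class but not the tcpdiag class the `require { ... }` block generated from pcpupstream.te.in would presumably fail to compile, so either a dedicated probe variable or a comment such as `# netlink_tcpdiag_socket is assumed to be present wherever netlink_generic_socket is` should record the assumption. The permission set `{ bind create getattr nlmsg_read setopt }` matches exactly the AVCs captured in qa/1622 and grants no write/read, which is the right least-privilege shape for a diag-only socket.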
+80,8 @@ $(IAM).te: $(IAM).te.in + -e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \ + -e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \ + -e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \ ++ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \ ++ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \ + -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \ + -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \ + +diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in +index 36a043be1..d935aee36 100644 +--- a/src/selinux/pcpupstream.te.in ++++ b/src/selinux/pcpupstream.te.in +@@ -90,6 +90,7 @@ require { + @PCP_BPF_CLASS@ + class system { module_request }; + @PCP_NETLINK_GENERIC_SOCKET_CLASS@ ++ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@ + } + + #============= init_t ============== +@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans }; + # pmda-hacluster requirements for checking sbd + # type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1 + @PCP_SBD_EXEC_RULE@ ++ ++#=========== pmda-sockets ============ ++# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++# type=AVC 
msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 ++@PCP_NETLINK_TCPDIAG_SOCKET_RULE@ + +commit a49772607d80b25b2ae4b8764be709bb27d7e16f +Author: Mark Goodwin +Date: Fri Feb 12 10:09:23 2021 +1100 + + pmdasockets: minor changes to Install and Remove, add -U username + + Specify pmns_name in Install and Remove scripts since the pmda name + differs to the namespace. Add -U username for optional use when run + as a daemon. + +diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile +index 34897f2e9..a32987ef7 100644 +--- a/src/pmdas/linux_sockets/GNUmakefile ++++ b/src/pmdas/linux_sockets/GNUmakefile +@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h + LLDLIBS = $(PCP_PMDALIB) + LCFLAGS = $(INVISIBILITY) + +-SCRIPTS = Install Remove ++SCRIPTS = Install Remove Upgrade + VERSION_SCRIPT = exports + LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log + +diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install +index 4bc934c96..28d7c7f9e 100755 +--- a/src/pmdas/linux_sockets/Install ++++ b/src/pmdas/linux_sockets/Install +@@ -1,4 +1,4 @@ +-#! /bin/sh ++#!/usr/bin/sh + # + # Copyright (c) 2021 Red Hat. + # +@@ -25,6 +25,8 @@ dso_opt=true + pipe_opt=false + daemon_opt=false + ++pmns_name=network.persocket # differs to PMDA name ++ + which ss >/dev/null 2>&1 + if [ $? -ne 0 ] + then +diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove +index 26edc85aa..3fee6a0e6 100755 +--- a/src/pmdas/linux_sockets/Remove ++++ b/src/pmdas/linux_sockets/Remove +@@ -1,4 +1,4 @@ +-#! /bin/sh ++#!/usr/bin/sh + # + # Copyright (c) 2021 Red Hat. + # +@@ -19,6 +19,7 @@ + . 
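Review bot: `SCRIPTS = Install Remove Upgrade` in src/pmdas/linux_sockets/GNUmakefile names an Upgrade script that this patch never creates — the inner commit only edits Install and Remove and its message mentions no Upgrade file — so unless the 5.2.5 source tarball already ships `src/pmdas/linux_sockets/Upgrade`, the install rules that iterate $(SCRIPTS) will reference a missing file. Either add the Upgrade script to redhat-bugzilla-1926756.patch or drop this one-line hunk from the backport and keep `SCRIPTS = Install Remove`. The rest of the GNUmakefile is outside the hunk, so I cannot confirm how $(SCRIPTS) is consumed there.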
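Review bot: The shebang change from `#! /bin/sh` to `#!/usr/bin/sh` in src/pmdas/linux_sockets/Install (and the identical hunk in Remove) assumes a merged /usr, which holds for the Fedora/RHEL target of this spec but not for every platform PCP builds on. Since the change is unrelated to RHBZ#1926756, the safer backport keeps `#! /bin/sh` and lets the upstream tree decide on the interpreter path; if it is kept, the pcp.spec changelog entry should mention it so the deviation from the tarball is visible to the next packager.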
$PCP_SHARE_DIR/lib/pmdaproc.sh + + iam=sockets ++pmns_name=network.persocket # differs to PMDA name + + pmdaSetup + pmdaRemove +diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c +index 9bca5d9d0..fab4be290 100644 +--- a/src/pmdas/linux_sockets/pmda.c ++++ b/src/pmdas/linux_sockets/pmda.c +@@ -23,6 +23,7 @@ + #include "ss_stats.h" + + static int _isDSO = 1; /* for local contexts */ ++static char *username; + + /* metrics supported in this PMDA - see metrictab.c */ + extern pmdaMetric metrictable[]; +@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp) + pmGetConfig("PCP_PMDAS_DIR"), sep, sep); + pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath); + } ++ else ++ pmSetProcessIdentity(username); + + if (dp->status != 0) + return; +@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = { + PMOPT_DEBUG, + PMDAOPT_DOMAIN, + PMDAOPT_LOGFILE, ++ PMDAOPT_USERNAME, + PMOPT_HELP, + PMDA_OPTIONS_END + }; + + static pmdaOptions opts = { +- .short_options = "D:d:l:?", ++ .short_options = "D:d:l:U:?", + .long_options = longopts, + }; + +@@ -248,6 +252,7 @@ main(int argc, char **argv) + + _isDSO = 0; + pmSetProgname(argv[0]); ++ pmGetUsername(&username); + pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help", + pmGetConfig("PCP_PMDAS_DIR"), sep, sep); + pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath); +@@ -257,6 +262,8 @@ main(int argc, char **argv) + pmdaUsageMessage(&opts); + exit(1); + } ++ if (opts.username) ++ username = opts.username; + + pmdaOpenLog(&dispatch); + sockets_init(&dispatch); +
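Review bot: The return value of `pmSetProcessIdentity(username)` added in the daemon branch of sockets_init (hunk `@@ -200,6 +201,8 @@` of pmda.c) is discarded, so if the library reports a failed identity switch rather than exiting, the PMDA keeps running as the user that launched it; confirm libpcp's contract for that call or check its result before continuing. The bare `else pmSetProcessIdentity(username);` also drops the braces the adjacent `if (_isDSO) { ... }` uses — `else { pmSetProcessIdentity(username); }` keeps the block style consistent and makes the privilege-drop site easy to spot. The username is set by `pmGetUsername(&username)` before option parsing and overridden by `opts.username` afterwards, which is the usual PCP ordering, but sockets_init begins outside the hunk and main continues past its last hunk, so the remaining paths could not be checked here.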