Add redhat-bugzilla-1926756.patch and bump to 5.2.5-3.
Next new src tarball will be from upstream 5.3.0.
parent
9c8bdd69c0
commit
af8c520034
9
pcp.spec
9
pcp.spec
@ -1,6 +1,6 @@
|
|||||||
Name: pcp
|
Name: pcp
|
||||||
Version: 5.2.5
|
Version: 5.2.5
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: System-level performance monitoring and performance management
|
Summary: System-level performance monitoring and performance management
|
||||||
License: GPLv2+ and LGPLv2+ and CC-BY
|
License: GPLv2+ and LGPLv2+ and CC-BY
|
||||||
URL: https://pcp.io
|
URL: https://pcp.io
|
||||||
@ -8,6 +8,8 @@ URL: https://pcp.io
|
|||||||
%global bintray https://bintray.com/artifact/download
|
%global bintray https://bintray.com/artifact/download
|
||||||
Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz
|
Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz
|
||||||
|
|
||||||
|
Patch000: redhat-bugzilla-1926756.patch
|
||||||
|
|
||||||
%if 0%{?fedora} >= 26 || 0%{?rhel} > 7
|
%if 0%{?fedora} >= 26 || 0%{?rhel} > 7
|
||||||
%global __python2 python2
|
%global __python2 python2
|
||||||
%else
|
%else
|
||||||
@ -2246,6 +2248,7 @@ updated policy package.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch000 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# fix up build version
|
# fix up build version
|
||||||
@ -3307,6 +3310,10 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null
|
|||||||
%files zeroconf -f pcp-zeroconf-files.rpm
|
%files zeroconf -f pcp-zeroconf-files.rpm
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 12 2021 Mark Goodwin <mgoodwin@redhat.com> - 5.2.5-3
|
||||||
|
- specify pmns_name in sockets PMDA Install and Remove scripts
|
||||||
|
- add selinux rules for pmcd to use netlink tcpdiag sockets (BZ 1926756)
|
||||||
|
|
||||||
* Wed Feb 10 2021 Nathan Scott <nathans@redhat.com> - 5.2.5-2
|
* Wed Feb 10 2021 Nathan Scott <nathans@redhat.com> - 5.2.5-2
|
||||||
- Update to latest PCP sources.
|
- Update to latest PCP sources.
|
||||||
- Fix pcp-dstat(1) sample count being off-by-one (BZ 1922768)
|
- Fix pcp-dstat(1) sample count being off-by-one (BZ 1922768)
|
||||||
|
205
redhat-bugzilla-1926756.patch
Normal file
205
redhat-bugzilla-1926756.patch
Normal file
@ -0,0 +1,205 @@
|
|||||||
|
commit d7679bd7cbb94692250a450bccf9f01cb982467f
|
||||||
|
Author: Mark Goodwin <mgoodwin@redhat.com>
|
||||||
|
Date: Fri Feb 12 10:12:59 2021 +1100
|
||||||
|
|
||||||
|
selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA
|
||||||
|
|
||||||
|
Add SELinux rules allowing pmcd to create, setopt, bind, getattr and
|
||||||
|
nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets.
|
||||||
|
|
||||||
|
Update qa/1622 and 917.
|
||||||
|
|
||||||
|
Resolves: RHBZ#1926756
|
||||||
|
|
||||||
|
diff --git a/qa/1622 b/qa/1622
|
||||||
|
index 83f260d6d..f62b5f89a 100755
|
||||||
|
--- a/qa/1622
|
||||||
|
+++ b/qa/1622
|
||||||
|
@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co
|
||||||
|
type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
|
||||||
|
type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
|
||||||
|
type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
|
||||||
|
+type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Silence is golden ... all AVC's are allowed by active policy"
|
||||||
|
diff --git a/qa/917.out.in b/qa/917.out.in
|
||||||
|
index 69c3b2d12..ddec57f9c 100644
|
||||||
|
--- a/qa/917.out.in
|
||||||
|
+++ b/qa/917.out.in
|
||||||
|
@@ -125,6 +125,7 @@ Checking policies.
|
||||||
|
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
|
||||||
|
allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
|
||||||
|
allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
|
||||||
|
+ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
|
||||||
|
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
||||||
|
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
|
||||||
|
allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl };
|
||||||
|
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
|
||||||
|
index 30b67d907..cbfa34c14 100644
|
||||||
|
--- a/src/selinux/GNUlocaldefs
|
||||||
|
+++ b/src/selinux/GNUlocaldefs
|
||||||
|
@@ -118,5 +118,7 @@ endif
|
||||||
|
|
||||||
|
ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"
|
||||||
|
PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };"
|
||||||
|
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
||||||
|
PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };"
|
||||||
|
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
|
||||||
|
endif
|
||||||
|
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
|
||||||
|
index e16859d7e..d04644fcb 100644
|
||||||
|
--- a/src/selinux/GNUmakefile
|
||||||
|
+++ b/src/selinux/GNUmakefile
|
||||||
|
@@ -80,6 +80,8 @@ $(IAM).te: $(IAM).te.in
|
||||||
|
-e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \
|
||||||
|
-e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \
|
||||||
|
-e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \
|
||||||
|
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \
|
||||||
|
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \
|
||||||
|
-e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
|
||||||
|
-e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
|
||||||
|
|
||||||
|
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
|
||||||
|
index 36a043be1..d935aee36 100644
|
||||||
|
--- a/src/selinux/pcpupstream.te.in
|
||||||
|
+++ b/src/selinux/pcpupstream.te.in
|
||||||
|
@@ -90,6 +90,7 @@ require {
|
||||||
|
@PCP_BPF_CLASS@
|
||||||
|
class system { module_request };
|
||||||
|
@PCP_NETLINK_GENERIC_SOCKET_CLASS@
|
||||||
|
+ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@
|
||||||
|
}
|
||||||
|
|
||||||
|
#============= init_t ==============
|
||||||
|
@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans };
|
||||||
|
# pmda-hacluster requirements for checking sbd
|
||||||
|
# type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1
|
||||||
|
@PCP_SBD_EXEC_RULE@
|
||||||
|
+
|
||||||
|
+#=========== pmda-sockets ============
|
||||||
|
+# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+# type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
|
||||||
|
+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@
|
||||||
|
|
||||||
|
commit a49772607d80b25b2ae4b8764be709bb27d7e16f
|
||||||
|
Author: Mark Goodwin <mgoodwin@redhat.com>
|
||||||
|
Date: Fri Feb 12 10:09:23 2021 +1100
|
||||||
|
|
||||||
|
pmdasockets: minor changes to Install and Remove, add -U username
|
||||||
|
|
||||||
|
Specify pmns_name in Install and Remove scripts since the pmda name
|
||||||
|
differs to the namespace. Add -U username for optional use when run
|
||||||
|
as a daemon.
|
||||||
|
|
||||||
|
diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile
|
||||||
|
index 34897f2e9..a32987ef7 100644
|
||||||
|
--- a/src/pmdas/linux_sockets/GNUmakefile
|
||||||
|
+++ b/src/pmdas/linux_sockets/GNUmakefile
|
||||||
|
@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h
|
||||||
|
LLDLIBS = $(PCP_PMDALIB)
|
||||||
|
LCFLAGS = $(INVISIBILITY)
|
||||||
|
|
||||||
|
-SCRIPTS = Install Remove
|
||||||
|
+SCRIPTS = Install Remove Upgrade
|
||||||
|
VERSION_SCRIPT = exports
|
||||||
|
LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log
|
||||||
|
|
||||||
|
diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install
|
||||||
|
index 4bc934c96..28d7c7f9e 100755
|
||||||
|
--- a/src/pmdas/linux_sockets/Install
|
||||||
|
+++ b/src/pmdas/linux_sockets/Install
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /bin/sh
|
||||||
|
+#!/usr/bin/sh
|
||||||
|
#
|
||||||
|
# Copyright (c) 2021 Red Hat.
|
||||||
|
#
|
||||||
|
@@ -25,6 +25,8 @@ dso_opt=true
|
||||||
|
pipe_opt=false
|
||||||
|
daemon_opt=false
|
||||||
|
|
||||||
|
+pmns_name=network.persocket # differs to PMDA name
|
||||||
|
+
|
||||||
|
which ss >/dev/null 2>&1
|
||||||
|
if [ $? -ne 0 ]
|
||||||
|
then
|
||||||
|
diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove
|
||||||
|
index 26edc85aa..3fee6a0e6 100755
|
||||||
|
--- a/src/pmdas/linux_sockets/Remove
|
||||||
|
+++ b/src/pmdas/linux_sockets/Remove
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /bin/sh
|
||||||
|
+#!/usr/bin/sh
|
||||||
|
#
|
||||||
|
# Copyright (c) 2021 Red Hat.
|
||||||
|
#
|
||||||
|
@@ -19,6 +19,7 @@
|
||||||
|
. $PCP_SHARE_DIR/lib/pmdaproc.sh
|
||||||
|
|
||||||
|
iam=sockets
|
||||||
|
+pmns_name=network.persocket # differs to PMDA name
|
||||||
|
|
||||||
|
pmdaSetup
|
||||||
|
pmdaRemove
|
||||||
|
diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
|
||||||
|
index 9bca5d9d0..fab4be290 100644
|
||||||
|
--- a/src/pmdas/linux_sockets/pmda.c
|
||||||
|
+++ b/src/pmdas/linux_sockets/pmda.c
|
||||||
|
@@ -23,6 +23,7 @@
|
||||||
|
#include "ss_stats.h"
|
||||||
|
|
||||||
|
static int _isDSO = 1; /* for local contexts */
|
||||||
|
+static char *username;
|
||||||
|
|
||||||
|
/* metrics supported in this PMDA - see metrictab.c */
|
||||||
|
extern pmdaMetric metrictable[];
|
||||||
|
@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp)
|
||||||
|
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
|
||||||
|
pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath);
|
||||||
|
}
|
||||||
|
+ else
|
||||||
|
+ pmSetProcessIdentity(username);
|
||||||
|
|
||||||
|
if (dp->status != 0)
|
||||||
|
return;
|
||||||
|
@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = {
|
||||||
|
PMOPT_DEBUG,
|
||||||
|
PMDAOPT_DOMAIN,
|
||||||
|
PMDAOPT_LOGFILE,
|
||||||
|
+ PMDAOPT_USERNAME,
|
||||||
|
PMOPT_HELP,
|
||||||
|
PMDA_OPTIONS_END
|
||||||
|
};
|
||||||
|
|
||||||
|
static pmdaOptions opts = {
|
||||||
|
- .short_options = "D:d:l:?",
|
||||||
|
+ .short_options = "D:d:l:U:?",
|
||||||
|
.long_options = longopts,
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -248,6 +252,7 @@ main(int argc, char **argv)
|
||||||
|
|
||||||
|
_isDSO = 0;
|
||||||
|
pmSetProgname(argv[0]);
|
||||||
|
+ pmGetUsername(&username);
|
||||||
|
pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help",
|
||||||
|
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
|
||||||
|
pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath);
|
||||||
|
@@ -257,6 +262,8 @@ main(int argc, char **argv)
|
||||||
|
pmdaUsageMessage(&opts);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
+ if (opts.username)
|
||||||
|
+ username = opts.username;
|
||||||
|
|
||||||
|
pmdaOpenLog(&dispatch);
|
||||||
|
sockets_init(&dispatch);
|
||||||
|
|
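Review bot: In the src/selinux/GNUlocaldefs hunk, the new `PCP_NETLINK_TCPDIAG_SOCKET_CLASS` and `PCP_NETLINK_TCPDIAG_SOCKET_RULE` assignments sit inside the existing `ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"` block, so the tcpdiag rule is gated on a probe for a different object class. On a base policy that defines netlink_generic_socket but not netlink_tcpdiag_socket, the `require { ... }` entry added to pcpupstream.te.in would presumably fail to resolve when the module is built or loaded. In the reverse case the pmdasockets allow rule is dropped without any diagnostic. A separate guard would decouple the two, for example `ifeq "$(PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS)" "true"`; that variable name is only a proposal and needs a matching configure probe, which this patch does not show. Separately, the rule is granted to `pcp_pmcd_t self`, which by the look of the AVC records covers pmcd and its children and not only the `ss` helper, so a one-line comment above `@PCP_NETLINK_TCPDIAG_SOCKET_RULE@` saying so would help later policy audits.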