rpms/pcp
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update 9.0-beta to pcp-5.3.0 with selinux and a spec patch.

Browse Source 
Resolves: rhbz#1957575
Resolves: rhbz#1940971
Resolves: rhbz#1942879
This commit is contained in:
Nathan Scott 2021-05-06 15:15:30 +10:00
parent 3ad1352bb1
commit cca1c17b35
5 changed files with 129 additions and 257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
pcp.spec
View File

@ -1,15 +1,14 @@
Name: pcp
Version: 5.2.5
Release: 5%{?dist}
Version: 5.3.0
Release: 1%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
%global bintray https://bintray.com/artifact/download
Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz
%global artifactory https://performancecopilot.jfrog.io/artifactory
Source0: %{artifactory}/pcp-source-release/pcp-%{version}.src.tar.gz
Patch000: redhat-bugzilla-1926756.patch
Patch001: redhat-bugzilla-1930284.patch
Patch000: redhat-bugzilla-1940971.patch
%if 0%{?fedora} >= 26 || 0%{?rhel} > 7
%global __python2 python2
@ -211,6 +210,16 @@ Provides: pcp-webapi = %{version}-%{release}
Obsoletes: pcp-manager-debuginfo < 5.2.0
Obsoletes: pcp-manager < 5.2.0
# Some older releases did not update or replace pcp-gui-debuginfo properly
%if 0%{?fedora} < 27 && 0%{?rhel} <= 7 && "%{_vendor}" == "redhat"
Obsoletes: pcp-gui-debuginfo < 4.1.1
%endif
Obsoletes: pcp-compat < 4.2.0
Obsoletes: pcp-monitor < 4.2.0
Obsoletes: pcp-collector < 4.2.0
Obsoletes: pcp-pmda-nvidia < 3.10.5
# https://fedoraproject.org/wiki/Packaging "C and C++"
BuildRequires: make
BuildRequires: gcc gcc-c++
@ -261,7 +270,8 @@ BuildRequires: perl-generators
%endif
BuildRequires: perl-devel perl(strict)
BuildRequires: perl(ExtUtils::MakeMaker) perl(LWP::UserAgent) perl(JSON)
BuildRequires: perl(LWP::UserAgent) perl(Time::HiRes) perl(Digest::MD5)
BuildRequires: perl(Time::HiRes) perl(Digest::MD5)
BuildRequires: perl(XML::LibXML) perl(File::Slurp)
BuildRequires: man %{_hostname_executable}
%if !%{disable_systemd}
BuildRequires: systemd-devel systemd-rpm-macros
@ -277,23 +287,14 @@ BuildRequires: qt5-qtsvg-devel
%endif
Requires: bash xz gawk sed grep findutils which %{_hostname_executable}
%if 0%{?rhel} > 8
Requires: cyrus-sasl-scram
%endif
Requires: pcp-libs = %{version}-%{release}
%if !%{disable_selinux}
Requires: pcp-selinux = %{version}-%{release}
%endif
# Some older releases did not update or replace pcp-gui-debuginfo properly
%if 0%{?fedora} < 27 && 0%{?rhel} <= 7 && "%{_vendor}" == "redhat"
Obsoletes: pcp-gui-debuginfo < 4.1.1
%endif
Obsoletes: pcp-compat < 4.2.0
Obsoletes: pcp-monitor < 4.2.0
Obsoletes: pcp-collector < 4.2.0
Obsoletes: pcp-pmda-nvidia < 3.10.5
Requires: pcp-libs = %{version}-%{release}
%global _confdir %{_sysconfdir}/pcp
%global _logsdir %{_localstatedir}/log/pcp
%global _pmnsdir %{_localstatedir}/lib/pcp/pmns
@ -2250,7 +2251,6 @@ updated policy package.
%prep
%setup -q
%patch000 -p1
%patch001 -p1
%build
# fix up build version
@ -2448,7 +2448,7 @@ basic_manifest | keep '(etc/pcp|pmdas)/memcache(/|$)' >pcp-pmda-memcache-files
basic_manifest | keep '(etc/pcp|pmdas)/mailq(/|$)' >pcp-pmda-mailq-files
basic_manifest | keep '(etc/pcp|pmdas)/mic(/|$)' >pcp-pmda-mic-files
basic_manifest | keep '(etc/pcp|pmdas)/mounts(/|$)' >pcp-pmda-mounts-files
basic_manifest | keep '(etc/pcp|pmdas)/mssql(/|$)' >pcp-pmda-mssql-files
basic_manifest | keep '(etc/pcp|pmdas|pmieconf)/mssql(/|$)' >pcp-pmda-mssql-files
basic_manifest | keep '(etc/pcp|pmdas)/mysql(/|$)' >pcp-pmda-mysql-files
basic_manifest | keep '(etc/pcp|pmdas)/named(/|$)' >pcp-pmda-named-files
basic_manifest | keep '(etc/pcp|pmdas)/netfilter(/|$)' >pcp-pmda-netfilter-files
@ -2563,6 +2563,9 @@ $1 == "d" {
if (match ($5, "'$PCP_RUN_DIR'")) {
printf ("%%%%ghost ") >> f;
}
if (match ($5, "'$PCP_VAR_DIR'/testsuite")) {
$3 = $4 = "pcpqa";
}
printf ("%%%%dir %%%%attr(%s,%s,%s) %s\n", $2, $3, $4, $5) >> f
}
$1 == "f" && $6 ~ "etc/pcp\\.conf" { printf ("%%%%config ") >> f; }
@ -2575,6 +2578,9 @@ $1 == "f" {
break;
}
}
if (match ($6, "'$PCP_VAR_DIR'/testsuite")) {
$3 = $4 = "pcpqa";
}
if (match ($6, "'$PCP_MAN_DIR'") || match ($6, "'$PCP_DOC_DIR'")) {
printf ("%%%%doc ") >> f;
}
@ -2991,11 +2997,6 @@ pmieconf -c enable dmthin
%post
PCP_PMNS_DIR=%{_pmnsdir}
PCP_LOG_DIR=%{_logsdir}
chown -R pcp:pcp %{_logsdir}/pmcd 2>/dev/null
chown -R pcp:pcp %{_logsdir}/pmlogger 2>/dev/null
chown -R pcp:pcp %{_logsdir}/sa 2>/dev/null
chown -R pcp:pcp %{_logsdir}/pmie 2>/dev/null
chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null
%{install_file "$PCP_PMNS_DIR" .NeedRebuild}
%{install_file "$PCP_LOG_DIR/pmlogger" .NeedRewrite}
%if !%{disable_systemd}
@ -3059,7 +3060,6 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null
%endif
%files testsuite -f pcp-testsuite-files.rpm
%defattr(-,pcpqa,pcpqa)
%if !%{disable_infiniband}
%files pmda-infiniband -f pcp-pmda-infiniband-files.rpm
@ -3312,6 +3312,11 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
* Thu May 06 2021 Nathan Scott <nathans@redhat.com> - 5.3.0-1
- Added conditional lockdown policy access by pmdakvm (BZ 1940971)
- Added spec file dependency on cyrus-sasl-scram (BZ 1942879)
- Update to latest PCP sources (BZ 1957575).
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.2.5-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

205
redhat-bugzilla-1926756.patch
View File

@ -1,205 +0,0 @@
commit d7679bd7cbb94692250a450bccf9f01cb982467f
Author: Mark Goodwin <mgoodwin@redhat.com>
Date: Fri Feb 12 10:12:59 2021 +1100
selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA
Add SELinux rules allowing pmcd to create, setopt, bind, getattr and
nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets.
Update qa/1622 and 917.
Resolves: RHBZ#1926756
diff --git a/qa/1622 b/qa/1622
index 83f260d6d..f62b5f89a 100755
--- a/qa/1622
+++ b/qa/1622
@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co
type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
+type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
EOF
echo "Silence is golden ... all AVC's are allowed by active policy"
diff --git a/qa/917.out.in b/qa/917.out.in
index 69c3b2d12..ddec57f9c 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -125,6 +125,7 @@ Checking policies.
allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
+ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl };
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index 30b67d907..cbfa34c14 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -118,5 +118,7 @@ endif
ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"
PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };"
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };"
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
endif
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
index e16859d7e..d04644fcb 100644
--- a/src/selinux/GNUmakefile
+++ b/src/selinux/GNUmakefile
@@ -80,6 +80,8 @@ $(IAM).te: $(IAM).te.in
-e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \
-e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \
-e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \
-e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
-e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 36a043be1..d935aee36 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -90,6 +90,7 @@ require {
@PCP_BPF_CLASS@
class system { module_request };
@PCP_NETLINK_GENERIC_SOCKET_CLASS@
+ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@
}
#============= init_t ==============
@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans };
# pmda-hacluster requirements for checking sbd
# type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1
@PCP_SBD_EXEC_RULE@
+
+#=========== pmda-sockets ============
+# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@
commit a49772607d80b25b2ae4b8764be709bb27d7e16f
Author: Mark Goodwin <mgoodwin@redhat.com>
Date: Fri Feb 12 10:09:23 2021 +1100
pmdasockets: minor changes to Install and Remove, add -U username
Specify pmns_name in Install and Remove scripts since the pmda name
differs to the namespace. Add -U username for optional use when run
as a daemon.
diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile
index 34897f2e9..a32987ef7 100644
--- a/src/pmdas/linux_sockets/GNUmakefile
+++ b/src/pmdas/linux_sockets/GNUmakefile
@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h
LLDLIBS = $(PCP_PMDALIB)
LCFLAGS = $(INVISIBILITY)
-SCRIPTS = Install Remove
+SCRIPTS = Install Remove Upgrade
VERSION_SCRIPT = exports
LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log
diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install
index 4bc934c96..28d7c7f9e 100755
--- a/src/pmdas/linux_sockets/Install
+++ b/src/pmdas/linux_sockets/Install
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/usr/bin/sh
#
# Copyright (c) 2021 Red Hat.
#
@@ -25,6 +25,8 @@ dso_opt=true
pipe_opt=false
daemon_opt=false
+pmns_name=network.persocket # differs to PMDA name
+
which ss >/dev/null 2>&1
if [ $? -ne 0 ]
then
diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove
index 26edc85aa..3fee6a0e6 100755
--- a/src/pmdas/linux_sockets/Remove
+++ b/src/pmdas/linux_sockets/Remove
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/usr/bin/sh
#
# Copyright (c) 2021 Red Hat.
#
@@ -19,6 +19,7 @@
. $PCP_SHARE_DIR/lib/pmdaproc.sh
iam=sockets
+pmns_name=network.persocket # differs to PMDA name
pmdaSetup
pmdaRemove
diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
index 9bca5d9d0..fab4be290 100644
--- a/src/pmdas/linux_sockets/pmda.c
+++ b/src/pmdas/linux_sockets/pmda.c
@@ -23,6 +23,7 @@
#include "ss_stats.h"
static int _isDSO = 1; /* for local contexts */
+static char *username;
/* metrics supported in this PMDA - see metrictab.c */
extern pmdaMetric metrictable[];
@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp)
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath);
}
+ else
+ pmSetProcessIdentity(username);
if (dp->status != 0)
return;
@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = {
PMOPT_DEBUG,
PMDAOPT_DOMAIN,
PMDAOPT_LOGFILE,
+ PMDAOPT_USERNAME,
PMOPT_HELP,
PMDA_OPTIONS_END
};
static pmdaOptions opts = {
- .short_options = "D:d:l:?",
+ .short_options = "D:d:l:U:?",
.long_options = longopts,
};
@@ -248,6 +252,7 @@ main(int argc, char **argv)
_isDSO = 0;
pmSetProgname(argv[0]);
+ pmGetUsername(&username);
pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help",
pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath);
@@ -257,6 +262,8 @@ main(int argc, char **argv)
pmdaUsageMessage(&opts);
exit(1);
}
+ if (opts.username)
+ username = opts.username;
pmdaOpenLog(&dispatch);
sockets_init(&dispatch);

24
redhat-bugzilla-1930284.patch
View File

@ -1,24 +0,0 @@
Revert upstream PCP commit e01ab96c813fa31e685ac864031d145f63162088
diff -Naurp pcp-5.2.5.orig/src/pmie/pmie.service.in pcp-5.2.5/src/pmie/pmie.service.in
--- pcp-5.2.5.orig/src/pmie/pmie.service.in 2021-02-03 09:58:14.000000000 +1100
+++ pcp-5.2.5/src/pmie/pmie.service.in 2021-02-19 10:52:20.786419561 +1100
@@ -4,6 +4,7 @@ Documentation=man:pmie(1)
After=network-online.target pmcd.service
Before=pmie_check.timer pmie_daily.timer
BindsTo=pmie_check.timer pmie_daily.timer
+Wants=pmcd.service
[Service]
Type=notify
diff -Naurp pcp-5.2.5.orig/src/pmlogger/pmlogger.service.in pcp-5.2.5/src/pmlogger/pmlogger.service.in
--- pcp-5.2.5.orig/src/pmlogger/pmlogger.service.in 2021-02-03 09:58:14.000000000 +1100
+++ pcp-5.2.5/src/pmlogger/pmlogger.service.in 2021-02-19 10:52:36.111160100 +1100
@@ -4,6 +4,7 @@ Documentation=man:pmlogger(1)
After=network-online.target pmcd.service
Before=pmlogger_check.timer pmlogger_daily.timer pmlogger_daily-poll.timer
BindsTo=pmlogger_check.timer pmlogger_daily.timer pmlogger_daily-poll.timer
+Wants=pmcd.service
[Service]
Type=notify

96
redhat-bugzilla-1940971.patch Normal file
View File

@ -0,0 +1,96 @@
commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51
Author: Nathan Scott <nathans@redhat.com>
Date: Fri Apr 30 11:25:56 2021 +1000
selinux: fix detection of lockdown policy class
Resolves Fedora BZ #1929259
diff --git a/configure b/configure
index 12fe8cde5..e6885234a 100755
--- a/configure
+++ b/configure
@@ -732,6 +732,7 @@ pcp_selinux_chkpwd_exec
pcp_selinux_security
pcp_selinux_sudo_exec
pcp_selinux_initrc_tmp
+pcp_selinux_lockdown_class
pcp_selinux_icmp_socket_class
pcp_selinux_cap2_syslog
pcp_selinux_sbd_exec
@@ -11970,6 +11971,10 @@ if test "x$enable_selinux" != "xfalse"; then :
| egrep '^[ ][ ]*(class |)icmp_socket$' >/dev/null \
&& pcp_selinux_icmp_socket_class=true
+ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
+ | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \
+ && pcp_selinux_lockdown_class=true
+
seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \
| egrep '^[ ][ ]*(class |)netlink_selinux_socket$' >/dev/null \
@@ -11987,10 +11992,6 @@ if test "x$enable_selinux" != "xfalse"; then :
| egrep '^[ ][ ]*(class |)security$' >/dev/null \
&& pcp_selinux_security_class=true
- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
- | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \
- && pcp_selinux_lockdown_class=true
-
seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \
| egrep '^[ ][ ]*(class |)dir$' >/dev/null \
&& pcp_selinux_dir_class=true
@@ -12046,6 +12047,7 @@ fi
+
pcp_selinux_files_mmap_all_files=false
diff --git a/configure.ac b/configure.ac
index aa08ea18f..dcd60b67d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2132,6 +2132,10 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
| egrep '^[[ ]][[ ]]*(class |)icmp_socket$' >/dev/null \
&& pcp_selinux_icmp_socket_class=true
+ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
+ | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
+ && pcp_selinux_lockdown_class=true
+
dnl these ones are for pcpqa.te
seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \
@@ -2150,10 +2154,6 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
| egrep '^[[ ]][[ ]]*(class |)security$' >/dev/null \
&& pcp_selinux_security_class=true
- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
- | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
- && pcp_selinux_lockdown_class=true
-
dnl pcp_selinux_dir already used for something else, so name to
dnl set is pcp_selinux_dir_class
seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \
@@ -2192,6 +2192,7 @@ AC_SUBST(pcp_selinux_proc_security)
AC_SUBST(pcp_selinux_sbd_exec)
AC_SUBST(pcp_selinux_cap2_syslog)
AC_SUBST(pcp_selinux_icmp_socket_class)
+AC_SUBST(pcp_selinux_lockdown_class)
dnl for pcpqa.te
AC_SUBST(pcp_selinux_initrc_tmp)
diff --git a/src/include/builddefs.in b/src/include/builddefs.in
index 93038f446..126fab4d3 100644
--- a/src/include/builddefs.in
+++ b/src/include/builddefs.in
@@ -282,7 +282,6 @@ PCP_SELINUX_SBD_EXEC = @pcp_selinux_sbd_exec@
PCP_SELINUX_FILES_MMAP_ALL_FILES = @pcp_selinux_files_mmap_all_files@
PCP_SELINUX_CAP2_SYSLOG = @pcp_selinux_cap2_syslog@
PCP_SELINUX_ICMP_SOCKET_CLASS = @pcp_selinux_icmp_socket_class@
-PCP_SELINUX_LOCKDOWN = @pcp_selinux_lockdown@
PCP_SELINUX_LOCKDOWN_CLASS = @pcp_selinux_lockdown_class@
# pcpqa.te
PCP_SELINUX_INITRC_TMP = @pcp_selinux_initrc_tmp@

2
sources
View File

@ -1 +1 @@
SHA512 (pcp-5.2.5.src.tar.gz) = c1280214b7783b0dcbe354c2a7da47819a4b0c9f16a262c1bb0c279d79bf2d80f0000efd56d5855479286c0179d81e022a94b8ea91fd2e61302d514914db90e5
SHA512 (pcp-5.3.0.src.tar.gz) = d3f61315adb7d112357736537941690f4ceb11cd6158accb8973af542ca673bdc5ed7281d93b0bf88f6af01cc85d2e075261123576dae370c036ff8d493d8b1c