From cca1c17b35325422b7e0fb40d614cef178c2cc6b Mon Sep 17 00:00:00 2001 From: Nathan Scott Date: Thu, 6 May 2021 15:15:30 +1000 Subject: [PATCH] Update 9.0-beta to pcp-5.3.0 with selinux and a spec patch. Resolves: rhbz#1957575 Resolves: rhbz#1940971 Resolves: rhbz#1942879 --- pcp.spec | 59 +++++----- redhat-bugzilla-1926756.patch | 205 ---------------------------------- redhat-bugzilla-1930284.patch | 24 ---- redhat-bugzilla-1940971.patch | 96 ++++++++++++++++ sources | 2 +- 5 files changed, 129 insertions(+), 257 deletions(-) delete mode 100644 redhat-bugzilla-1926756.patch delete mode 100644 redhat-bugzilla-1930284.patch create mode 100644 redhat-bugzilla-1940971.patch diff --git a/pcp.spec b/pcp.spec index cb046e8..817ffd7 100644 --- a/pcp.spec +++ b/pcp.spec @@ -1,15 +1,14 @@ Name: pcp -Version: 5.2.5 -Release: 5%{?dist} +Version: 5.3.0 +Release: 1%{?dist} Summary: System-level performance monitoring and performance management License: GPLv2+ and LGPLv2+ and CC-BY URL: https://pcp.io -%global bintray https://bintray.com/artifact/download -Source0: %{bintray}/pcp/source/pcp-%{version}.src.tar.gz +%global artifactory https://performancecopilot.jfrog.io/artifactory +Source0: %{artifactory}/pcp-source-release/pcp-%{version}.src.tar.gz -Patch000: redhat-bugzilla-1926756.patch -Patch001: redhat-bugzilla-1930284.patch +Patch000: redhat-bugzilla-1940971.patch %if 0%{?fedora} >= 26 || 0%{?rhel} > 7 %global __python2 python2 
@@ -211,6 +210,16 @@ Provides: pcp-webapi = %{version}-%{release} Obsoletes: pcp-manager-debuginfo < 5.2.0 Obsoletes: pcp-manager < 5.2.0 +# Some older releases did not update or replace pcp-gui-debuginfo properly +%if 0%{?fedora} < 27 && 0%{?rhel} <= 7 && "%{_vendor}" == "redhat" +Obsoletes: pcp-gui-debuginfo < 4.1.1 +%endif + +Obsoletes: pcp-compat < 4.2.0 +Obsoletes: pcp-monitor < 4.2.0 +Obsoletes: pcp-collector < 4.2.0 +Obsoletes: pcp-pmda-nvidia < 3.10.5 + # https://fedoraproject.org/wiki/Packaging "C and C++" BuildRequires: make BuildRequires: gcc gcc-c++ @@ -261,7 +270,8 @@ BuildRequires: perl-generators %endif BuildRequires: perl-devel perl(strict) BuildRequires: perl(ExtUtils::MakeMaker) perl(LWP::UserAgent) perl(JSON) -BuildRequires: perl(LWP::UserAgent) perl(Time::HiRes) perl(Digest::MD5) +BuildRequires: perl(Time::HiRes) perl(Digest::MD5) +BuildRequires: perl(XML::LibXML) perl(File::Slurp) BuildRequires: man %{_hostname_executable} %if !%{disable_systemd} BuildRequires: systemd-devel systemd-rpm-macros @@ -277,23 +287,14 @@ BuildRequires: qt5-qtsvg-devel %endif Requires: bash xz gawk sed grep findutils which %{_hostname_executable} +%if 0%{?rhel} > 8 +Requires: cyrus-sasl-scram +%endif Requires: pcp-libs = %{version}-%{release} %if !%{disable_selinux} Requires: pcp-selinux = %{version}-%{release} %endif -# Some older releases did not update or replace pcp-gui-debuginfo properly -%if 0%{?fedora} < 27 && 0%{?rhel} <= 7 && "%{_vendor}" == "redhat" -Obsoletes: pcp-gui-debuginfo < 4.1.1 -%endif - -Obsoletes: pcp-compat < 4.2.0 -Obsoletes: pcp-monitor < 4.2.0 -Obsoletes: pcp-collector < 4.2.0 -Obsoletes: pcp-pmda-nvidia < 3.10.5 - -Requires: pcp-libs = %{version}-%{release} - %global _confdir %{_sysconfdir}/pcp %global _logsdir %{_localstatedir}/log/pcp %global _pmnsdir %{_localstatedir}/lib/pcp/pmns @@ -2250,7 +2251,6 @@ updated policy package. %prep %setup -q %patch000 -p1 -%patch001 -p1 %build # fix up build version 
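Review bot: The new `Requires: cyrus-sasl-scram` in the `@@ -277,23 +287,14 @@` hunk has no comment saying why the base package needs it, and the `%if 0%{?rhel} > 8` guard leaves every other build target without the dependency. I would add a line above the conditional such as `# SCRAM mechanism plugin for SASL authentication (BZ 1942879)`, taking the bug number from the changelog entry in this commit. If the guard is deliberately RHEL-9-only, say so in the same comment. If SCRAM authentication is expected to work on other targets too, the condition presumably needs widening.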
@@ -2448,7 +2448,7 @@ basic_manifest | keep '(etc/pcp|pmdas)/memcache(/|$)' >pcp-pmda-memcache-files basic_manifest | keep '(etc/pcp|pmdas)/mailq(/|$)' >pcp-pmda-mailq-files basic_manifest | keep '(etc/pcp|pmdas)/mic(/|$)' >pcp-pmda-mic-files basic_manifest | keep '(etc/pcp|pmdas)/mounts(/|$)' >pcp-pmda-mounts-files -basic_manifest | keep '(etc/pcp|pmdas)/mssql(/|$)' >pcp-pmda-mssql-files +basic_manifest | keep '(etc/pcp|pmdas|pmieconf)/mssql(/|$)' >pcp-pmda-mssql-files basic_manifest | keep '(etc/pcp|pmdas)/mysql(/|$)' >pcp-pmda-mysql-files basic_manifest | keep '(etc/pcp|pmdas)/named(/|$)' >pcp-pmda-named-files basic_manifest | keep '(etc/pcp|pmdas)/netfilter(/|$)' >pcp-pmda-netfilter-files @@ -2563,6 +2563,9 @@ $1 == "d" { if (match ($5, "'$PCP_RUN_DIR'")) { printf ("%%%%ghost ") >> f; } + if (match ($5, "'$PCP_VAR_DIR'/testsuite")) { + $3 = $4 = "pcpqa"; + } printf ("%%%%dir %%%%attr(%s,%s,%s) %s\n", $2, $3, $4, $5) >> f } $1 == "f" && $6 ~ "etc/pcp\\.conf" { printf ("%%%%config ") >> f; } @@ -2575,6 +2578,9 @@ $1 == "f" { break; } } + if (match ($6, "'$PCP_VAR_DIR'/testsuite")) { + $3 = $4 = "pcpqa"; + } if (match ($6, "'$PCP_MAN_DIR'") || match ($6, "'$PCP_DOC_DIR'")) { printf ("%%%%doc ") >> f; } @@ -2991,11 +2997,6 @@ pmieconf -c enable dmthin %post PCP_PMNS_DIR=%{_pmnsdir} PCP_LOG_DIR=%{_logsdir} -chown -R pcp:pcp %{_logsdir}/pmcd 2>/dev/null -chown -R pcp:pcp %{_logsdir}/pmlogger 2>/dev/null -chown -R pcp:pcp %{_logsdir}/sa 2>/dev/null -chown -R pcp:pcp %{_logsdir}/pmie 2>/dev/null -chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null %{install_file "$PCP_PMNS_DIR" .NeedRebuild} %{install_file "$PCP_LOG_DIR/pmlogger" .NeedRewrite} %if !%{disable_systemd} @@ -3059,7 +3060,6 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null %endif %files testsuite -f pcp-testsuite-files.rpm -%defattr(-,pcpqa,pcpqa) %if !%{disable_infiniband} %files pmda-infiniband -f pcp-pmda-infiniband-files.rpm 
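Review bot: The ownership override added in the `@@ -2563,6 +2563,9 @@` hunk uses `match ($5, "'$PCP_VAR_DIR'/testsuite")`, which is an unanchored regular-expression match, so any manifest path that merely contains that string (for example a sibling directory whose name starts with `testsuite`) would also be packaged as owned by `pcpqa`. Since this test decides which account owns installed files, I would anchor it: `if (match ($5, "^'$PCP_VAR_DIR'/testsuite(/|$)")) {`. The same applies to the `$6` test in the `@@ -2575,6 +2578,9 @@` hunk. This assumes the manifest paths are absolute, which the hunks do not show; both awk rules begin and end outside the hunks.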
@@ -3312,6 +3312,11 @@ chown -R pcp:pcp %{_logsdir}/pmproxy 2>/dev/null %files zeroconf -f pcp-zeroconf-files.rpm %changelog +* Thu May 06 2021 Nathan Scott - 5.3.0-1 +- Added conditional lockdown policy access by pmdakvm (BZ 1940971) +- Added spec file dependency on cyrus-sasl-scram (BZ 1942879) +- Update to latest PCP sources (BZ 1957575). + * Fri Apr 16 2021 Mohan Boddu - 5.2.5-5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 diff --git a/redhat-bugzilla-1926756.patch b/redhat-bugzilla-1926756.patch deleted file mode 100644 index 779923d..0000000 --- a/redhat-bugzilla-1926756.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -commit d7679bd7cbb94692250a450bccf9f01cb982467f -Author: Mark Goodwin -Date: Fri Feb 12 10:12:59 2021 +1100 - - selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA - - Add SELinux rules allowing pmcd to create, setopt, bind, getattr and - nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets. - - Update qa/1622 and 917. - - Resolves: RHBZ#1926756 - -diff --git a/qa/1622 b/qa/1622 -index 83f260d6d..f62b5f89a 100755 ---- a/qa/1622 -+++ b/qa/1622 -@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co - type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0 - type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0 - type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 -+type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 
tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 - EOF - - echo "Silence is golden ... all AVC's are allowed by active policy" -diff --git a/qa/917.out.in b/qa/917.out.in -index 69c3b2d12..ddec57f9c 100644 ---- a/qa/917.out.in -+++ b/qa/917.out.in -@@ -125,6 +125,7 @@ Checking policies. - allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans }; - allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read }; - allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans }; -+ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt }; - allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl }; - allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read }; - allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl }; -diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs -index 30b67d907..cbfa34c14 100644 ---- a/src/selinux/GNUlocaldefs -+++ b/src/selinux/GNUlocaldefs -@@ -118,5 +118,7 @@ endif - - ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true" - PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };" -+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" - PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };" -+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };" - endif -diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile -index e16859d7e..d04644fcb 100644 ---- a/src/selinux/GNUmakefile -+++ b/src/selinux/GNUmakefile -@@ -80,6 
+80,8 @@ $(IAM).te: $(IAM).te.in - -e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \ - -e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \ - -e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \ -+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \ -+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \ - -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \ - -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \ - -diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in -index 36a043be1..d935aee36 100644 ---- a/src/selinux/pcpupstream.te.in -+++ b/src/selinux/pcpupstream.te.in -@@ -90,6 +90,7 @@ require { - @PCP_BPF_CLASS@ - class system { module_request }; - @PCP_NETLINK_GENERIC_SOCKET_CLASS@ -+ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@ - } - - #============= init_t ============== -@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans }; - # pmda-hacluster requirements for checking sbd - # type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1 - @PCP_SBD_EXEC_RULE@ -+ -+#=========== pmda-sockets ============ -+# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+# type=AVC 
msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1 -+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@ - -commit a49772607d80b25b2ae4b8764be709bb27d7e16f -Author: Mark Goodwin -Date: Fri Feb 12 10:09:23 2021 +1100 - - pmdasockets: minor changes to Install and Remove, add -U username - - Specify pmns_name in Install and Remove scripts since the pmda name - differs to the namespace. Add -U username for optional use when run - as a daemon. - -diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile -index 34897f2e9..a32987ef7 100644 ---- a/src/pmdas/linux_sockets/GNUmakefile -+++ b/src/pmdas/linux_sockets/GNUmakefile -@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h - LLDLIBS = $(PCP_PMDALIB) - LCFLAGS = $(INVISIBILITY) - --SCRIPTS = Install Remove -+SCRIPTS = Install Remove Upgrade - VERSION_SCRIPT = exports - LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log - -diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install -index 4bc934c96..28d7c7f9e 100755 ---- a/src/pmdas/linux_sockets/Install -+++ b/src/pmdas/linux_sockets/Install -@@ -1,4 +1,4 @@ --#! /bin/sh -+#!/usr/bin/sh - # - # Copyright (c) 2021 Red Hat. - # -@@ -25,6 +25,8 @@ dso_opt=true - pipe_opt=false - daemon_opt=false - -+pmns_name=network.persocket # differs to PMDA name -+ - which ss >/dev/null 2>&1 - if [ $? -ne 0 ] - then -diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove -index 26edc85aa..3fee6a0e6 100755 ---- a/src/pmdas/linux_sockets/Remove -+++ b/src/pmdas/linux_sockets/Remove -@@ -1,4 +1,4 @@ --#! /bin/sh -+#!/usr/bin/sh - # - # Copyright (c) 2021 Red Hat. - # -@@ -19,6 +19,7 @@ - . 
$PCP_SHARE_DIR/lib/pmdaproc.sh - - iam=sockets -+pmns_name=network.persocket # differs to PMDA name - - pmdaSetup - pmdaRemove -diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c -index 9bca5d9d0..fab4be290 100644 ---- a/src/pmdas/linux_sockets/pmda.c -+++ b/src/pmdas/linux_sockets/pmda.c -@@ -23,6 +23,7 @@ - #include "ss_stats.h" - - static int _isDSO = 1; /* for local contexts */ -+static char *username; - - /* metrics supported in this PMDA - see metrictab.c */ - extern pmdaMetric metrictable[]; -@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp) - pmGetConfig("PCP_PMDAS_DIR"), sep, sep); - pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath); - } -+ else -+ pmSetProcessIdentity(username); - - if (dp->status != 0) - return; -@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = { - PMOPT_DEBUG, - PMDAOPT_DOMAIN, - PMDAOPT_LOGFILE, -+ PMDAOPT_USERNAME, - PMOPT_HELP, - PMDA_OPTIONS_END - }; - - static pmdaOptions opts = { -- .short_options = "D:d:l:?", -+ .short_options = "D:d:l:U:?", - .long_options = longopts, - }; - -@@ -248,6 +252,7 @@ main(int argc, char **argv) - - _isDSO = 0; - pmSetProgname(argv[0]); -+ pmGetUsername(&username); - pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help", - pmGetConfig("PCP_PMDAS_DIR"), sep, sep); - pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath); -@@ -257,6 +262,8 @@ main(int argc, char **argv) - pmdaUsageMessage(&opts); - exit(1); - } -+ if (opts.username) -+ username = opts.username; - - pmdaOpenLog(&dispatch); - sockets_init(&dispatch); - diff --git a/redhat-bugzilla-1930284.patch b/redhat-bugzilla-1930284.patch deleted file mode 100644 index 4b08e71..0000000 --- a/redhat-bugzilla-1930284.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Revert upstream PCP commit e01ab96c813fa31e685ac864031d145f63162088 - -diff -Naurp pcp-5.2.5.orig/src/pmie/pmie.service.in pcp-5.2.5/src/pmie/pmie.service.in ---- pcp-5.2.5.orig/src/pmie/pmie.service.in 2021-02-03 09:58:14.000000000 +1100 -+++ pcp-5.2.5/src/pmie/pmie.service.in 2021-02-19 10:52:20.786419561 +1100 -@@ -4,6 +4,7 @@ Documentation=man:pmie(1) - After=network-online.target pmcd.service - Before=pmie_check.timer pmie_daily.timer - BindsTo=pmie_check.timer pmie_daily.timer -+Wants=pmcd.service - - [Service] - Type=notify -diff -Naurp pcp-5.2.5.orig/src/pmlogger/pmlogger.service.in pcp-5.2.5/src/pmlogger/pmlogger.service.in ---- pcp-5.2.5.orig/src/pmlogger/pmlogger.service.in 2021-02-03 09:58:14.000000000 +1100 -+++ pcp-5.2.5/src/pmlogger/pmlogger.service.in 2021-02-19 10:52:36.111160100 +1100 -@@ -4,6 +4,7 @@ Documentation=man:pmlogger(1) - After=network-online.target pmcd.service - Before=pmlogger_check.timer pmlogger_daily.timer pmlogger_daily-poll.timer - BindsTo=pmlogger_check.timer pmlogger_daily.timer pmlogger_daily-poll.timer -+Wants=pmcd.service - - [Service] - Type=notify diff --git a/redhat-bugzilla-1940971.patch b/redhat-bugzilla-1940971.patch new file mode 100644 index 0000000..974063d --- /dev/null +++ b/redhat-bugzilla-1940971.patch 
@@ -0,0 +1,96 @@ +commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51 +Author: Nathan Scott +Date: Fri Apr 30 11:25:56 2021 +1000 + + selinux: fix detection of lockdown policy class + + Resolves Fedora BZ #1929259 + +diff --git a/configure b/configure +index 12fe8cde5..e6885234a 100755 +--- a/configure ++++ b/configure +@@ -732,6 +732,7 @@ pcp_selinux_chkpwd_exec + pcp_selinux_security + pcp_selinux_sudo_exec + pcp_selinux_initrc_tmp ++pcp_selinux_lockdown_class + pcp_selinux_icmp_socket_class + pcp_selinux_cap2_syslog + pcp_selinux_sbd_exec +@@ -11970,6 +11971,10 @@ if test "x$enable_selinux" != "xfalse"; then : + | egrep '^[ ][ ]*(class |)icmp_socket$' >/dev/null \ + && pcp_selinux_icmp_socket_class=true + ++ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ ++ | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \ ++ && pcp_selinux_lockdown_class=true ++ + + seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \ + | egrep '^[ ][ ]*(class |)netlink_selinux_socket$' >/dev/null \ +@@ -11987,10 +11992,6 @@ if test "x$enable_selinux" != "xfalse"; then : + | egrep '^[ ][ ]*(class |)security$' >/dev/null \ + && pcp_selinux_security_class=true + +- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ +- | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \ +- && pcp_selinux_lockdown_class=true +- + seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \ + | egrep '^[ ][ ]*(class |)dir$' >/dev/null \ + && pcp_selinux_dir_class=true +@@ -12046,6 +12047,7 @@ fi + + + ++ + + + pcp_selinux_files_mmap_all_files=false +diff --git a/configure.ac b/configure.ac +index aa08ea18f..dcd60b67d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2132,6 +2132,10 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [ + | egrep '^[[ ]][[ ]]*(class |)icmp_socket$' >/dev/null \ + && pcp_selinux_icmp_socket_class=true + ++ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ ++ | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \ ++ && 
pcp_selinux_lockdown_class=true ++ + dnl these ones are for pcpqa.te + + seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \ +@@ -2150,10 +2154,6 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [ + | egrep '^[[ ]][[ ]]*(class |)security$' >/dev/null \ + && pcp_selinux_security_class=true + +- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \ +- | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \ +- && pcp_selinux_lockdown_class=true +- + dnl pcp_selinux_dir already used for something else, so name to + dnl set is pcp_selinux_dir_class + seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \ +@@ -2192,6 +2192,7 @@ AC_SUBST(pcp_selinux_proc_security) + AC_SUBST(pcp_selinux_sbd_exec) + AC_SUBST(pcp_selinux_cap2_syslog) + AC_SUBST(pcp_selinux_icmp_socket_class) ++AC_SUBST(pcp_selinux_lockdown_class) + + dnl for pcpqa.te + AC_SUBST(pcp_selinux_initrc_tmp) +diff --git a/src/include/builddefs.in b/src/include/builddefs.in +index 93038f446..126fab4d3 100644 +--- a/src/include/builddefs.in ++++ b/src/include/builddefs.in +@@ -282,7 +282,6 @@ PCP_SELINUX_SBD_EXEC = @pcp_selinux_sbd_exec@ + PCP_SELINUX_FILES_MMAP_ALL_FILES = @pcp_selinux_files_mmap_all_files@ + PCP_SELINUX_CAP2_SYSLOG = @pcp_selinux_cap2_syslog@ + PCP_SELINUX_ICMP_SOCKET_CLASS = @pcp_selinux_icmp_socket_class@ +-PCP_SELINUX_LOCKDOWN = @pcp_selinux_lockdown@ + PCP_SELINUX_LOCKDOWN_CLASS = @pcp_selinux_lockdown_class@ + # pcpqa.te + PCP_SELINUX_INITRC_TMP = @pcp_selinux_initrc_tmp@ diff --git a/sources b/sources index ac3446f..7714851 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pcp-5.2.5.src.tar.gz) = c1280214b7783b0dcbe354c2a7da47819a4b0c9f16a262c1bb0c279d79bf2d80f0000efd56d5855479286c0179d81e022a94b8ea91fd2e61302d514914db90e5 +SHA512 (pcp-5.3.0.src.tar.gz) = d3f61315adb7d112357736537941690f4ceb11cd6158accb8973af542ca673bdc5ed7281d93b0bf88f6af01cc85d2e075261123576dae370c036ff8d493d8b1c
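Review bot: In the new `redhat-bugzilla-1940971.patch`, the relocated `seinfo -x --class=lockdown` probe only ever assigns `pcp_selinux_lockdown_class=true`, and no default is visible in the patched hunks of `configure` or `configure.ac`. If none exists outside the hunks, the newly added `AC_SUBST(pcp_selinux_lockdown_class)` substitutes an empty string when the class is absent or `seinfo` fails (its stderr is discarded), and a variable of that name inherited from the environment could leak into the build. Setting `pcp_selinux_lockdown_class=false` ahead of the `AS_IF` block, in both files, would make the result explicit. The probe also reflects the SELinux policy of the build host rather than the install target, which deserves a short `dnl` comment next to it.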