import pcp-5.3.7-9.el8

2022-09-23 16:17:11 +00:00 · 2022-09-23 16:17:11 +00:00 · e4670d620f
parent f4a2603942
commit e4670d620f
4 changed files with 316 additions and 1 deletions
--- a/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
+++ b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
@ -0,0 +1,66 @@
+From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
+From: Andreas Gerstmayr <agerstmayr@redhat.com>
+Date: Fri, 13 May 2022 13:47:50 +0200
+Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
+ created by ctypes/libffi (#1593)
+
+Resolves the following AVC:
+
+    type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+---
+ qa/1622                       | 1 +
+ qa/917.out.in                 | 1 +
+ src/selinux/pcpupstream.te.in | 7 +++++++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/qa/1622 b/qa/1622
+index be7987e225..03ecc4eb42 100755
+--- a/qa/1622
+++ b/qa/1622
+@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc:  denied  { execute } for  pid=8656 comm="sh" na
+ type=AVC msg=audit(YYY.25): avc:  denied  { read } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.26): avc:  denied  { open } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+ # matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
+ #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 3bd1dc15e0..8b92c0c5ff 100644
+--- a/qa/917.out.in
+++ b/qa/917.out.in
+@@ -40,6 +40,7 @@ Checking policies.
+   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
+ ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
+   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
+  allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+ ! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 673b178413..2c15c61ba3 100644
+--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
+@@ -39,6 +39,7 @@ require {
+ 	type pcp_pmlogger_t;
+ 	type pcp_pmproxy_t;
+ 	type pcp_tmp_t;
+	type pcp_tmpfs_t;
+ 	type pcp_var_lib_t;
+ 	type ping_exec_t; # pmda.netcheck
+ 	type postgresql_var_run_t;
+@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
+ #type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
+ 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+#type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
+# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
+can_exec(pcp_pmcd_t, pcp_tmpfs_t)
+
+ # pmda.perfevent
+ #type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+ #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
--- a/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
+++ b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
@ -0,0 +1,135 @@
+commit 55e8c83ee5920ab30644f54f7a525255b1de4b84
+Author: Nathan Scott <nathans@redhat.com>
+Date:   Mon Aug 29 14:25:03 2022 +1000
+
+    docs: describe working sudoers configuration with requiretty
+    
+    When /etc/sudoers is configured with 'Defaults requiretty',
+    pmlogctl cannot invoke pmlogger_check in the normal fashion.
+    Symptoms of the problem are the following system log message:
+    
+    pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo
+    
+    pmiectl and pmie_check are similarly affected.  The simplest
+    solution is to add an additional configuration line excluding
+    these commands from requiring a tty; this is the approach now
+    documented.
+    
+    Note these PCP commands are not interactive (require no tty)
+    and the unprivileged 'pcp' account uses nologin(8) as a shell
+    anyway, so requiretty offers no advantages here.  Note also
+    there's debate about whether requiretty is a useful security
+    measure in general as it can be trivially bypassed; further
+    details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147
+    
+    Resolves Red Hat BZ #2093751
+
+diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1
+--- pcp-5.3.7.orig/man/man1/pmie_check.1	2021-11-04 08:26:15.000000000 +1100
+++ pcp-5.3.7/man/man1/pmie_check.1	2022-08-31 11:17:52.362276530 +1000
+@@ -406,6 +406,42 @@ no
+ entries are needed as the timer mechanism provided by
+ .B systemd
+ is used instead.
+.PP
+The
+.BR pmiectl (1)
+utility may invoke
+.B pmie_check
+using the
+.BR sudo (1)
+command to run it under the $PCP_USER ``pcp'' account.
+If
+.B sudo
+is configured with the non-default
+.I requiretty
+option (see below),
+.B pmie_check
+may fail to run due to not having a tty configured.
+This issue can be resolved by adding a second line
+(expand $PCP_BINADM_DIR according to your platform)
+to the
+.I /etc/sudoers
+configuration file as follows:
+.P
+.ft CW
+.nf
+.in +0.5i
+Defaults requiretty
+Defaults!$PCP_BINADM_DIR/pmie_check !requiretty
+.in
+.fi
+.ft 1
+.P
+Note that the unprivileged PCP account under which these
+commands run uses
+.I /sbin/nologin
+as the shell, so the
+.I requiretty
+option is ineffective here and safe to disable in this way.
+ .SH FILES
+ .TP 5
+ .I $PCP_PMIECONTROL_PATH
+diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1
+--- pcp-5.3.7.orig/man/man1/pmlogger_check.1	2022-04-05 09:05:43.000000000 +1000
+++ pcp-5.3.7/man/man1/pmlogger_check.1	2022-08-31 11:20:52.470086724 +1000
+@@ -830,6 +830,42 @@ no
+ entries are needed as the timer mechanism provided by
+ .B systemd
+ is used instead.
+.PP
+The
+.BR pmlogctl (1)
+utility may invoke
+.B pmlogger_check
+using the
+.BR sudo (1)
+command to run it under the $PCP_USER ``pcp'' account.
+If
+.B sudo
+is configured with the non-default
+.I requiretty
+option (see below),
+.B pmlogger_check
+may fail to run due to not having a tty configured.
+This issue can be resolved by adding a second line
+(expand $PCP_BINADM_DIR according to your platform)
+to the
+.I /etc/sudoers
+configuration file as follows:
+.P
+.ft CW
+.nf
+.in +0.5i
+Defaults requiretty
+Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty
+.in
+.fi
+.ft 1
+.P
+Note that the unprivileged PCP account under which these
+commands run uses
+.I /sbin/nologin
+as the shell, so the
+.I requiretty 
+option is ineffective here and safe to disable in this way.
+ .SH FILES
+ .TP 5
+ .I $PCP_PMLOGGERCONTROL_PATH
+@@ -926,7 +962,7 @@ instances for
+ .I hostname
+ have been launched in the interim.
+ Because the cron-driven PCP archive management scripts run under
+-the uid of the user ``pcp'',
+the $PCP_USER account ``pcp'',
+ .BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs
+ typically needs to be owned by the user ``pcp''.
+ .TP
+@@ -994,6 +1030,7 @@ platforms.
+ .BR pmlogmv (1),
+ .BR pmlogrewrite (1),
+ .BR pmsocks (1),
+.BR sudo (1),
+ .BR systemd (1),
+ .BR xz (1)
+ and
--- a/SOURCES/redhat-bugzilla-2101574-farm-config.patch
+++ b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
@ -0,0 +1,103 @@
+From 73c024c64f7db68fdcd224c27c1711fa6dd1d254 Mon Sep 17 00:00:00 2001
+From: Nathan Scott <nathans@redhat.com>
+Date: Tue, 28 Jun 2022 10:06:06 +1000
+Subject: [PATCH] pmlogger_farm: add default configuration file for farm
+ loggers
+
+Provide a mechanism whereby the farm loggers can be configured.
+There has been reluctance in the past to sharing configuration
+of the local primary logger, so these are now done separately.
+Makes sense to me as the primary pmlogger may need to use more
+frequent sampling, may not want to allow remote pmlc, etc.
+
+Resolves Red Hat BZ #2101574
+---
+ src/pmlogger/GNUmakefile            |  1 +
+ src/pmlogger/pmlogger.defaults      |  2 ++
+ src/pmlogger/pmlogger_check.sh      |  5 +++--
+ src/pmlogger/pmlogger_farm.defaults | 27 +++++++++++++++++++++++++++
+ 4 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 src/pmlogger/pmlogger_farm.defaults
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/GNUmakefile pcp-5.3.7/src/pmlogger/GNUmakefile
+--- pcp-5.3.7.orig/src/pmlogger/GNUmakefile	2022-02-02 11:53:05.000000000 +1100
+++ pcp-5.3.7/src/pmlogger/GNUmakefile	2022-08-31 11:23:08.758672970 +1000
+@@ -45,6 +45,7 @@ install:: $(SUBDIRS)
+ 
+ install:: default
+ 	$(INSTALL) -m 775 -o $(PCP_USER) -g $(PCP_GROUP) -d $(PCP_VAR_DIR)/config/pmlogger
+	$(INSTALL) -m 644 pmlogger_farm.defaults $(PCP_SYSCONFIG_DIR)/pmlogger_farm
+ 	$(INSTALL) -m 644 pmlogger.defaults $(PCP_SYSCONFIG_DIR)/pmlogger
+ 	$(INSTALL) -m 755 -d $(PCP_SHARE_DIR)/zeroconf
+ 	$(INSTALL) -m 644 pmlogger.zeroconf $(PCP_SHARE_DIR)/zeroconf/pmlogger
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh pcp-5.3.7/src/pmlogger/pmlogger_check.sh
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh	2022-04-05 09:05:43.000000000 +1000
+++ pcp-5.3.7/src/pmlogger/pmlogger_check.sh	2022-08-31 11:23:08.758672970 +1000
+@@ -1,6 +1,6 @@
+ #! /bin/sh
+ #
+-# Copyright (c) 2013-2016,2018,2020-2021 Red Hat.
+# Copyright (c) 2013-2016,2018,2020-2022 Red Hat.
+ # Copyright (c) 1995-2000,2003 Silicon Graphics, Inc.  All Rights Reserved.
+ #
+ # This program is free software; you can redistribute it and/or modify it
+@@ -24,6 +24,7 @@
+ PMLOGGER="$PCP_BINADM_DIR/pmlogger"
+ PMLOGCONF="$PCP_BINADM_DIR/pmlogconf"
+ PMLOGGERENVS="$PCP_SYSCONFIG_DIR/pmlogger"
+PMLOGGERFARMENVS="$PCP_SYSCONFIG_DIR/pmlogger_farm"
+ PMLOGGERZEROCONFENVS="$PCP_SHARE_DIR/zeroconf/pmlogger"
+ 
+ # error messages should go to stderr, not the GUI notifiers
+@@ -972,8 +973,8 @@ END				{ print m }'`
+ 		    continue
+ 		fi
+ 	    else
+		envs=`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null`
+ 		args="-h $host $args"
+-		envs=""
+ 		iam=""
+ 	    fi
+ 
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults pcp-5.3.7/src/pmlogger/pmlogger.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults	2022-02-03 16:11:40.000000000 +1100
+++ pcp-5.3.7/src/pmlogger/pmlogger.defaults	2022-08-31 11:23:08.758672970 +1000
+@@ -1,5 +1,7 @@
+ # Environment variables for the primary pmlogger daemon.  See also
+ # the pmlogger control file and pmlogconf(1) for additional details.
+# Also see separate pmlogger_farm configuration for the non-primary
+# logger configuration settings, separate to this file.
+ # Settings defined in this file will override any settings in the
+ # pmlogger zeroconf file (if present).
+ 
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults	1970-01-01 10:00:00.000000000 +1000
+++ pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults	2022-08-31 11:23:08.758672970 +1000
+@@ -0,0 +1,27 @@
+# Environment variables for the pmlogger farm daemons.  See also
+# pmlogger control file(s) and pmlogconf(1) for additional details.
+# Also see separate pmlogger configuration for the primary logger
+# configuration settings, separate to this file.
+
+# Behaviour regarding listening on external-facing interfaces;
+# unset PMLOGGER_LOCAL to allow connections from remote hosts.
+# A value of 0 permits remote connections, 1 permits local only.
+# PMLOGGER_LOCAL=1
+
+# Max length to which the queue of pending connections may grow
+# A value of 5 is the default.
+# PMLOGGER_MAXPENDING=5
+
+# Default sampling interval pmlogger uses when no more specific
+# interval is requested.  A value of 60 seconds is the default.
+# Both pmlogger command line (via control file) and also pmlogger
+# configuration file directives will override this value.
+# PMLOGGER_INTERVAL=60
+
+# The default behaviour, when pmlogger configuration comes from
+# pmlogconf(1), is to regenerate the configuration file and check for
+# changes whenever pmlogger is started from pmlogger_check(1).
+# If the PMDA configuration is stable, this is not necessary, and
+# setting PMLOGGER_CHECK_SKIP_LOGCONF to yes disables the regeneration
+# and checking.
+# PMLOGGER_CHECK_SKIP_LOGCONF=yes
--- a/SPECS/pcp.spec
+++ b/SPECS/pcp.spec
@ -1,6 +1,6 @@
 Name:    pcp
 Version: 5.3.7
-Release: 7%{?dist}
+Release: 9%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io
@ -12,6 +12,9 @@ Patch1:  redhat-bugzilla-1981886-pmdasockets-backporting.patch
 Patch2:  redhat-bugzilla-2059461-pmie-systemd-fixup.patch
 Patch3:  redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch
 Patch4:  redhat-bugzilla-2059463-pmdapostfix-harden.patch
+Patch5:  redhat-bugzilla-2050094-bcc-selinux.patch
+Patch6:  redhat-bugzilla-2093751-sudoers-docs.patch
+Patch7:  redhat-bugzilla-2101574-farm-config.patch

 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@ -2295,6 +2298,9 @@ updated policy package.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1

 %build
 # the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step)
@ -3352,6 +3358,11 @@ PCP_LOG_DIR=%{_logsdir}
 %files zeroconf -f pcp-zeroconf-files.rpm

 %changelog
+* Mon Sep 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-9
+- Additional selinux policy rules for pmdabcc (BZ 2050094)
+- Describe working sudoers requiretty configuration (BZ 2093751)
+- Separate pmlogger_farm configuration mechanism (BZ 2101574)
+
 * Mon May 09 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-7
 - Additional selinux policy rules for pmdasockets (BZ 1981886)