import pcp-5.3.7-9.el8
This commit is contained in:
parent
f4a2603942
commit
e4670d620f
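--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2050094-bcc-selinux.patch
@@ -0,0 +1,66 @@
+From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
+From: Andreas Gerstmayr <agerstmayr@redhat.com>
+Date: Fri, 13 May 2022 13:47:50 +0200
+Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
+created by ctypes/libffi (#1593)
+
+Resolves the following AVC:
+
+type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+---
+qa/1622 | 1 +
+qa/917.out.in | 1 +
+src/selinux/pcpupstream.te.in | 7 +++++++
+3 files changed, 9 insertions(+)
+
+diff --git a/qa/1622 b/qa/1622
+index be7987e225..03ecc4eb42 100755
+--- a/qa/1622
++++ b/qa/1622
+@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" na
+type=AVC msg=audit(YYY.25): avc: denied { read } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.26): avc: denied { open } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
++type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+# matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
+#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+diff --git a/qa/917.out.in b/qa/917.out.in
+index 3bd1dc15e0..8b92c0c5ff 100644
+--- a/qa/917.out.in
++++ b/qa/917.out.in
+@@ -40,6 +40,7 @@ Checking policies.
+allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
+! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
+allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
++ allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
+! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
+! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
+! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 673b178413..2c15c61ba3 100644
+--- a/src/selinux/pcpupstream.te.in
++++ b/src/selinux/pcpupstream.te.in
+@@ -39,6 +39,7 @@ require {
+type pcp_pmlogger_t;
+type pcp_pmproxy_t;
+type pcp_tmp_t;
++ type pcp_tmpfs_t;
+type pcp_var_lib_t;
+type ping_exec_t; # pmda.netcheck
+type postgresql_var_run_t;
+@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
+#type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
+
++# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
++#type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
++# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
++# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
++can_exec(pcp_pmcd_t, pcp_tmpfs_t)
++
+# pmda.perfevent
+#type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
+#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0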
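Review bot: `can_exec(pcp_pmcd_t, pcp_tmpfs_t)` in the pcpupstream.te.in hunk is far broader than the single AVC it resolves: the qa/917.out.in expectation it adds shows pcp_pmcd_t gaining `execute execute_no_trans getattr ioctl lock map open read` on every pcp_tmpfs_t file, not just libffi's anonymous memfd object, so anything pmcd or one of its PMDAs can write under that label becomes executable in the pmcd domain. That trade-off is presumably forced by the kernel labelling the memfd with the tmpfs type rather than a dedicated anonymous-inode type, but nothing in the new comment says so, and a later reader will not see why a whole-label exec grant sits next to the narrowly scoped hostname_exec_t rule above it. I would add above the macro call `# NOTE: can_exec() grants execute/map on ALL pcp_tmpfs_t files, not only the libffi memfd;` and `# pmcd can therefore execute anything it writes under that label (W^X is lost for this type).` Minor: in the qa/1622 hunk the new YYY.787 entry is inserted between YYY.27 and YYY.28 rather than in numeric order with its neighbours, which is harmless for the test but worth a word if that file is meant to stay sorted.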
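--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2093751-sudoers-docs.patch
@@ -0,0 +1,135 @@
+commit 55e8c83ee5920ab30644f54f7a525255b1de4b84
+Author: Nathan Scott <nathans@redhat.com>
+Date: Mon Aug 29 14:25:03 2022 +1000
+
+docs: describe working sudoers configuration with requiretty
+
+When /etc/sudoers is configured with 'Defaults requiretty',
+pmlogctl cannot invoke pmlogger_check in the normal fashion.
+Symptoms of the problem are the following system log message:
+
+pmlogctl[PID]: sudo: sorry, you must have a tty to run sudo
+
+pmiectl and pmie_check are similarly affected. The simplest
+solution is to add an additional configuration line excluding
+these commands from requiring a tty; this is the approach now
+documented.
+
+Note these PCP commands are not interactive (require no tty)
+and the unprivileged 'pcp' account uses nologin(8) as a shell
+anyway, so requiretty offers no advantages here. Note also
+there's debate about whether requiretty is a useful security
+measure in general as it can be trivially bypassed; further
+details: https://bugzilla.redhat.com/show_bug.cgi?id=1020147
+
+Resolves Red Hat BZ #2093751
+
+diff -Naurp pcp-5.3.7.orig/man/man1/pmie_check.1 pcp-5.3.7/man/man1/pmie_check.1
+--- pcp-5.3.7.orig/man/man1/pmie_check.1 2021-11-04 08:26:15.000000000 +1100
++++ pcp-5.3.7/man/man1/pmie_check.1 2022-08-31 11:17:52.362276530 +1000
+@@ -406,6 +406,42 @@ no
+entries are needed as the timer mechanism provided by
+.B systemd
+is used instead.
++.PP
++The
++.BR pmiectl (1)
++utility may invoke
++.B pmie_check
++using the
++.BR sudo (1)
++command to run it under the $PCP_USER ``pcp'' account.
++If
++.B sudo
++is configured with the non-default
++.I requiretty
++option (see below),
++.B pmie_check
++may fail to run due to not having a tty configured.
++This issue can be resolved by adding a second line
++(expand $PCP_BINADM_DIR according to your platform)
++to the
++.I /etc/sudoers
++configuration file as follows:
++.P
++.ft CW
++.nf
++.in +0.5i
++Defaults requiretty
++Defaults!$PCP_BINADM_DIR/pmie_check !requiretty
++.in
++.fi
++.ft 1
++.P
++Note that the unprivileged PCP account under which these
++commands run uses
++.I /sbin/nologin
++as the shell, so the
++.I requiretty
++option is ineffective here and safe to disable in this way.
+.SH FILES
+.TP 5
+.I $PCP_PMIECONTROL_PATH
+diff -Naurp pcp-5.3.7.orig/man/man1/pmlogger_check.1 pcp-5.3.7/man/man1/pmlogger_check.1
+--- pcp-5.3.7.orig/man/man1/pmlogger_check.1 2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/man/man1/pmlogger_check.1 2022-08-31 11:20:52.470086724 +1000
+@@ -830,6 +830,42 @@ no
+entries are needed as the timer mechanism provided by
+.B systemd
+is used instead.
++.PP
++The
++.BR pmlogctl (1)
++utility may invoke
++.B pmlogger_check
++using the
++.BR sudo (1)
++command to run it under the $PCP_USER ``pcp'' account.
++If
++.B sudo
++is configured with the non-default
++.I requiretty
++option (see below),
++.B pmlogger_check
++may fail to run due to not having a tty configured.
++This issue can be resolved by adding a second line
++(expand $PCP_BINADM_DIR according to your platform)
++to the
++.I /etc/sudoers
++configuration file as follows:
++.P
++.ft CW
++.nf
++.in +0.5i
++Defaults requiretty
++Defaults!$PCP_BINADM_DIR/pmlogger_check !requiretty
++.in
++.fi
++.ft 1
++.P
++Note that the unprivileged PCP account under which these
++commands run uses
++.I /sbin/nologin
++as the shell, so the
++.I requiretty
++option is ineffective here and safe to disable in this way.
+.SH FILES
+.TP 5
+.I $PCP_PMLOGGERCONTROL_PATH
+@@ -926,7 +962,7 @@ instances for
+.I hostname
+have been launched in the interim.
+Because the cron-driven PCP archive management scripts run under
+-the uid of the user ``pcp'',
++the $PCP_USER account ``pcp'',
+.BI $PCP_ARCHIVE_DIR/ hostname /SaveLogs
+typically needs to be owned by the user ``pcp''.
+.TP
+@@ -994,6 +1030,7 @@ platforms.
+.BR pmlogmv (1),
+.BR pmlogrewrite (1),
+.BR pmsocks (1),
++.BR sudo (1),
+.BR systemd (1),
+.BR xz (1)
+and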
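--- /dev/null
+++ b/SOURCES/redhat-bugzilla-2101574-farm-config.patch
@@ -0,0 +1,103 @@
+From 73c024c64f7db68fdcd224c27c1711fa6dd1d254 Mon Sep 17 00:00:00 2001
+From: Nathan Scott <nathans@redhat.com>
+Date: Tue, 28 Jun 2022 10:06:06 +1000
+Subject: [PATCH] pmlogger_farm: add default configuration file for farm
+loggers
+
+Provide a mechanism whereby the farm loggers can be configured.
+There has been reluctance in the past to sharing configuration
+of the local primary logger, so these are now done separately.
+Makes sense to me as the primary pmlogger may need to use more
+frequent sampling, may not want to allow remote pmlc, etc.
+
+Resolves Red Hat BZ #2101574
+---
+src/pmlogger/GNUmakefile | 1 +
+src/pmlogger/pmlogger.defaults | 2 ++
+src/pmlogger/pmlogger_check.sh | 5 +++--
+src/pmlogger/pmlogger_farm.defaults | 27 +++++++++++++++++++++++++++
+4 files changed, 33 insertions(+), 2 deletions(-)
+create mode 100644 src/pmlogger/pmlogger_farm.defaults
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/GNUmakefile pcp-5.3.7/src/pmlogger/GNUmakefile
+--- pcp-5.3.7.orig/src/pmlogger/GNUmakefile 2022-02-02 11:53:05.000000000 +1100
++++ pcp-5.3.7/src/pmlogger/GNUmakefile 2022-08-31 11:23:08.758672970 +1000
+@@ -45,6 +45,7 @@ install:: $(SUBDIRS)
+
+install:: default
+$(INSTALL) -m 775 -o $(PCP_USER) -g $(PCP_GROUP) -d $(PCP_VAR_DIR)/config/pmlogger
++ $(INSTALL) -m 644 pmlogger_farm.defaults $(PCP_SYSCONFIG_DIR)/pmlogger_farm
+$(INSTALL) -m 644 pmlogger.defaults $(PCP_SYSCONFIG_DIR)/pmlogger
+$(INSTALL) -m 755 -d $(PCP_SHARE_DIR)/zeroconf
+$(INSTALL) -m 644 pmlogger.zeroconf $(PCP_SHARE_DIR)/zeroconf/pmlogger
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh pcp-5.3.7/src/pmlogger/pmlogger_check.sh
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_check.sh 2022-04-05 09:05:43.000000000 +1000
++++ pcp-5.3.7/src/pmlogger/pmlogger_check.sh 2022-08-31 11:23:08.758672970 +1000
+@@ -1,6 +1,6 @@
+#! /bin/sh
+#
+-# Copyright (c) 2013-2016,2018,2020-2021 Red Hat.
++# Copyright (c) 2013-2016,2018,2020-2022 Red Hat.
+# Copyright (c) 1995-2000,2003 Silicon Graphics, Inc. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+@@ -24,6 +24,7 @@
+PMLOGGER="$PCP_BINADM_DIR/pmlogger"
+PMLOGCONF="$PCP_BINADM_DIR/pmlogconf"
+PMLOGGERENVS="$PCP_SYSCONFIG_DIR/pmlogger"
++PMLOGGERFARMENVS="$PCP_SYSCONFIG_DIR/pmlogger_farm"
+PMLOGGERZEROCONFENVS="$PCP_SHARE_DIR/zeroconf/pmlogger"
+
+# error messages should go to stderr, not the GUI notifiers
+@@ -972,8 +973,8 @@ END { print m }'`
+continue
+fi
+else
++ envs=`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null`
+args="-h $host $args"
+- envs=""
+iam=""
+fi
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults pcp-5.3.7/src/pmlogger/pmlogger.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger.defaults 2022-02-03 16:11:40.000000000 +1100
++++ pcp-5.3.7/src/pmlogger/pmlogger.defaults 2022-08-31 11:23:08.758672970 +1000
+@@ -1,5 +1,7 @@
+# Environment variables for the primary pmlogger daemon. See also
+# the pmlogger control file and pmlogconf(1) for additional details.
++# Also see separate pmlogger_farm configuration for the non-primary
++# logger configuration settings, separate to this file.
+# Settings defined in this file will override any settings in the
+# pmlogger zeroconf file (if present).
+
+diff -Naurp pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults
+--- pcp-5.3.7.orig/src/pmlogger/pmlogger_farm.defaults 1970-01-01 10:00:00.000000000 +1000
++++ pcp-5.3.7/src/pmlogger/pmlogger_farm.defaults 2022-08-31 11:23:08.758672970 +1000
+@@ -0,0 +1,27 @@
++# Environment variables for the pmlogger farm daemons. See also
++# pmlogger control file(s) and pmlogconf(1) for additional details.
++# Also see separate pmlogger configuration for the primary logger
++# configuration settings, separate to this file.
++
++# Behaviour regarding listening on external-facing interfaces;
++# unset PMLOGGER_LOCAL to allow connections from remote hosts.
++# A value of 0 permits remote connections, 1 permits local only.
++# PMLOGGER_LOCAL=1
++
++# Max length to which the queue of pending connections may grow
++# A value of 5 is the default.
++# PMLOGGER_MAXPENDING=5
++
++# Default sampling interval pmlogger uses when no more specific
++# interval is requested. A value of 60 seconds is the default.
++# Both pmlogger command line (via control file) and also pmlogger
++# configuration file directives will override this value.
++# PMLOGGER_INTERVAL=60
++
++# The default behaviour, when pmlogger configuration comes from
++# pmlogconf(1), is to regenerate the configuration file and check for
++# changes whenever pmlogger is started from pmlogger_check(1).
++# If the PMDA configuration is stable, this is not necessary, and
++# setting PMLOGGER_CHECK_SKIP_LOGCONF to yes disables the regeneration
++# and checking.
++# PMLOGGER_CHECK_SKIP_LOGCONF=yes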
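Review bot: The new pmlogger_farm.defaults ships `# PMLOGGER_LOCAL=1` commented out, so the `envs=` line added to pmlogger_check.sh yields no PMLOGGER_LOCAL setting for farm loggers and, by the file's own comment, they will accept pmlc control connections from remote hosts; if the primary pmlogger.defaults (not in this hunk) enables the local-only setting, the primary and farm loggers now differ in network exposure without either file saying so. I would either ship `PMLOGGER_LOCAL=1` uncommented, or reword the header to `# Farm loggers accept remote pmlc connections unless PMLOGGER_LOCAL=1 is set here.` so the shipped default is explicit. Separately, `envs=\`grep -h ^PMLOGGER "$PMLOGGERFARMENVS" 2>/dev/null\`` runs once per host inside what appears to be the control-file loop (the `continue` two lines above it suggests a loop whose head lies outside the hunk); reading the file once before the loop into a variable avoids re-parsing it for every farm host.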
@ -1,6 +1,6 @@
Name: pcp
Version: 5.3.7
Release: 7%{?dist}
Release: 9%{?dist}
Summary: System-level performance monitoring and performance management
License: GPLv2+ and LGPLv2+ and CC-BY
URL: https://pcp.io
@ -12,6 +12,9 @@ Patch1: redhat-bugzilla-1981886-pmdasockets-backporting.patch
Patch2: redhat-bugzilla-2059461-pmie-systemd-fixup.patch
Patch3: redhat-bugzilla-2081262-pmdaproc-cgroups-fix.patch
Patch4: redhat-bugzilla-2059463-pmdapostfix-harden.patch
Patch5: redhat-bugzilla-2050094-bcc-selinux.patch
Patch6: redhat-bugzilla-2093751-sudoers-docs.patch
Patch7: redhat-bugzilla-2101574-farm-config.patch
# The additional linker flags break out-of-tree PMDAs.
# https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@ -2295,6 +2298,9 @@ updated policy package.
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
# the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step)
@ -3352,6 +3358,11 @@ PCP_LOG_DIR=%{_logsdir}
%files zeroconf -f pcp-zeroconf-files.rpm
%changelog
* Mon Sep 05 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-9
- Additional selinux policy rules for pmdabcc (BZ 2050094)
- Describe working sudoers requiretty configuration (BZ 2093751)
- Separate pmlogger_farm configuration mechanism (BZ 2101574)
* Mon May 09 2022 Nathan Scott <nathans@redhat.com> - 5.3.7-7
- Additional selinux policy rules for pmdasockets (BZ 1981886)