import pcp-5.3.1-4.el8

SOURCES/redhat-bugzilla-1879350.patch

@@ -29,32 +29,6 @@ Date:   Thu Jun 24 12:42:54 2021 +1000
     
     Resolves: RHBZ#1879350
 
-diff --git a/build/rpm/pcp.spec.in b/build/rpm/pcp.spec.in
-index 7d55cc582..09a5040d5 100755
---- a/build/rpm/pcp.spec.in
-+++ b/build/rpm/pcp.spec.in
-@@ -2234,7 +2234,7 @@ basic_manifest | grep -E -e 'pmiostat|pmrep|dstat|pcp2csv' \
-    -e 'pcp-atop|pcp-dmcache|pcp-dstat|pcp-free|pcp-htop' \
-    -e 'pcp-ipcs|pcp-iostat|pcp-lvmcache|pcp-mpstat' \
-    -e 'pcp-numastat|pcp-pidstat|pcp-shping|pcp-tapestat' \
--   -e 'pcp-uptime|pcp-verify' | \
-+   -e 'pcp-uptime|pcp-verify|pcp-ss' | \
-    cull 'selinux|pmlogconf|pmieconf|pmrepconf' >pcp-system-tools-files
- basic_manifest | keep 'sar2pcp' >pcp-import-sar2pcp-files
- basic_manifest | keep 'iostat2pcp' >pcp-import-iostat2pcp-files
-diff --git a/build/rpm/redhat.spec b/build/rpm/redhat.spec
-index a437b15c8..f85a6d53a 100644
---- a/build/rpm/redhat.spec
-+++ b/build/rpm/redhat.spec
-@@ -2375,7 +2375,7 @@ basic_manifest | grep -E -e 'pmiostat|pmrep|dstat|pcp2csv' \
-    -e 'pcp-atop|pcp-dmcache|pcp-dstat|pcp-free|pcp-htop' \
-    -e 'pcp-ipcs|pcp-iostat|pcp-lvmcache|pcp-mpstat' \
-    -e 'pcp-numastat|pcp-pidstat|pcp-shping|pcp-tapestat' \
--   -e 'pcp-uptime|pcp-verify' | \
-+   -e 'pcp-uptime|pcp-verify|pcp-ss' | \
-    cull 'selinux|pmlogconf|pmieconf|pmrepconf' >pcp-system-tools-files
- 
- basic_manifest | keep 'sar2pcp' >pcp-import-sar2pcp-files
 diff --git a/qa/1633 b/qa/1633
 new file mode 100755
 index 000000000..8ce2fc3ba

SOURCES/redhat-bugzilla-1962019.patch

@@ -0,0 +1,61 @@
+diff -Naurp pcp-5.3.1.orig/qa/1622 pcp-5.3.1/qa/1622
+--- pcp-5.3.1.orig/qa/1622	2021-05-31 09:25:06.000000000 +1000
++++ pcp-5.3.1/qa/1622	2021-08-27 15:22:35.173591966 +1000
+@@ -251,6 +251,8 @@ type=AVC msg=audit(XXX.94): avc:  denied
+ type=AVC msg=audit(XXX.95): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(XXX.96): avc:  denied  { execute } for  pid=2205945 comm="sh" name="kmod" dev="dm-0" ino=9462231 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
+ type=AVC msg=audit(XXX.97): avc:  denied  { execute_no_trans } for  pid=40596 comm="sh" path="/usr/bin/kmod" dev="dm-0" ino=9462231 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
++type=AVC msg=audit(XXX.98): avc: denied { getattr write } for pid=14272 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=95030 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
++type=AVC msg=audit(XXX.99): avc: denied { getattr write } for pid=75540 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=51062 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
+ EOF
+ 
+ echo "Silence is golden ... all AVC's are allowed by active policy"
+diff -Naurp pcp-5.3.1.orig/qa/917.out.in pcp-5.3.1/qa/917.out.in
+--- pcp-5.3.1.orig/qa/917.out.in	2021-06-04 06:36:53.000000000 +1000
++++ pcp-5.3.1/qa/917.out.in	2021-08-27 15:22:35.175591931 +1000
+@@ -23,6 +23,8 @@ Checking policies.
+   allow [init_t] [system_cronjob_t] : [dbus] { send_msg };
+   allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans };
+   allow [pcp_pmcd_t] [user_tmp_t] : [sock_file] { getattr write };
++  allow [pcp_pmcd_t] [container_var_run_t] : [sock_file] { getattr write };
++  allow [pcp_pmcd_t] [var_run_t] : [sock_file] { getattr write };
+   allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
+ ! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
+   allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
+diff -Naurp pcp-5.3.1.orig/src/pmdas/podman/pmda.c pcp-5.3.1/src/pmdas/podman/pmda.c
+--- pcp-5.3.1.orig/src/pmdas/podman/pmda.c	2021-05-13 14:42:26.000000000 +1000
++++ pcp-5.3.1/src/pmdas/podman/pmda.c	2021-08-27 15:22:35.175591931 +1000
+@@ -19,7 +19,7 @@
+ char *podman_rundir;
+ pmdaIndom podman_indomtab[NUM_INDOMS];
+ 
+-#define NUM_METRICS (NUM_CONTAINER_STATS + NUM_CONTAINER_INFO + NUM_POD_INFO)
++#define NUM_METRICS (sizeof(podman_metrictab)/sizeof(podman_metrictab[0]))
+ static pmdaMetric podman_metrictab[] = {
+ 
+     /* container stats cluster (0) */
+diff -Naurp pcp-5.3.1.orig/src/selinux/pcpupstream.te.in pcp-5.3.1/src/selinux/pcpupstream.te.in
+--- pcp-5.3.1.orig/src/selinux/pcpupstream.te.in	2021-06-04 06:36:39.000000000 +1000
++++ pcp-5.3.1/src/selinux/pcpupstream.te.in	2021-08-27 15:22:35.175591931 +1000
+@@ -59,6 +59,8 @@ require {
+         type proc_kcore_t;
+ 	@PCP_PROC_SECURITY_T@
+         type su_exec_t;
++	type var_run_t;
++	type container_var_run_t;
+ 	type postgresql_var_run_t;
+ 	type fs_t;
+ 	@PCP_VIRT_VAR_RUN_T@
+@@ -131,6 +133,12 @@ allow pcp_pmcd_t user_home_t:file { exec
+ #type=AVC msg=audit(XXX.90): avc: denied { getattr write } for pid=1514 comm="pmdapodman" path="/run/user/N/podman/podman.sock" dev="tmpfs" ino=228 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
+ allow pcp_pmcd_t user_tmp_t:sock_file { getattr write };
+ 
++#type=AVC msg=audit(XXX.98): avc: denied { getattr write } for pid=14272 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=95030 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
++allow pcp_pmcd_t container_var_run_t:sock_file { getattr write };
++
++#type=AVC msg=audit(XXX.99): avc: denied { getattr write } for pid=75540 comm="pmdapodman" path="/run/podman/podman.sock" dev="tmpfs" ino=51062 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
++allow pcp_pmcd_t var_run_t:sock_file { getattr write };
++
+ #type=AVC msg=audit(XXX.6): avc:  denied  { append getattr ioctl open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
+ allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
+ 

SPECS/pcp.spec

@@ -1,6 +1,6 @@
 Name:    pcp
 Version: 5.3.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io
@@ -12,6 +12,7 @@ Patch000: redhat-bugzilla-1947989.patch
 Patch001: redhat-bugzilla-1974266.patch
 Patch002: redhat-bugzilla-1975069.patch
 Patch003: redhat-bugzilla-1879350.patch
+Patch004: redhat-bugzilla-1962019.patch
 
 %if 0%{?fedora} >= 26 || 0%{?rhel} > 7
 %global __python2 python2
@@ -2222,6 +2223,7 @@ updated policy package.
 %patch001 -p1
 %patch002 -p1
 %patch003 -p1
+%patch004 -p1
 
 %build
 # fix up build version
@@ -3279,6 +3281,9 @@ PCP_LOG_DIR=%{_logsdir}
 %files zeroconf -f pcp-zeroconf-files.rpm
 
 %changelog
+* Fri Aug 27 2021 Nathan Scott <nathans@redhat.com> - 5.3.1-4
+- Fix pmdapodman initialization and selinux policy (BZ 1962019)
+
 * Fri Jul 09 2021 Mark Goodwin <mgoodwin@redhat.com> - 5.3.1-3
 - Improve pmproxy and libpcp_web scalability (BZ 1975069)
 - Provide a pcp-ss(1) tool in pcp-system-tools (BZ 1879350)