BZ 1790452 - Installation of pcp-pmda-samba causes SELinux issues 73772a60f selinux: fix pmdasamba(1) operating with selinux enforcing
--- a/qa/917.out.in 2020-05-19 20:34:46.000000000 +1000
+++ pcp-5.1.1/qa/917.out.in 2020-06-22 17:29:14.346713826 +1000
@@ -34,6 +34,8 @@
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [udp_socket] { name_bind };
 ! allow [pcp_pmlogger_t] [unreserved_port_t] : [tcp_socket] { name_bind };
+ allow [pcp_pmcd_t] [samba_var_t] : [dir] { add_name write };
+ allow [pcp_pmcd_t] [samba_var_t] : [file] { create };
 allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
 ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
 allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
--- a/src/pmdas/samba/pmdasamba.pl 2020-02-04 14:51:57.000000000 +1100
+++ pcp-5.1.1/src/pmdas/samba/pmdasamba.pl 2020-06-22 17:29:14.346713826 +1000
@@ -41,6 +41,7 @@
 $pmda->err("pmdasamba failed to open $smbstats pipe: $!");
 while () {
+ $_ =~ s/"//g;
 if (m/^\*\*\*\*\s+(\w+[^*]*)\**$/) {
 my $heading = $1;
 $heading =~ s/ +$//g;
--- a/src/selinux/pcpupstream.te.in 2020-05-19 20:34:32.000000000 +1000
+++ pcp-5.1.1/src/selinux/pcpupstream.te.in 2020-06-22 17:29:14.347713837 +1000
@@ -22,6 +22,7 @@
 type pcp_pmie_exec_t; # pmda.summary
 type ping_exec_t; # pmda.netcheck
 type openvswitch_exec_t; # pmda.openvswitch
+ type samba_var_t; # pmda.samba
 type websm_port_t; # pmda.openmetrics
 type system_cronjob_t;
 type user_home_t;
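Review bot: In the pmdasamba.pl hunk, the added `$_ =~ s/"//g;` strips every double quote from each smbstatus line before any pattern is tried, and nothing in the code or the commit title (which mentions only SELinux) says why. A short comment above it would record the reason, for example `# smbstatus output may contain double quotes; drop them so the patterns below still match` (the reason is presumed here and should be confirmed by the author). As a style point, the explicit `$_ =~` is redundant and `tr/"//d;` does the same deletion without the regex engine. The loop body continues past the end of the hunk, so the effect on the later patterns cannot be checked from here.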
@@ -151,6 +152,10 @@
 #type=AVC msg=audit(YYY.94): avc: denied { name_bind } for pid=9365 comm=pmlogger src=4332 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
 @PCP_UNRESERVED_PORT_RULE_PMLOGGER@
+#type=AVC msg=audit(YYY.97): avc: denied { write } for pid=3507787 comm="smbstatus" name="msg.lock" dev="dm-0" ino=283321 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=dir permissive=0
+allow pcp_pmcd_t samba_var_t:dir { add_name write }; # pmda.samba
+allow pcp_pmcd_t samba_var_t:file { create }; # pmda.samba
+
 #type=AVC msg=audit(YYY.15): avc: denied { name_connect } for pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
 allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.openmetrics
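Review bot: The two new allow rules grant more than the one recorded denial justifies. The AVC comment shows only `write` on the `msg.lock` directory, while the rules also add `add_name` on `samba_var_t:dir` and `create` on `samba_var_t:file`. The denials behind those two permissions should be pasted as `#type=AVC` comments too, so each granted permission can be traced to an observed denial. The access goes to the whole `pcp_pmcd_t` domain, because smbstatus runs with that scontext, so every process in that domain can create files under Samba's `samba_var_t` directories. A comment stating the intended scope would help the next reviewer, for example `# smbstatus, run by pmdasamba as pcp_pmcd_t, creates an entry in Samba's msg.lock directory`. Separately, the `type samba_var_t;` line in the `@@ -22,6 +22,7 @@` hunk is unconditional; if it sits in a require block (not visible here), confirm the module still loads on a policy that does not define that type.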