pcp/redhat-bugzilla-2006430.patch

commit 22ee6c04115e8a26f319be3549cd50ad81b5024a
Author: Nathan Scott <nathans@redhat.com>
Date:   Fri Jan 21 13:08:05 2022 +1100

    selinux: additional debugfs policy requirement for pmdakvm
    
    Related to Red Hat BZ #2006430

diff --git a/qa/917.out.in b/qa/917.out.in
index 9339f7436..0723565d6 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -25,6 +25,7 @@ Checking policies.
 ! allow [pcp_pmcd_t] [container_var_run_t] : [sock_file] { getattr write };
   allow [pcp_pmcd_t] [var_run_t] : [sock_file] { getattr write };
   allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
+  allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
 ! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
   allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
   allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 4a51b804e..20a6705d5 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -144,6 +144,7 @@ allow pcp_pmcd_t var_run_t:sock_file { getattr write };
 
 #type=AVC msg=audit(XXX.6): avc:  denied  { append getattr ioctl open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
+allow pcp_pmcd_t debugfs_t:dir read;
 
 #type=AVC msg=audit(XXX.7): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
 #type=AVC msg=audit(XXX.68): avc:  denied  { map } for  pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0