Add pcp_domain selinux policy

(cherry picked from commit 89d9285892c1a9b00fc0284276b4049798f9877b)
2021-06-08 14:24:09 +08:00 · 2021-06-08 14:24:09 +08:00 · aab3fa036d
commit aab3fa036d
parent 96a2a3fbc6
2 changed files with 61 additions and 1 deletions
--- a/Add-pcp_domain-selinux-policy.patch
+++ b/Add-pcp_domain-selinux-policy.patch
@ -0,0 +1,55 @@
+From 630e0e4e304c751127329009000dc0abcb5a62dc Mon Sep 17 00:00:00 2001
+From: lingsheng <lingsheng@huawei.com>
+Date: Tue, 8 Jun 2021 10:39:37 +0800
+Subject: [PATCH] Add pcp_domain selinux policy
+
+---
+ src/selinux/pcpupstream.te.in | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 8a8cc22..77ede46 100644
+--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
+@@ -1,6 +1,9 @@
+ module pcpupstream @PACKAGE_VERSION@;
+ 
+ require {
+	attribute domain;
+	attribute pcp_domain;
+
+ 	type pcp_pmcd_t;
+ 	type user_home_t;
+ 	type user_home_dir_t; #RHBZ1488116
+@@ -79,7 +82,7 @@ require {
+         type system_cronjob_t;
+         type xdm_t;
+         type postgresql_t;
+-        class sem { unix_read associate getattr };
+        class sem { unix_read associate getattr read};
+ 	class lnk_file { read getattr };
+ 	class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
+ 	class dir { add_name open read search write getattr };
+@@ -93,7 +96,7 @@ require {
+ 	@PCP_SOCK_FILE_GETATTR@
+ 	@PCP_CLASS_STATUS@
+ 	class tcp_socket { name_bind name_connect };
+-	class shm { unix_read associate getattr };
+	class shm { unix_read associate getattr read};
+ 	class filesystem mount;
+ 	class blk_file { ioctl open read };
+ 	class msgq { unix_read };
+@@ -286,6 +289,10 @@ allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
+ #type=AVC msg=audit(...): avc:  denied  { connectto } for  pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
+ allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
+ 
+# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+allow pcp_domain domain:shm r_sem_perms;
+allow pcp_domain domain:sem r_shm_perms;
+
+ #============= pcp_pmlogger_t ==============
+ allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
+ allow pcp_pmlogger_t self:capability kill;
+-- 
+2.23.0
+
--- a/pcp.spec
+++ b/pcp.spec
@ -9,7 +9,7 @@
 Name:             pcp
 Version:          4.1.3
 Summary:          System-level performance monitoring and performance management
-Release:          12
+Release:          13
 License:          GPLv2+ and LGPLv2.1+ and CC-BY
 URL:              https://pcp.io
 Source0:          https://dl.bintray.com/pcp/source/pcp-4.1.3.tar.gz
@ -19,6 +19,7 @@ Source3:          https://github.com/performancecopilot/pcp-webapp-graphite/arch
 Source4:          https://github.com/performancecopilot/pcp-webapp-blinkenlights/archive/1.0.1/pcp-webapp-blinkenlights-1.0.1.tar.gz
 Patch0001:        Fix-some-options-and-syntax-errors.patch
 Patch0002:        fix-pcp-pidstat-bug.patch
+Patch0003:        Add-pcp_domain-selinux-policy.patch
 Patch6000:        CVE-2019-3695-CVE-2019-3696.patch

 BuildRequires:    gcc gcc-c++ procps autoconf bison flex nss-devel rpm-devel avahi-devel xz-devel zlib-devel
@ -864,6 +865,7 @@ This package installs selinux support files for PCP.
 %setup -q
 %patch0001 -p1
 %patch0002 -p1
+%patch0003 -p1
 %patch6000 -p1

 %build
@ -2218,6 +2220,9 @@ fi
 %config(noreplace) /etc/pcp/pmrep/*

 %changelog
+* Tue Jun  8 2021 lingsheng <lingsheng@huawei.com> - 4.1.3-13
+- Add pcp_domain selinux policy
+
 * Fri May 14 2021 lingsheng <lingsheng@huawei.com> - 4.1.3-12
 - Fix some options and syntax errors
 - Fix pcp pidstat bug -a option