Add pcp_domain selinux policy

2021-11-02 14:43:15 +08:00 · 2021-11-02 14:43:15 +08:00 · 639da1255a
commit 639da1255a
parent db2be17518
2 changed files with 61 additions and 1 deletions
--- a/Add-pcp_domain-selinux-policy.patch
+++ b/Add-pcp_domain-selinux-policy.patch
@ -0,0 +1,55 @@
+From 630e0e4e304c751127329009000dc0abcb5a62dc Mon Sep 17 00:00:00 2001
+From: lingsheng <lingsheng@huawei.com>
+Date: Tue, 8 Jun 2021 10:39:37 +0800
+Subject: [PATCH] Add pcp_domain selinux policy
+
+---
+ src/selinux/pcpupstream.te.in | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
+index 8a8cc22..77ede46 100644
+--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
+@@ -1,6 +1,9 @@
+ module pcpupstream @PACKAGE_VERSION@;
+ 
+ require {
+	attribute domain;
+	attribute pcp_domain;
+
+ 	type pcp_pmcd_t;
+ 	type user_home_t;
+ 	type user_home_dir_t; #RHBZ1488116
+@@ -79,7 +82,7 @@ require {
+         type system_cronjob_t;
+         type xdm_t;
+         type postgresql_t;
+-        class sem { unix_read associate getattr };
+        class sem { unix_read associate getattr read};
+ 	class lnk_file { read getattr };
+ 	class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
+ 	class dir { add_name open read search write getattr };
+@@ -93,7 +96,7 @@ require {
+ 	@PCP_SOCK_FILE_GETATTR@
+ 	@PCP_CLASS_STATUS@
+ 	class tcp_socket { name_bind name_connect };
+-	class shm { unix_read associate getattr };
+	class shm { unix_read associate getattr read};
+ 	class filesystem mount;
+ 	class blk_file { ioctl open read };
+ 	class msgq { unix_read };
+@@ -286,6 +289,10 @@ allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
+ #type=AVC msg=audit(...): avc:  denied  { connectto } for  pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
+ allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
+ 
+# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+allow pcp_domain domain:shm r_sem_perms;
+allow pcp_domain domain:sem r_shm_perms;
+
+ #============= pcp_pmlogger_t ==============
+ allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
+ allow pcp_pmlogger_t self:capability kill;
+-- 
+2.23.0
+
--- a/pcp.spec
+++ b/pcp.spec
@ -11,7 +11,7 @@
 Name:             pcp
 Version:          4.1.3
 Summary:          System-level performance monitoring and performance management
-Release:          16
+Release:          17
 License:          GPLv2+ and LGPLv2.1+ and CC-BY
 URL:              https://pcp.io
 Source0:          https://dl.bintray.com/pcp/source/pcp-4.1.3.tar.gz
@ -27,6 +27,7 @@ Patch9001:        0002-fix-some-pcp-pidstat-bugs.patch
 Patch9002:        0003-fix-pcp-pidstat-bug.patch
 Patch9003:        0004-modify-python2-to-python3.patch
 Patch9004:        Fix-pcp-gcc10.patch
+Patch9005:        Add-pcp_domain-selinux-policy.patch

 BuildRequires:    gcc gcc-c++ procps autoconf bison flex nss-devel rpm-devel avahi-devel xz-devel zlib-devel
 BuildRequires:    python3-devel ncurses-devel readline-devel cyrus-sasl-devel papi-devel libpfm-devel >= 4
@ -867,6 +868,7 @@ This package installs selinux support files for PCP.
 %patch9002 -p1
 %patch9003 -p1
 %patch9004 -p1
+%patch9005 -p1

 %build

@ -2220,6 +2222,9 @@ fi
 %config(noreplace) /etc/pcp/pmrep/*

 %changelog
+* Tue Nov 02 2021 lingsheng <lingsheng@huawei.com> - 4.1.3-17
+- Add pcp_domain selinux policy
+
 * Wed Aug 04 2021 wangyong <wangyong187@huawei.com> - 4.1.3-16
 - Fix build error caused by GCC upgrade to GCC-10