From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Tue, 6 Sep 2022 15:19:59 +0200
Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs

Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.515:244): avc:  denied  { search } for  pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
Resolves: bz#2041845

Allow pmdaproc search accesses on the directory /var/account.
Add interface to allow search process accounting data.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.499:243): avc:  denied  { search } for  pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0
Resolves: bz#2041843

Signed-off-by: lujie42 <lujie54@huawei.com>
---
 policy/modules/contrib/acct.if | 18 ++++++++++++++++++
 policy/modules/contrib/pcp.te  |  5 +++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index bc4038b45..86dcc1d5f 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -60,6 +60,24 @@ interface(`acct_exec_data',`
 	can_exec($1, acct_data_t)
 ')
 
+########################################
+## <summary>
+##      Search process accounting data.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`acct_search_data',`
+        gen_require(`
+                type acct_data_t;
+        ')
+
+        search_dirs_pattern($1, acct_data_t, acct_data_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
index 66200d46f..920456afc 100644
--- a/policy/modules/contrib/pcp.te
+++ b/policy/modules/contrib/pcp.te
@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t)
 fs_list_cgroup_dirs(pcp_pmcd_t)
 fs_read_cgroup_files(pcp_pmcd_t)
 fs_read_nfsd_files(pcp_pmcd_t)
+fs_search_tracefs_dirs(pcp_pmcd_t)
 
 init_read_utmp(pcp_pmcd_t)
 
@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t)
 userdom_read_user_tmp_files(pcp_pmcd_t)
 userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)
 
+optional_policy(`
+	acct_search_data(pcp_pmcd_t)
+')
+
 optional_policy(`
 	cron_read_pid_files(pcp_pmcd_t)
 ')
-- 
2.27.0