import pcp-5.3.7-20.el8_10

6 months ago · 3fb9e77377
parent 3065d861b7
commit 3fb9e77377
4 changed files with 24072 additions and 20 deletions
--- a/SOURCES/redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
+++ b/SOURCES/redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch
@ -0,0 +1,27 @@
+commit 3bde240a2acc85e63e2f7813330713dd9b59386e
+Author: Nathan Scott <nathans@redhat.com>
+Date:   Wed Mar 27 14:51:28 2024 +1100
+
+    pmproxy: disable Redis protocol proxying by default
+    
+    If a redis-server has been locked down in terms of connections,
+    we want to prevent pmproxy from being allowed to send arbitrary
+    RESP commands to it.
+    
+    This protocol proxying doesn't affect PCP functionality at all,
+    its more of a developer/sysadmin convenience when Redis used in
+    cluster mode (relatively uncommon compared to localhost mode).
+
+diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
+index e54891792e..4cbc1c96af 100644
+--- a/src/pmproxy/pmproxy.conf
+++ b/src/pmproxy/pmproxy.conf
+@@ -29,7 +29,7 @@ pcp.enabled = true
+ http.enabled = true
+ 
+ # support Redis protocol proxying
+-redis.enabled = true
+redis.enabled = false
+ 
+ # support SSL/TLS protocol wrapping
+ secure.enabled = true
--- a/SOURCES/redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
+++ b/SOURCES/redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
@ -0,0 +1,74 @@
+diff -Naurp pcp-5.3.7.orig/src/selinux/pcp.fc pcp-5.3.7/src/selinux/pcp.fc
+--- pcp-5.3.7.orig/src/selinux/pcp.fc	2023-11-21 13:25:11.689247531 +1100
+++ pcp-5.3.7/src/selinux/pcp.fc	2023-11-21 14:12:48.080744232 +1100
+@@ -1,36 +1,32 @@
+-/etc/rc\.d/init\.d/pmcd		--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/pmlogger 	--      gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/pmproxy 	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/pmie      --       gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+-
+ /usr/bin/pmie       --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+-/usr/bin/pmcd	    --	    gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+ /usr/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+-/usr/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+-
+ 
+ /usr/libexec/pcp/bin/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+-/usr/libexec/pcp/bin/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+ /usr/libexec/pcp/bin/pmproxy    --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+-/usr/libexec/pcp/bin/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+
+/usr/libexec/pcp/bin/pmie_check --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmie_daily --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmie_farm  --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_check  --  gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_daily  --  gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_farm   --  gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+ 
+ /usr/libexec/pcp/lib/pmcd	--	gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+ /usr/libexec/pcp/lib/pmlogger	--	gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+ /usr/libexec/pcp/lib/pmproxy	--	gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
+ /usr/libexec/pcp/lib/pmie	--	gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+ 
+-/usr/share/pcp/lib/pmie     --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+-
+-/usr/share/pcp/lib/pmlogger   --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/share/pcp/lib/pmcd         --      gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/share/pcp/lib/pmproxy      --      gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/share/pcp/lib/pmie         --      gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/share/pcp/lib/pmlogger     --      gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+ 
+ /var/lib/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_lib_t,s0)
+ 
+ /var/lib/pcp/pmdas/.*/Install   -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
+-/var/lib/pcp/pmdas/.*/Remove   -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
+/var/lib/pcp/pmdas/.*/Remove    -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
+ /var/lib/pcp/pmdas/.*/Upgrade   -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
+ 
+ /var/log/pcp(/.*)?		gen_context(system_u:object_r:pcp_log_t,s0)
+ 
+ /var/run/pcp(/.*)?		gen_context(system_u:object_r:pcp_var_run_t,s0)
+-/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
+-/var/run/pmlogger\.primary\.socket    -l  gen_context(system_u:object_r:pcp_var_run_t,s0)
+diff -Naurp pcp-5.3.7.orig/src/selinux/pcp.te pcp-5.3.7/src/selinux/pcp.te
+--- pcp-5.3.7.orig/src/selinux/pcp.te	2023-11-21 13:25:11.690247528 +1100
+++ pcp-5.3.7/src/selinux/pcp.te	2023-11-21 14:13:03.855770809 +1100
+@@ -279,6 +279,7 @@ allow pcp_pmlogger_t pcp_pmcd_t:unix_str
+ allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
+allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };
+ 
+ dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };
+ 
+@@ -313,6 +314,10 @@ optional_policy(`
+     rpm_script_signal(pcp_pmlogger_t)
+ ')
+ 
+optional_policy(`
+    userdom_setattr_user_home_content_files(pcp_pmlogger_t)
+')
+
+ ########################################
+ #
+ # pcp_plugin local  policy
--- a/SOURCES/redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
+++ b/SOURCES/redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
--- a/SPECS/pcp.spec
+++ b/SPECS/pcp.spec
@ -1,6 +1,6 @@
 Name:    pcp
 Version: 5.3.7
-Release: 18%{?dist}
+Release: 20%{?dist}
 Summary: System-level performance monitoring and performance management
 License: GPLv2+ and LGPLv2+ and CC-BY
 URL:     https://pcp.io
@ -25,6 +25,9 @@ Patch14: redhat-bugzilla-2150889-nfsclient-srcport.patch
 Patch15: redhat-bugzilla-2219731-hacluster-metrics.patch
 Patch16: redhat-bugzilla-2211263-pmcd-conf-rewrite.patch
 Patch17: redhat-build-jsonsl.patch
+Patch18: redhat-issues-RHEL-7507-pmdaopenmetrics-quoting.patch
+Patch19: redhat-issues-RHEL-7501-pmlogger_farm-selinux-policy.patch
+Patch20: redhat-issues-RHEL-30715-pmproxy-resp-proxy-disabled.patch

 # The additional linker flags break out-of-tree PMDAs.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2043092
@ -2291,25 +2294,7 @@ updated policy package.
 %endif

 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
+%autosetup -p1

 %build
 # the buildsubdir macro gets defined in %setup and is apparently only available in the next step (i.e. the %build step)
@ -3381,6 +3366,13 @@ fi
 %files zeroconf -f pcp-zeroconf-files.rpm

 %changelog
+* Wed Apr 17 2024 Nathan Scott <nathans@redhat.com> - 5.3.7-20
+- Disable RESP proxying by default in pmproxy (RHEL-30715)
+
+* Tue Nov 21 2023 Nathan Scott <nathans@redhat.com> - 5.3.7-19
+- Fix OpenMetrics PMDA mishandling systemd metrics (RHEL-7507)
+- Additional pmlogger_farm service SELinux policy (RHEL-7501)
+
 * Wed Jul 05 2023 Nathan Scott <nathans@redhat.com> - 5.3.7-18
 - Improve pmproxy handling large HTTP requests (BZ 2159207)
 - Fix hacluster metrics with current Pacemaker (BZ 2219731)