Merge branch 'master' of https://github.com/kmcdonell/pcp into kenj-m…

…erge
performancecopilot · Apr 29, 2019 · 63eaec6 · 63eaec6
2 parents b408ba0 + 66daa95
commit 63eaec6
Show file tree

Hide file tree

Showing 12 changed files with 142 additions and 20 deletions.
diff --git a/configure b/configure
@@ -5112,7 +5112,11 @@ yacc=`$which "$yacc"`
 if test ! -x "$yacc"; then
     as_fn_error $? "cannot find a valid 'yacc'/'bison' command." "$LINENO" 5
 fi
-yacc=$YACC
+yacc=`echo $YACC | sed -e '/^bison /{
+s/$/ /
+s/ -y / /
+s/ $//
+}'`
 
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking where unix-like sort(1) lives" >&5

diff --git a/configure.ac b/configure.ac
@@ -588,7 +588,12 @@ yacc=`$which "$yacc"`
 if test ! -x "$yacc"; then
     AC_MSG_ERROR([cannot find a valid 'yacc'/'bison' command.])
 fi
-yacc=$YACC
+dnl if this is bison, don't use the -y option
+yacc=`echo $YACC | sed -e '/^bison /{
+s/$/ /
+s/ -y / /
+s/ $//
+}'`
 AC_SUBST(yacc)
 
 dnl check we don't get the Windows sort ...

diff --git a/qa/.gitignore b/qa/.gitignore
@@ -23,6 +23,9 @@ webapi-webd-*
 check.time
 localconfig
 localconfig.h
+pcpqa.fc
+pcpqa.if
+pcpqa.pp
 qa_hosts
 qa_outfiles
 rc_cron_check.clean

diff --git a/qa/895 b/qa/895
@@ -119,12 +119,12 @@ N=`grep '^  Fetch group' $tmp.log | tee -a $here/$seq.full | wc -l | sed -e 's/
 # So the upper bound is 61*N records.
 #
 # On really slow VMs we struggle to keep up with the number of metrics and
-# the 100msec sampling rate, so 50*N is the lower bound ... this is OK,
+# the 100msec sampling rate, so 45*N is the lower bound ... this is OK,
 # because if pmlogger is going to behave badly we'll miss the 60*N target
 # by a mile!
 #
 max_nrec=`expr $N \* 61 + 2`
-min_nrec=`expr \( $N \) \* 50 + 2`
+min_nrec=`expr \( $N \) \* 45 + 2`
 echo "N(fetch groups)=$N max_nrec=$max_nrec min_nrec=$min_nrec" >>$here/$seq.full
 nrec=`pmdumplog $tmp | grep '^[0-9]' | grep -v '<mark>' | wc -l | sed -e 's/ //g'`
 echo "nrec=$nrec log records" >>$here/$seq.full

diff --git a/qa/920 b/qa/920
@@ -35,6 +35,13 @@ _report()
     # Note: some versions of ls(1), e.g. OS X, don't report directory
     # names from the command line (so no pmlogger: line below)
     #
+    if [ ! -d $tmp ]
+    then
+	echo "Arrgh: directory $tmp not created"
+	$PCP_PS_PROG $PCP_PS_ALL_FLAGS | egrep '[P]ID|[p]mlogger'
+	return
+    fi
+
     (cd $tmp; ls -lR pmlogger ) | $PCP_AWK_PROG '
 $1 == "pmlogger:"	{ next }
 NF < 4		{ print; next }
@@ -70,7 +77,19 @@ End-of-File
 $sudo cp $tmp.tmp ${PCP_PMLOGGERCONTROL_PATH}.d/qa-$seq
 
 _service pmlogger restart | _filter_pcp_start
-_wait_for_pmlogger
+
+# wait up to 20 seconds for our pmlogger to start
+#
+i=0
+while [ $i -lt 20 ]
+do
+    if $PCP_PS_PROG $PCP_PS_ALL_FLAGS | grep '[p]mlogger.* -c /dev/null -L' >/dev/null
+    then
+	break
+    fi
+    sleep 1
+    i=`expr $i + 1`
+done
 
 _report
 echo

diff --git a/qa/GNUmakefile b/qa/GNUmakefile
@@ -24,14 +24,16 @@ ifeq "$(HAVE_PYTHON)" "true"
 SUBDIRS += secure mic haproxy lio prometheus
 endif
 
+ifeq "$(ENABLE_SELINUX)" "true"
+SELINUX_PCPQA = pcpqa.pp
+else
+SELINUX_PCPQA =
+endif
+
 # No implicit rules here, thank you
 #
 .SUFFIXES:
 
-# and do nothing if NNN.out is older than NNN
-#
-%.out: %
-
 default_pcp default: qa_outfiles localconfig $(SUBDIRS)
 	$(SUBDIRS_MAKERULE)
 
@@ -45,7 +47,8 @@ LDIRT += 051.work 134.full.* \
 	 *.bak *.bad *.core *.full *.notrun *.raw *.o core a.out core.* \
 	 *.log eek* urk* so_locations tmp.* gmon.out oss.qa.tar.gz \
 	 *.full.ok *.new rc_cron_check.clean \
-	  make.out qa_hosts qa_outfiles stap_*.ko localconfig check.time
+	 make.out qa_hosts qa_outfiles stap_*.ko localconfig check.time \
+	 pcpqa.pp pcpqa.fc pcpqa.if
 	# these ones are links to the real files created when the associated
 	# test is run
 LDIRT += $(shell [ -f .gitignore ] && grep '\.out$$' .gitignore)
@@ -66,6 +69,10 @@ COMMON = common.check common.config common.filter \
 OTHERS = group qa_hosts.master README sanity.coverage \
 	 $(shell echo valgrind-suppress* helgrind-suppress*)
 
+ifeq "$(ENABLE_SELINUX)" "true"
+OTHERS += pcpqa.te pcpqa.pp
+endif
+
 DOTOUTFILES = $(shell [ -f qa_outfiles ] && cat qa_outfiles || ls -1 | grep '^[0-9]' | grep -v '^[0-9][0-9][0-9]$$' | grep -v '^[0-9][0-9][0-9][0-9]$$' | egrep -v '^[0-9][0-9][0-9]*\.(full|out\.bad|notrun|work)' | tee qa_outfiles)
 
 qa_outfiles:
@@ -90,8 +97,18 @@ endif
 
 include $(BUILDRULES)
 
+# and do nothing if NNN.out is older than NNN
+#
+%.out: %
+
 debug-me:
 	@echo TESTS=$(TESTS)
 	@echo SRCFILES=$(SRCFILES)
 	@echo CONFFILES=$(CONFFILES)
 	@echo SUBDIRS=$(SUBDIRS)
+	@echo SELINUX_PCPQA=$(SELINUX_PCPQA)
+
+default_pcp default setup:	$(SELINUX_PCPQA)
+pcpqa.pp:	pcpqa.te
+	make -f /usr/share/selinux/devel/Makefile pcpqa.pp
+
diff --git a/qa/check.callback.sample b/qa/check.callback.sample
@@ -66,8 +66,10 @@ then
     echo "--- start pre-check ---"
     ./941 --check $1
     ./870 --check $1
-    $sudo test -f $audit && $sudo cp /dev/null $audit
+    $sudo egrep '^type=(AVC|SELINUX).*pcp' $audit >$1.pre-avc 2>/dev/null
+    echo "before `wc -l <$1.pre-avc` AVC errors"
     echo "--- end pre-check ---"
+    exit
 fi
 
 # CONFIGURE-ME
@@ -195,12 +197,16 @@ fi
 # Check audit log for any Security Enhanced Linux access denials
 # related to PCP ...
 #
-$sudo egrep '^type=(AVC|SELINUX).*pcp' $audit > $tmp.out 2>/dev/null
+$sudo egrep '^type=(AVC|SELINUX).*pcp' $audit 2>/dev/null >$1.post-avc
+diff $1.pre-avc $1.post-avc \
+| sed -n -e '/> /s///p' >$tmp.out
 if [ -s $tmp.out ]
 then
-    echo "check.callback: fail: SELinux/AVC denials"
+    echo "check.callback: fail: new SELinux/AVC denials"
     cat $tmp.out
+    echo "after `wc -l <$1.post-avc` AVC errors"
     $abort && status=1
 fi
+rm -f $1.pre-avc $1.post-avc
 
 exit
diff --git a/qa/common b/qa/common
@@ -929,4 +929,39 @@ else
 	esac
 	x=`dirname $x`
     done
+
+    # if we have selinux, and it is enforcing then make sure the pcpqa
+    # policy module is installed
+    #
+    if which seinfo >/dev/null 2>&1
+    then
+	case `getenforce`
+	in
+	    Enforcing)
+		if $sudo semodule -l | grep pcpqa >/dev/null
+		then
+		    # nothing to do, module already installed
+		    # ... to force a re-install, e.g. after the module
+		    # has been updated, do
+		    # $ sudo semodule -r pcpqa
+		    # first
+		    #
+		    :
+		else
+		    $sudo semodule -i pcpqa.pp
+		fi
+		# and now any selinux booleans that help
+		#
+		for bool in pcp_read_generic_logs
+		do
+		    if $sudo getsebool $bool | grep ' --> off' >/dev/null
+		    then
+			$sudo setsebool $bool true
+		    fi
+		done
+		;;
+	    *)
+		;;
+	esac
+    fi
 fi
diff --git a/qa/pcpqa.te b/qa/pcpqa.te
@@ -0,0 +1,15 @@
+
+module pcpqa 1.0;
+
+require {
+	type user_home_t;
+	type pcp_pmcd_t;
+	class file { map write };
+}
+
+#============= pcp_pmcd_t ==============
+
+#type=AVC msg=audit(qa/255): avc:  denied  { map } for  pid=10604 comm="broken_pmda_2_0" path="/home/kenj/src/pcp/qa/pmdas/broken/broken_pmda_2_0" dev="dm-0" ino=295211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
+#type=AVC msg=audit(qa/255): avc:  denied  { map } for  pid=10701 comm="broken_pmda_2_0" path="/home/kenj/src/pcp/qa/pmdas/broken/broken_pmda_2_0" dev="dm-0" ino=295211 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
+#type=AVC msg=audit(qa/457): avc:  denied  { write } for  pid=31411 comm="457.pipe" name="457.pipe.pid" dev="dm-0" ino=295231 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t user_home_t:file { map write };
diff --git a/src/pmview/GNUmakefile b/src/pmview/GNUmakefile
@@ -24,7 +24,7 @@ HEADERS = $(CLASSES) modobj.h
 GENERATED = gram.cpp lex.cpp 
 LFILES = lex.l
 YFILES = gram.y
-LDIRT = $(COMMAND) $(WRAPPER) $(XMLFILE) $(GENERATED) gram.h y.tab.? images
+LDIRT = $(COMMAND) $(WRAPPER) $(XMLFILE) $(GENERATED) gram.h gram.c images
 
 SUBDIRS = front-ends
 
@@ -43,11 +43,11 @@ build-me:: $(SUBDIRS)
 lex.cpp:	lex.l
 	$(LEX) -t lex.l > $@
 
-gram.h y.tab.c:	gram.y
-	$(YACC) -d gram.y && cp y.tab.h gram.h
+gram.c gram.h:	gram.y
+	$(YACC) -d -b `basename $< .y` $< && mv gram.tab.h gram.h && mv gram.tab.c gram.c
 
-gram.cpp:	y.tab.c
-	cp y.tab.c $@
+gram.cpp:	gram.c
+	cp gram.c $@
 
 lex.o:	gram.h
 

diff --git a/src/selinux/README b/src/selinux/README
@@ -55,6 +55,22 @@ rather than the singular form
 
 as reported by audit2allow -m.
 
+Also, some of the "require" elements may be optional (not supported
+on all versions of selinux), so watch out for things like
+
+    @PCP_TRACEFS@
+
+which becomes
+
+    type tracefs_t;
+
+or
+
+    <nothing>
+
+and the corresponding conditional rules, like @PCP_TRACEFS_FS_RULE@,
+@PCP_TRACEFS_DIR_RULE@ and @PCP_TRACEFS_FILE_RULE@
+
 Now go further down src/selinux/pcpupstream.te.in and add the
 "allow" clause from audit2allow -m, prefixed by the full text of
 the matching AVC line from audit.log as a comment, so something like:

diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
@@ -121,7 +121,8 @@ allow pcp_pmcd_t user_home_t:file { execute execute_no_trans };
 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
 
 #type=AVC msg=audit(XXX.7): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
-allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
+#type=AVC msg=audit(XXX.68): avc:  denied  { map } for  pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
+allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read @PCP_HOSTNAME_EXEC_MAP@ };
 
 #type=AVC msg=audit(XXX.8): avc:  denied  { getattr open read unlink } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0
 allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
@@ -187,7 +188,8 @@ allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_tra
 #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
 #type=AVC msg=audit(YYY.30): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
 #type=AVC msg=audit(YYY.31): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
-# @PCP_TRACEFS_DIR_RULE@
+#type=AVC msg=audit(YYY.88): avc:  denied  { read } for  pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+@PCP_TRACEFS_DIR_RULE@
 
 #type=AVC msg=audit(YYY.32): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
 #type=AVC msg=audit(YYY.33): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0