HEX
Server: LiteSpeed
System: Linux CentOS-79-64-minimal 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
User: vishn3436 (5293)
PHP: 8.0.15
Disabled: NONE
$ pwd: /var/lib/pcp/selinux/
Upload Files
File: //var/lib/pcp/selinux/pcpupstream.te
module pcpupstream 4.3.2;

require {
        attribute domain;
        attribute userdomain;
        attribute file_type;
        attribute pcp_domain;
	type pcp_pmcd_t;
	type tmp_t;
	type init_t;
	type default_t;
	type gpmctl_t;
	type pcp_pmlogger_t;
	type pcp_pmlogger_exec_t;
	type pcp_var_lib_t;
	type pcp_log_t;
	type pcp_pmie_t;
	type pcp_pmproxy_t;
	type pcp_pmmgr_t;
	type pcp_tmp_t;
        type pcp_pmwebd_t;
	type pcp_pmie_exec_t; # pmdasummary
	type websm_port_t; # pmda.prometheus
        type system_cronjob_t;
        type user_home_t;
        type user_tmp_t;
        type debugfs_t;
        type nsfs_t; # filesys.used
        type unreserved_port_t;
        type hostname_exec_t;
        type tracefs_t;
        type haproxy_t;
        type haproxy_var_lib_t;
        type sysctl_fs_t; #RHBZ1505888
        type sysfs_t; #RHBZ1545245
        type modules_object_t; # pcp.lio, pcp.bcc
        type setfiles_exec_t;
        type mdadm_exec_t;
        type ndc_exec_t;
        type proc_mdstat_t;
        type numad_t;
        type glusterd_log_t;
        type sysctl_irq_t; #pmda.bcc
        type unconfined_t; #RHBZ1443632
        type unconfined_service_t;
        type configfs_t; #pcp.lio
        type ldconfig_exec_t;
        type sysctl_net_t;
        type proc_net_t; #RHBZ1517656
        type fsadm_exec_t;
	type kernel_t;
	type kmsg_device_t;
        type proc_kcore_t;
        type su_exec_t;
	
	
        class sem { unix_read associate getattr read };
	class lnk_file { read getattr };
	class file { append create execute execute_no_trans getattr setattr ioctl lock open read write unlink map };
	class dir { add_name open read search write getattr lock ioctl };
	class unix_stream_socket connectto;
	class capability { kill dac_override sys_ptrace net_admin chown sys_chroot ipc_lock ipc_owner sys_resource fowner sys_rawio fsetid };
	
	class cap_userns sys_ptrace; # pmdaproc
	class chr_file { open write };
	class fifo_file { getattr read open unlink lock ioctl }; # qa/455
	class process { signull signal execmem setrlimit ptrace }; #RHBZ1443632
	class sock_file { getattr write }; #RHBZ1449671, RHBZ1449671
	class tcp_socket { name_bind name_connect };
	class shm { unix_read associate getattr read };
	class filesystem mount;
	class blk_file { ioctl open read };
	class msgq { unix_read };
        class unix_dgram_socket { sendto };
        class dbus { send_msg };
        class bpf { map_create map_read map_write prog_load prog_run };
	class system { module_request };
}

#============= init_t ==============
# type=AVC msg=audit(YYY.1): avc:  denied  { read } for  pid=21999 comm="pmcd" name="pmcd" dev="dm-1" ino=936441 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_log_t:s0 tclass=dir permissive=0
allow init_t pcp_log_t:dir read;

allow init_t pcp_log_t:file getattr;

# type=AVC msg=audit(YYY.2): avc:  denied  { getattr } for  pid=21999 comm="pmcd" path="/var/lib/pcp/pmns/root" dev="dm-1" ino=945382 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
allow init_t pcp_var_lib_t:dir { add_name read write };

#type=AVC msg=audit(YYY.3): avc:  denied  { execute } for  pid=21999 comm="pmcd" name="Rebuild" dev="dm-1" ino=937158 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=0
# execute

allow init_t pcp_var_lib_t:file { append create execute execute_no_trans getattr ioctl open read write };

allow init_t pcp_var_lib_t:lnk_file read;

# type=AVC msg=audit(YYY.4): avc:  denied  { open } for  pid=21901 comm="pmcd" path="/var/tmp/pcp.sQReBLg6R/pcp.env.path" dev="dm-1" ino=930323 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
#
allow init_t tmp_t:file open;

#type=USER_AVC msg=audit(YYY.5): pid=775 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.14778 spid=1 tpid=19555 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
allow init_t system_cronjob_t:dbus send_msg;


#============= pcp_pmcd_t ==============

#SYN AVC for testing
#type=AVC msg=audit(XXX.4): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
allow pcp_pmcd_t user_home_t:file { execute execute_no_trans };

#type=AVC msg=audit(XXX.6): avc:  denied  { append getattr ioctl open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };

#type=AVC msg=audit(XXX.7): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(XXX.68): avc:  denied  { map } for  pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read map };

#type=AVC msg=audit(XXX.8): avc:  denied  { getattr open read unlink } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=fifo_file permissive=0
allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131

#type=AVC msg=audit(XXX.9): avc:  denied  { getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file permissive=0
allow pcp_pmcd_t proc_kcore_t:file getattr;

#type=AVC msg=audit(YYY.11): avc:  denied  { sys_chroot kill sys_resource } for  pid=25873 comm="pmdalinux" capability=18  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
#type=AVC msg=audit(YYY.87): avc:  denied  { chown } for  pid=8999 comm="pmdasimple" capability=0  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
allow pcp_pmcd_t self:capability { sys_chroot kill sys_resource ipc_lock chown };


#type=AVC msg=audit(YYY.12): avc:  denied  { read } for  pid=29112 comm="pmdalinux" dev="nsfs" ino=4026532454 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
allow pcp_pmcd_t nsfs_t:file { read open };

#type=AVC msg=audit(YYY.13): avc:  denied  { name_bind } for  pid=7079 comm="pmdasimple" src=5650 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
#type=AVC msg=audit(YYY.14): avc:  denied  { name_connect } for  pid=29238 comm="pmcd" dest=5650 scontex =system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };

#type=AVC msg=audit(YYY.15): avc:  denied  { name_connect } for  pid=13816 comm="python3" dest=9090 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
allow pcp_pmcd_t websm_port_t:tcp_socket name_connect; # pmda.prometheus

#type=AVC msg=audit(YYY.21): avc:  denied  { execute } for  pid=8648 comm="sh" name="8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.22): avc:  denied  { execute_no_trans } for  pid=8648 comm="sh" path="/tmp/8641" dev="tmpfs" ino=246964 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmp_t:s0 tclass=file permissive=0
allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans map };

#type=AVC msg=audit(YYY.23): avc:  denied  { getattr } for  pid=8656 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.24): avc:  denied  { execute } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.25): avc:  denied  { read } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.26): avc:  denied  { open } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };

#type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
allow pcp_pmcd_t tracefs_t:filesystem mount;

#type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
#type=AVC msg=audit(YYY.30): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
#type=AVC msg=audit(YYY.31): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events" dev="tracefs" ino=176 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
#type=AVC msg=audit(YYY.88): avc:  denied  { read } for  pid=2023 comm="pmdakvm" name="kvm" dev="tracefs" ino=18541 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t tracefs_t:dir { search read open };

#type=AVC msg=audit(YYY.32): avc:  denied  { read } for  pid=22090 comm="pmdaperfevent" name="id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.33): avc:  denied  { open } for  pid=22090 comm="pmdaperfevent" path="/sys/kernel/debug/tracing/events/gfs2/gfs2_glock_state_change/id" dev="tracefs" ino=321619 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=file permissive=0
allow pcp_pmcd_t tracefs_t:file { getattr read open append write };

#type=AVC msg=audit(YYY.37): avc:  denied  { getattr } for  pid=YYYY comm="pmdaproc" path="/dev/gpmctl" dev="devtmpfs" ino=19750 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
allow pcp_pmcd_t gpmctl_t:sock_file getattr;

#type=AVC msg=audit(XXX.16): avc:  denied  { write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:haproxy_var_lib_t:s0 tclass=sock_file permissive=0
allow pcp_pmcd_t haproxy_var_lib_t:sock_file write;

#type=AVC msg=audit(YYY.34): avc:  denied  { write } for  pid=2967 comm="pmdaxfs" name="stats_clear" dev="proc" ino=87731 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
#RHBZ1505888
allow pcp_pmcd_t sysctl_fs_t:file write;

#type=AVC msg=audit(...): avc:  denied  { map } for  pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
allow pcp_pmcd_t ldconfig_exec_t:file map;

#RHBZ1545245
#type=AVC msg=audit(XXX.23): avc:  denied  { write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t sysfs_t:dir write;

# pmda.bcc
#type=AVC msg=audit(XXX.24): avc:  denied  { read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=lnk_file permissive=0
allow pcp_pmcd_t modules_object_t:lnk_file read;

#type=AVC msg=audit(XXX.26): avc:  denied  { execute execute_no_trans open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t mdadm_exec_t:file { execute execute_no_trans open read };

allow pcp_pmcd_t ndc_exec_t:file execute;

#type=AVC msg=audit(XXX.27): avc:  denied  { getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0
allow pcp_pmcd_t proc_mdstat_t:file { getattr open read };

#type=AVC msg=audit(YYY.35): avc:  denied  { unix_read } for  pid=1423 comm="pmdalinux" key=-559038737  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0
#type=AVC msg=audit(YYY.36): avc:  denied  { unix_read } for  pid=1423 comm="pmdalinux" key=-559038737  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=msgq permissive=0
allow pcp_pmcd_t numad_t:msgq unix_read;

#type=AVC msg=audit(XXX.28): avc:  denied  { open read write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=file permissive=0
allow pcp_pmcd_t glusterd_log_t:file { open read write };

#pmda.bcc
#type=AVC msg=audit(XXX.34): avc:  denied  { execmem setrlimit ptrace } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=process permissive=0
allow pcp_pmcd_t self:process { execmem setrlimit ptrace };

#type=AVC msg=audit(XXX.35): avc:  denied  { search } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t sysctl_irq_t:dir { search };

#RHBZ1633211, RHBZ1693332
allow pcp_pmcd_t self:bpf { map_create map_read map_write prog_load prog_run };

#type=AVC msg=audit(XXX.41): avc:  denied  { signull } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=process permissive=0
allow pcp_pmcd_t kernel_t:process signull;

# pmda-bcc needs the ability to read addresses in /proc/kallsyms


#RHBZ1690542
#type=AVC msg=audit(XXX.67): avc:  denied  { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
allow pcp_pmcd_t kernel_t:system module_request;

# type=AVC msg=audit(YYY.83): avc: denied { execute } for pid=19060 comm="zimbraprobe" name="su" dev="dm-0" ino=26416761 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
#pmdazimbra
allow pcp_pmcd_t su_exec_t:file { execute };

#============= pcp_pmlogger_t ==============
#type=AVC msg=audit(XXX.44): avc:  denied  { open write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=0
allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };

# type=AVC msg=audit(YYY.43): avc:  denied  { sys_ptrace } for  pid=21962 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability
#type=AVC msg=audit(XXX.45): avc:  denied  { kill } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
allow pcp_pmlogger_t self:capability { sys_ptrace fowner fsetid kill };

## type=AVC msg=audit(YYY.44) : avc:  denied  { signal } for  pid=28414 comm=pmsignal scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
allow pcp_pmlogger_t unconfined_t:process signal;

## type=AVC msg=audit(YYY.85): avc: denied { signal } for pid=31205 comm="pmsignal" scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
allow pcp_pmlogger_t unconfined_service_t:process signal;

#type=AVC msg=audit(XXX.68): avc: denied { setattr unlink } for pid=29153 comm="mv" name="pmlogger_check.log" dev="dm-0" ino=926794 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
allow pcp_pmlogger_t user_tmp_t:file { setattr unlink };

#type=AVC msg=audit(XXX.72): avc:  denied  { execute } for  pid=9634 comm="pmlogger_daily" name="setfiles" dev="dm-0" ino=34500334 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
allow pcp_pmlogger_t setfiles_exec_t:file execute;

#============= pcp_pmie_t ==============
#type=AVC msg=audit(XXX.49): avc:  denied  { execute execute_no_trans getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read map };


#type=AVC msg=audit(YYY.50): avc:  denied  { sys_ptrace } for  pid=30881 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
allow pcp_pmie_t self:capability { chown fowner dac_override kill net_admin sys_ptrace };

#RHBZ1517656
#type=AVC msg=audit(XXX.50): avc:  denied  { read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
allow pcp_pmie_t proc_net_t:file read;

#RHBZ1635394
#type=AVC msg=audit(YYY.66): avc:  denied  { sys_ptrace } for  pid=15683 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=cap_userns permissive=0
allow pcp_pmie_t self:cap_userns sys_ptrace;

#RHBZ1623988
#type=AVC msg=audit(YYY.65): avc:  denied  { signal } for  pid=3106 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
allow pcp_pmie_t unconfined_t:process signal;

## type=AVC msg=audit(YYY.86): avc: denied { signal } for pid=23951 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
allow pcp_pmie_t unconfined_service_t:process signal;

#============= pmda-lio ==============
#type=AVC msg=audit(XXX.55): avc:  denied  { open read search write } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
allow pcp_pmcd_t configfs_t:dir { open read search write };

#type=AVC msg=audit(XXX.56): avc:  denied  { getattr ioctl open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0
allow pcp_pmcd_t configfs_t:file { getattr ioctl open read };

#type=AVC msg=audit(XXX.57): avc:  denied  { getattr read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=lnk_file permissive=0
allow pcp_pmcd_t configfs_t:lnk_file { getattr read };

#type=AVC msg=audit(XXX.58): avc:  denied  { execute execute_no_trans getattr open read } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t ldconfig_exec_t:file { execute execute_no_trans getattr open read };

#============= pcp_pmproxy_t ==============
#type=AVC msg=audit(YYY.67) : avc: denied { net_admin } for pid=6669 comm=pmproxy capability=net_admin scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability
allow pcp_pmproxy_t self:capability { net_admin dac_override };

#type=AVC msg=audit(YYY.68) : avc: denied { read } for pid=6669 comm=pmproxy name=disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
#type=AVC msg=audit(YYY.69) : avc: denied { open } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
#type=AVC msg=audit(YYY.70) : avc: denied { getattr } for pid=9669 comm=pmproxy path=/proc/sys/net/ipv6/conf/all/disable_ipv6 dev="proc" ino=9994 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
allow pcp_pmproxy_t sysctl_net_t:file { getattr open read };

#type=AVC msg=audit(YYY.72): avc:  denied  { read } for  pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
#RHBZ1517656
allow pcp_pmproxy_t proc_net_t:file read;

#============= pcp_pmmgr_t ==============

#type=AVC msg=audit(YYY.73): avc:  denied  { name_bind } for  pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;

#type=AVC msg=audit(XXX.64): avc:  denied  { execute execute_no_trans open read getattr } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
allow pcp_pmmgr_t ldconfig_exec_t:file { execute execute_no_trans open read getattr };

#type=AVC msg=audit(XXX.69): avc:  denied  { dac_override } for  pid=3767 comm="pmmgr" capability=1  scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:system_r:pcp_pmmgr_t:s0 tclass=capability permissive=0
allow pcp_pmmgr_t self:capability dac_override;

#============= pmda-smart ==============

#type=AVC msg=audit(YYY.75): avc:  denied  { read } for  pid=8678 comm="sh" name="smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.76): avc:  denied  { open } for  pid=8678 comm="sh" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.77): avc:  denied  { execute_no_trans } for  pid=8678 comm="sh" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.78): avc:  denied  { execute } for  pid=8678 comm="sh" name="smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.79): avc:  denied  { getattr } for  pid=4770 comm="sh" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.80): avc:  denied  { map } for  pid=8678 comm="smartctl" path="/usr/sbin/smartctl" dev="dm-1" ino=2249815 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=1
#type=AVC msg=audit(YYY.81): avc:  denied  { sys_rawio } for  pid=8678 comm="smartctl" capability=17  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1

allow pcp_pmcd_t fsadm_exec_t:file { execute execute_no_trans getattr open read map };
 
#============= pmda-nvidia ==============
#type=AVC msg=audit(YYY.83): avc: denied { map } for pid=7034 comm="pmdanvidia" path="/usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
#type=AVC msg=audit(YYY.84): avc: denied { execute } for pid=19828 comm="pmdanvidia" path="//usr/lib64/libnvidia-ml.so" dev="dm-2" ino=16267329 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
allow pcp_pmcd_t default_t:file { map execute };

#type=AVC msg=audit(XXX.66): avc:  denied  { sys_rawio } for  pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
allow pcp_pmcd_t self:capability sys_rawio;

#============= pmda-rpm ==============
#type=AVC msg=audit(YYY.89): avc:  denied  { map } for  pid=4969 comm="pmdarpm" path="/var/lib/rpm/Name" dev="dm-0" ino=519186 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0


#============= pmda-libvirt ==============
#type=AVC msg=audit(YYY.90): avc:  denied  { write } for  pid=30922 comm="python3" name="libvirt-sock-ro" dev="tmpfs" ino=25845 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0


# permit pcp_pmcd_t domain to read all dirs,files and fifo_file in attribute file_type
files_list_non_auth_dirs(pcp_domain)
files_read_all_files(pcp_pmcd_t)
files_read_all_files(pcp_pmie_t)
files_read_all_files(pcp_pmlogger_t)
files_read_all_files(pcp_pmmgr_t)
files_read_all_files(pcp_pmproxy_t)
files_read_all_files(pcp_pmwebd_t)

allow pcp_domain file_type:fifo_file read_fifo_file_perms;

# permit pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
allow pcp_domain domain:shm r_sem_perms;
allow pcp_domain domain:sem r_shm_perms;
allow pcp_domain userdomain:shm r_sem_perms;
allow pcp_domain userdomain:sem r_shm_perms;

# permit pcp_domain stream connect to all domains
allow pcp_domain domain:unix_stream_socket connectto;

# permit pcp_domain to connect to all ports.
corenet_tcp_connect_all_ports(pcp_domain)

# all pcp_domain read access to all maps
@ Telegram