Bug 1381296

Summary: /var/run/pcp should be owned by the component
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: pcp
Assignee: pcp-maint <pcp-maint>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-tools-bugs
Severity: medium
Priority: medium
Version: 6.8
CC: brolley, fche, lberk, mbenitez, mgoodwin, mmalik, myllynen, nathans
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
: 1381301
Last Closed: 2017-12-06 10:18:30 UTC
Type: Bug

Description Milos Malik 2016-10-03 15:38:21 UTC
Description of problem:
* there are many scripts which can create /var/run/pcp directory
* unfortunately SELinux policy is not able to confine all of them
* result is that /var/run/pcp gets created with an incorrect label
* if the directory was owned by some of pcp* packages, it would be created by rpm/yum during the RPM installation and it would be labeled correctly

Version-Release number of selected component (if applicable):
pcp-3.10.9-6.el6.x86_64

How reproducible:
* always

Steps to Reproduce:
# ls -dZ /var/run/pcp/
ls: cannot access /var/run/pcp/: No such file or directory
# chkconfig pmcd on
# service pmcd start
Starting pmcd ... 
# service pmcd status
Checking for pmcd: running
# ls -dZ /var/run/pcp/
drwxrwxr-x. pcp pcp unconfined_u:object_r:var_run_t:s0 /var/run/pcp/
# restorecon -Rv /var/run/pcp/
restorecon reset /var/run/pcp context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pcp_var_run_t:s0
#

Actual results:
# rpm -qf /var/run/pcp/
file /var/run/pcp is not owned by any package
#

Expected results:
* /var/run/pcp is owned by some pcp* package
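
The check described in the report, as an added example that is not part of the original bug report or of pcp: it parses restorecon output in the format shown in the steps above and reports paths whose SELinux type differs from the policy default. The function names and the second sample line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the bug report or from pcp.
# Parses lines in the restorecon format shown in the report:
#   restorecon reset PATH context OLD->NEW
# and prints "PATH OLD_TYPE NEW_TYPE" when the SELinux type (third
# colon-separated field) differs. Other policycoreutils releases word
# this line differently; only the format quoted on this page is handled.
# Assumption: PATH itself does not contain the string " context ".

label_drift() {
    while IFS= read -r line; do
        case $line in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;                      # ignore unrelated output
        esac
        rest=${line#restorecon reset }
        path=${rest%% context *}                # text before " context "
        ctx=${rest#* context }                  # OLD->NEW
        old_type=$(printf '%s\n' "${ctx%%->*}" | cut -d: -f3)
        new_type=$(printf '%s\n' "${ctx#*->}" | cut -d: -f3)
        if [ "$old_type" != "$new_type" ]; then
            printf '%s %s %s\n' "$path" "$old_type" "$new_type"
        fi
    done
    return 0
}

# Sample input: the first line is quoted from the report; the second is
# constructed (only the SELinux user differs, so it is not type drift).
sample_output() {
    cat <<'EOF'
restorecon reset /var/run/pcp context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pcp_var_run_t:s0
restorecon reset /var/run/example context system_u:object_r:var_run_t:s0->unconfined_u:object_r:var_run_t:s0
EOF
}

# Live check for one directory (hypothetical helper; needs rpm and
# restorecon, so it is defined here but not called).
# -n makes restorecon report what it would change without relabeling.
audit_dir() {
    rpm -qf "$1" >/dev/null 2>&1 || echo "$1: not owned by any package"
    restorecon -nv "$1" 2>/dev/null | label_drift
}
```

Running `sample_output | label_drift` reports only /var/run/pcp, with var_run_t as the current type and pcp_var_run_t as the expected one.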

Comment 1 Nathan Scott 2016-10-03 23:20:56 UTC
Hi Milos,

(In reply to Milos Malik from comment #0)
> [...]
> * if the directory was owned by some of pcp* packages, it would be created
> by rpm/yum during the RPM installation and it would be labeled correctly

Would having this directory installed by RPM but tagged as %ghost be sufficient?

We stopped installing this directory (via pcp RPM) several years ago due to the switch to tmpfs for /var/run FWIW, but AIUI using %ghost may be an alternative.

thanks!

Comment 9 mbenitez 2017-03-08 19:40:08 UTC
Moving out to 6.10

Comment 11 Jan Kurik 2017-12-06 10:18:30 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/