Bug 1381301

Summary: /var/run/pcp should be owned by the component
Product: Red Hat Enterprise Linux 7
Component: pcp
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Milos Malik <mmalik>
Assignee: Nathan Scott <nathans>
QA Contact: Michal Kolar <mkolar>
CC: brolley, fche, jzarsky, lberk, mbenitez, mgoodwin, mkolar, mprchlik, nathans, qe-baseos-tools-bugs
Fixed In Version: pcp-3.11.8-1.el7
Clone Of: 1381296
Last Closed: 2017-08-01 18:29:33 UTC
Type: Bug

Description Milos Malik 2016-10-03 15:49:20 UTC
+++ This bug was initially created as a clone of Bug #1381296 +++

Description of problem:
* there are many scripts which can create the /var/run/pcp directory
* unfortunately the SELinux policy is not able to confine all of them
* the result is that /var/run/pcp gets created with an incorrect label
* if the directory were owned by one of the pcp* packages, it would be created by rpm/yum during the RPM installation and it would be labeled correctly

Version-Release number of selected component (if applicable):
pcp-3.11.3-4.el7.x86_64

How reproducible:
* always

Steps to Reproduce:
# ls -dZ /var/run/pcp/
ls: cannot access /var/run/pcp/: No such file or directory
# yum -y -q install pcp\*
# ls -dZ /var/run/pcp/
drwxrwxr-x. pcp pcp unconfined_u:object_r:var_run_t:s0 /var/run/pcp/
# restorecon -Rv /var/run/pcp/
restorecon reset /var/run/pcp context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pcp_var_run_t:s0
#

Actual results:
# rpm -qf /var/run/pcp/
file /var/run/pcp is not owned by any package
#

Expected results:
* /var/run/pcp is owned by some pcp* package

Comment 2 Milos Malik 2017-04-05 13:18:16 UTC
The situation changed a bit since the bug was filed:

# rpm -qa pcp\*
pcp-3.11.8-3.el7.x86_64
pcp-conf-3.11.8-3.el7.x86_64
pcp-libs-3.11.8-3.el7.x86_64
pcp-selinux-3.11.8-3.el7.x86_64
# rpm -qf /var/run/pcp
pcp-3.11.8-3.el7.x86_64
#

The /var/run/pcp directory does not exist after installation of above-mentioned packages.

After the start of pmcd or pmproxy or pmwebd service the /var/run/pcp directory is present, but it is labeled incorrectly:

# ls -dZ /var/run/pcp
drwxrwxr-x. pcp pcp system_u:object_r:var_run_t:s0   /var/run/pcp
#

If the directory was created during the pcp* packages installation, it would be labeled correctly by yum or rpm.

Comment 3 Nathan Scott 2017-04-07 04:49:49 UTC
| The /var/run/pcp directory does not exist after installation of
| above-mentioned packages.

FWLIW, I just did an rpm erase, rm -fr /var/run/pcp, and a fresh rpm install, and that directory *does* exist.  Bizarre.  It must be tmpfs related somehow.

No matter - Lukas has come up with another way to fix this ... we'll want to backport his recent commit:

commit fb56481639ff5b73792a20d34dff3ac4e191a907
Author: Lukas Berk <lberk>
Date:   Thu Apr 6 15:36:18 2017 -0400

    RHBZ: 1381301 restore context to pcp_var_run_t after pmcd start
   
    pmcd makes /var/run/pcp on the fly, which gives /var/run/pcp
    var_run_t context (despite the default policy being pcp_var_run_t).
    If the command exists, just run restorecon on the directory after we
    make it.
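
The pattern the commit message describes (create the directory, then run restorecon only if the command exists), together with a check of `ls -dZ` output in the layout shown in this report, as an added shell example that is not code from PCP or from the commit. The names `RESTORECON`, `ensure_rundir`, `context_type` and `label_status` are hypothetical.

```shell
#!/bin/sh
# Added example (not the PCP rc script): create a runtime directory,
# relabel it when restorecon is available, and check a directory's type.

# RESTORECON is a hypothetical override so the logic can be exercised on
# hosts that have no SELinux tooling installed.
RESTORECON="${RESTORECON:-restorecon}"

# ensure_rundir DIR: mkdir -p, then restorecon only if the command exists.
# Prints "relabeled" or "skipped" so the caller can log what happened.
ensure_rundir() {
    dir=$1
    mkdir -p "$dir" || return 1
    if command -v "$RESTORECON" >/dev/null 2>&1; then
        "$RESTORECON" -R "$dir" || return 1
        echo relabeled
    else
        echo skipped
    fi
}

# context_type CONTEXT: extract the type field from user:role:type:level.
context_type() {
    echo "$1" | cut -d: -f3
}

# label_status LS_LINE EXPECTED_TYPE: parse one line of `ls -dZ` output in
# the RHEL 7 layout shown in this report (mode owner group context path)
# and report whether the type matches the expected one.
label_status() {
    ctx=$(echo "$1" | awk '{print $4}')
    actual=$(context_type "$ctx")
    if [ "$actual" = "$2" ]; then
        echo "ok $actual"
    else
        echo "mislabeled $actual"
    fi
}
```

Feeding `label_status` the `ls -dZ /var/run/pcp` line from Comment 2 with `pcp_var_run_t` as the expected type reports the directory as mislabeled with `var_run_t`.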

Comment 4 Michal Kolar 2017-05-24 12:10:34 UTC
Reproduced against pcp-3.11.3-4.el7 and verified against pcp-3.11.8-4.el7.

Comment 5 errata-xmlrpc 2017-08-01 18:29:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1968