Bug 1477609

Summary: RFE: Provide sebooleans for PCP PMDAs
Product: [Fedora] Fedora
Reporter: Marko Myllynen <myllynen>
Component: pcp
Assignee: Lukas Berk <lberk>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: fche, lberk, mgoodwin, nathans, pcp
Last Closed: 2019-03-04 01:08:27 UTC
Type: Bug

Description Marko Myllynen 2017-08-02 13:14:57 UTC
Description of problem:
There have been great efforts upstream to provide SELinux compatibility for PCP PMDAs. However, the current approach is all-or-nothing, meaning that installing pcp-selinux will drop SELinux protections for any supported PMDA even if none or only one is needed.

It would be nice if SELinux booleans were available to control the SELinux / PMDA restrictions; on SELinux-enabled systems, PMDA Install/Remove scripts could transparently enable/disable these (and on non-SELinux systems ignore them). This would make the system more secure by not allowing access from pmcd to any other component except for those which have been enabled by the administrator.

Thanks.

Comment 1 Nathan Scott 2019-03-04 01:08:27 UTC
Discussed in pcp engr team.  While it's true that the policy package is currently "all or nothing", it is still appropriate because the PMDAs may still be used to collect metrics when not ./Install'd (local context mode).

Comment 2 Marko Myllynen 2019-03-04 06:47:03 UTC
(In reply to Nathan Scott from comment #1)
> Discussed in pcp engr team.  While it's true that the policy package is
> currently "all or nothing", it is still appropriate because the PMDAs may
> still be used to collect metrics when not ./Install'd (local context mode).

I won't reopen this, but let me mention that enabling/disabling possible SELinux booleans from Install/Upgrade/Remove scripts would be for user convenience; naturally, the booleans could be managed by the usual methods like getsebool(8)/setsebool(8), which would allow them to work in local context mode as well. Thanks.
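
A sketch of the convenience hook described in the request and in comment 2, as an added example that is not part of the bug thread or of PCP: a helper that a PMDA Install/Remove script could call. The `pcp_pmda_` boolean prefix and the function name `pmda_sebool` are hypothetical, since pcp-selinux defines no such booleans; `selinuxenabled`, `getsebool` and `setsebool -P` are the standard SELinux utilities.

```shell
#!/bin/sh
# Added example, not PCP code. Per-PMDA SELinux booleans do not exist in
# pcp-selinux; the naming scheme below is an assumption for illustration.
PMDA_BOOL_PREFIX="pcp_pmda_"   # hypothetical boolean prefix

# pmda_sebool NAME on|off
# Return codes:
#   0  boolean is in the requested state, or SELinux is absent/disabled
#   1  bad arguments
#   2  boolean is not defined in the loaded policy
#   3  setsebool failed (e.g. not running as root)
pmda_sebool() {
    pmda=$1
    state=$2

    # Accept only simple PMDA names so the boolean name stays well-formed.
    case $pmda in
        ''|*[!a-z0-9_]*) echo "pmda_sebool: bad PMDA name" >&2; return 1 ;;
    esac
    case $state in
        on|off) ;;
        *) echo "pmda_sebool: state must be on or off" >&2; return 1 ;;
    esac

    # Non-SELinux systems, or SELinux disabled: nothing to do, not an error.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        return 0
    fi

    bool="${PMDA_BOOL_PREFIX}${pmda}"

    # getsebool prints "name --> on|off" and fails for unknown booleans.
    current=$(getsebool "$bool" 2>/dev/null) || {
        echo "pmda_sebool: $bool is not defined in the loaded policy" >&2
        return 2
    }

    # Idempotent: skip the persistent policy rewrite if nothing changes.
    [ "${current##* }" = "$state" ] && return 0

    # -P persists the value across reboots, as an administrator would expect
    # from an Install/Remove script.
    setsebool -P "$bool" "$state" || return 3
}
```

An Install script would call `pmda_sebool <name> on` and the matching Remove script `pmda_sebool <name> off`; an administrator using a PMDA in local context mode without running ./Install would set the same boolean directly with setsebool(8).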

Comment 3 Nathan Scott 2019-03-04 07:22:16 UTC
Yep, agreed Marko.  However, this is not an area we'll be focussing our engr efforts going forward.

cheers.