Description of problem: There have been great efforts in upstream to provide SELinux compatibility for PCP PMDAs. However, the current approach is all-or-nothing, meaning that installing pcp-selinux will drop SELinux protections for any supported PMDA even if none or only one is needed. It would be nice if SELinux booleans would be available to control the SELinux / PMDA restrictions; on SELinux-enabled systems, PMDA Install/Remove scripts could transparently enable/disable these (and on non-SELinux systems ignore them). This would make the system more secure by not allowing access from pmcd to any other component except for those which have been enabled by the administrator. Thanks.
Discussed in pcp engr team. While it's true that the policy package is currently "all or nothing" it is still appropriate because the PMDAs may still be used to collect metrics when not ./Install'd (local context mode).
(In reply to Nathan Scott from comment #1)
> Discussed in pcp engr team. While it's true that the policy package is
> currently "all or nothing" it is still appropriate because the PMDAs may
> still be used to collect metrics when not ./Install'd (local context mode).

I won't reopen this, but let me mention that enabling/disabling possible SELinux booleans from Install/Upgrade/Remove scripts would be for user convenience; naturally, the booleans could be managed by the usual methods like getsebool(8)/setsebool(8), which would allow them to work in local context mode as well. Thanks.
Yep, agreed Marko. However, this is not an area we'll be focussing our engr efforts going forward. cheers.