Description of problem:

From STIG, CIS server level 1 profile requires no service to run as "unconfined_service_t" SELinux type.
It appears 2 PCP components run as such:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
system_u:system_r:unconfined_service_t:s0 pcp 2673 0.0 0.0 94688 4772 ? Ss May04 0:00 /usr/libexec/pcp/bin/pmpause
system_u:system_r:unconfined_service_t:s0 pcp 2853 0.0 0.0 94688 4744 ? Ss May04 0:00 /usr/libexec/pcp/bin/pmpause

├─pmie_farm.service
│ └─2673 /usr/libexec/pcp/bin/pmpause
├─pmlogger_farm.service
│ └─2853 /usr/libexec/pcp/bin/pmpause
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens because the executables are labeled with "bin_t", which leads to the transition from "init_t" (child of systemd when becoming a service) to "unconfined_service_t".
These 2 executables are "service entrypoints", hence need to have a proper context.

It's possible the following contexts are suitable, but I cannot tell, maybe it's too loose:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

1. chcon -t pcp_pmie_exec_t /usr/libexec/pcp/bin/pmie_farm
2. chcon -t pcp_pmlogger_exec_t /usr/libexec/pcp/bin/pmlogger_farm
   • • • • • • • 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

pcp-selinux-5.3.7-7.el8

How reproducible:

Always

Steps to Reproduce:
1. Start "pmie_farm.service" and "pmlogger_farm.service"

Actual results:

"unconfined_service_t"

Expected results:

some other context