Bug 1901957
| Field | Value |
|---|---|
| Summary | Add perf_event class to selinux-policy |
| Product | Fedora |
| Reporter | Zdenek Pytela <zpytela> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Docs Contact | |
| Priority | high |
| Version | rawhide |
| CC | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela |
| Target Milestone | --- |
| Keywords | Triaged |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1901958 (view as bug list) |
| Environment | |
| Last Closed | 2020-12-15 20:32:27 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1901958 |
Description
Zdenek Pytela
2020-11-26 13:32:23 UTC
Steps to Reproduce:
1) get a Fedora rawhide machine (targeted policy is active)
2) # semodule -c -E base
3) edit the base.cil file, add definition of the perf_event class and its permissions
4) # semodule -i base.cil
5) # perf record -o /dev/null echo test

The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:28:57.355:404) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(11/27/2020 04:28:57.355:404) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x55ad1b744f40 a1=0x5bd a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1468 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/27/2020 04:28:57.355:404) : avc: denied { open } for pid=1468 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
----

The following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.293:406) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(11/27/2020 04:30:06.293:406) : arch=x86_64 syscall=perf_event_open success=yes exit=5 a0=0x7ffca9094c10 a1=0xffffffff a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc: denied { cpu } for pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc: denied { open } for pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:407) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:407) : arch=x86_64 syscall=perf_event_open success=no exit=ENOENT(No such file or directory) a0=0x55647ebc8f40 a1=0x5c1 a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/27/2020 04:30:06.295:407) : avc: denied { kernel } for pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:408) : proctitle=perf record -o /dev/null echo test
type=MMAP msg=audit(11/27/2020 04:30:06.295:408) : fd=5 flags=MAP_SHARED
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:408) : arch=x86_64 syscall=mmap success=yes exit=139757389082624 a0=0x0 a1=0x81000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/27/2020 04:30:06.295:408) : avc: denied { read } for pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.297:409) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(11/27/2020 04:30:06.297:409) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x80082407 a2=0x7ffca9094c18 a3=0x1 items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/27/2020 04:30:06.297:409) : avc: denied { write } for pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1
----

(In reply to Milos Malik from comment #1)
> 2) # semodule -c -E base
> 3) edit the base.cil file, add definition of the perf_event class and its
> permissions
> 4) # semodule -i base.cil

Actually, you can replace these steps with just:

2) (echo '(class perf_event (open cpu kernel tracepoint read write))'; echo '(classorder (unordered perf_event))') >perf_event.cil
3) semodule -i perf_event.cil

If the root user is confined (sysadm_*) then SELinux denials look this way:
----
type=AVC msg=audit(11/27/2020 11:58:58.297:982) : avc: denied { open } for pid=10805 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
----

I've submitted 3 Fedora PRs to add the perf_event support to policy:
https://github.com/fedora-selinux/selinux-policy/pull/489
https://github.com/fedora-selinux/selinux-policy/pull/491
https://github.com/fedora-selinux/selinux-policy/pull/491

The unified https://github.com/fedora-selinux/selinux-policy/pull/489 PR was tested with a zpytela/selinux-policy copr build on F34 and the following tests pass without a related AVC:
selinux/selinux-policy/perf_event-and-related
pcp/PMDAs/perfevent
pcp/Install/sos-report
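An added example (not part of the bug report or of the selinux-policy project) that parses AVC records like the ones above, aggregates the perf_event permissions denied per source/target type pair, flags the denials that actually blocked the caller (permissive=0), and renders the result as the CIL allow rules the policy needs. The sample records are taken from this bug; the PERF_EVENT_PERMS set is copied from the CIL class definition in the comment above, so any permission outside it is reported as unknown.

```python
import re
from collections import defaultdict

# Permissions of the perf_event class as defined in the CIL snippet in this bug.
PERF_EVENT_PERMS = {"open", "cpu", "kernel", "tracepoint", "read", "write"}

# Matches the AVC part of an ausearch -i record: "avc: denied { perms } for ... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Sample records copied from the bug report above (two contexts, enforcing and permissive runs).
U = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
S = "sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023"
SAMPLE_AUDIT = [
    "type=SYSCALL msg=audit(11/27/2020 04:28:57.355:404) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) comm=perf",
    f"type=AVC msg=audit(11/27/2020 04:28:57.355:404) : avc: denied {{ open }} for pid=1468 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=0",
    f"type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc: denied {{ cpu }} for pid=1472 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=1",
    f"type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc: denied {{ open }} for pid=1472 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=1",
    f"type=AVC msg=audit(11/27/2020 04:30:06.295:407) : avc: denied {{ kernel }} for pid=1472 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=1",
    f"type=AVC msg=audit(11/27/2020 04:30:06.295:408) : avc: denied {{ read }} for pid=1472 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=1",
    f"type=AVC msg=audit(11/27/2020 04:30:06.297:409) : avc: denied {{ write }} for pid=1472 comm=perf scontext={U} tcontext={U} tclass=perf_event permissive=1",
    f"type=AVC msg=audit(11/27/2020 11:58:58.297:982) : avc: denied {{ open }} for pid=10805 comm=perf scontext={S} tcontext={S} tclass=perf_event permissive=0",
]

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # user:role:type:range -> type
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"    # a missing field is treated as enforcing
    return d

def summarize(lines, tclass="perf_event"):
    """Aggregate denied permissions per (source type, target type) for one object class."""
    needed, enforced, unknown = defaultdict(set), [], set()
    for rec in filter(None, map(parse_avc, lines)):
        if rec["tclass"] != tclass:
            continue
        key = (rec["stype"], rec["ttype"])
        needed[key].update(rec["perms"])
        unknown.update(p for p in rec["perms"] if p not in PERF_EVENT_PERMS)
        if not rec["permissive"]:
            enforced.append((key, tuple(rec["perms"])))  # these denials broke the command
    return needed, enforced, unknown

def cil_rules(needed, tclass="perf_event"):
    """Render the aggregated requirements as CIL allow rules, one per type pair."""
    return [f"(allow {s} {t} ({tclass} ({' '.join(sorted(p))})))" for (s, t), p in sorted(needed.items())]

if __name__ == "__main__":
    needed, enforced, unknown = summarize(SAMPLE_AUDIT)
    print("\n".join(cil_rules(needed)))
    print("blocked in enforcing mode:", enforced, "unknown perms:", unknown)
```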