Bug 1901957

Summary: Add perf_event class to selinux-policy
Product: Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Keywords: Triaged
Reporter: Zdenek Pytela <zpytela>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Clones: 1901958
Bug Blocks: 1901958
Type: Bug
Last Closed: 2020-12-15 20:32:27 UTC

Description Zdenek Pytela 2020-11-26 13:32:23 UTC
Add perf_event class to selinux-policy and update policy rules for domains requiring this access.

Comment 1 Milos Malik 2020-11-27 09:36:45 UTC
Steps to Reproduce:
1) get a Fedora rawhide machine (targeted policy is active)
2) # semodule -c -E base
3) edit the base.cil file, add definition of the perf_event class and its permissions
4) # semodule -i base.cil
5) # perf record -o /dev/null echo test

The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:28:57.355:404) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:28:57.355:404) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x55ad1b744f40 a1=0x5bd a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1468 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:28:57.355:404) : avc:  denied  { open } for  pid=1468 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0 
----

The following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.293:406) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.293:406) : arch=x86_64 syscall=perf_event_open success=yes exit=5 a0=0x7ffca9094c10 a1=0xffffffff a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc:  denied  { cpu } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc:  denied  { open } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:407) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:407) : arch=x86_64 syscall=perf_event_open success=no exit=ENOENT(No such file or directory) a0=0x55647ebc8f40 a1=0x5c1 a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.295:407) : avc:  denied  { kernel } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:408) : proctitle=perf record -o /dev/null echo test 
type=MMAP msg=audit(11/27/2020 04:30:06.295:408) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:408) : arch=x86_64 syscall=mmap success=yes exit=139757389082624 a0=0x0 a1=0x81000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.295:408) : avc:  denied  { read } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.297:409) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.297:409) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x80082407 a2=0x7ffca9094c18 a3=0x1 items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.297:409) : avc:  denied  { write } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----

Comment 2 Ondrej Mosnacek 2020-11-27 09:44:51 UTC
(In reply to Milos Malik from comment #1)
> 2) # semodule -c -E base
> 3) edit the base.cil file, add definition of the perf_event class and its
> permissions
> 4) # semodule -i base.cil

Actually, you can replace these steps with just:

2) (echo '(class perf_event (open cpu kernel tracepoint read write))'; echo '(classorder (unordered perf_event))') >perf_event.cil
3) semodule -i perf_event.cil
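The denials in comment 1 and the one-line CIL module in comment 2 describe the same workflow a policy developer follows: collect the perf_event AVCs, then write the matching allow rules against the class declared in the module. The Python below is an added example, not code from this bug or from selinux-policy; its sample records are constructed from the contexts and permissions shown in comments 1 and 3, and it flags the enforcing-mode case where only the first denied permission (open) is logged, so the rule set derived from it would be incomplete.

```python
import re
from collections import defaultdict

# Fields audit2allow keys on: denied perms, contexts, class and permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# The perf_event class exactly as declared in comment 2's CIL snippet.
PERF_EVENT_PERMS = frozenset({"open", "cpu", "kernel", "tracepoint", "read", "write"})

def collect_denials(lines):
    """Map (source type, target type, class) -> denied perms, plus a flag set when
    any record came from enforcing mode: there the first denied check (open)
    aborts perf_event_open(), so the remaining perms are never logged."""
    needed = defaultdict(set)
    enforcing_seen = False
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL/PROCTITLE/MMAP records carry no verdict
        # The SELinux type is the third field of user:role:type[:range].
        src, tgt = (m[k].split(":")[2] for k in ("scontext", "tcontext"))
        needed[(src, tgt, m["tclass"])].update(m["perms"].split())
        enforcing_seen |= m["permissive"] == "0"
    return dict(needed), enforcing_seen

def cil_allow_rules(needed):
    """One CIL allow rule per tuple; refuse perms the class does not define."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        if cls == "perf_event" and not perms <= PERF_EVENT_PERMS:
            raise ValueError(f"not perf_event perms: {sorted(perms - PERF_EVENT_PERMS)}")
        target = "self" if src == tgt else tgt
        rules.append(f"(allow {src} {target} ({cls} ({' '.join(sorted(perms))})))")
    return rules

# Constructed sample records using the contexts and perms from comments 1 and 3.
def avc(perm, ctx, permissive):
    return (f"type=AVC : avc:  denied  {{ {perm} }} for  pid=1 comm=perf "
            f"scontext={ctx} tcontext={ctx} tclass=perf_event permissive={permissive}")

UNCONFINED = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
SYSADM = "sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023"
SAMPLE = [avc(p, UNCONFINED, 1) for p in ("cpu", "open", "kernel", "read", "write")]
SAMPLE.append(avc("open", SYSADM, 0))  # comment 3: confined root, enforcing mode
```

Run `collect_denials(SAMPLE)` and pass the mapping to `cil_allow_rules` to get `(allow unconfined_t self (perf_event (cpu kernel open read write)))` and `(allow sysadm_t self (perf_event (open)))`; the second is only the first check that failed, which is why the enforcing flag comes back set. Generated rules are a starting point for a policy patch and still need to be checked against what the domain should legitimately be allowed to do.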

Comment 3 Milos Malik 2020-11-27 12:08:45 UTC
If the root user is confined (sysadm_*), then the SELinux denials look this way:
----
type=AVC msg=audit(11/27/2020 11:58:58.297:982) : avc:  denied  { open } for  pid=10805 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=perf_event permissive=0 
----

Comment 6 Zdenek Pytela 2020-12-02 19:02:43 UTC
The unified https://github.com/fedora-selinux/selinux-policy/pull/489 PR was tested with a zpytela/selinux-policy copr build on F34 and the following tests pass without a related AVC:

selinux/selinux-policy/perf_event-and-related
pcp/PMDAs/perfevent
pcp/Install/sos-report