Bug 1901958

Summary: Add perf_event class to selinux-policy
Product: Red Hat Enterprise Linux 8 Reporter: Zdenek Pytela <zpytela>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: high    
Version: 8.4CC: dwalsh, extras-qa, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 8.4   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: The perf_event class was added to selinux-policy. The permissions are allowed only to domains which need it, e. g. for the purposes of attaching BPF programs to tracepoints, perf profiling and other operations from userspace. These operations are intended for production systems. Reason: Softer grained control to the perf_event related system resources. Result: Now SELinux checks apply for domains instead of checking the system-wide kernel.perf_event_paranoid sysctl tunable.
 Story Points: ---
Clone Of: 1901957 Environment:
Last Closed: 2021-05-18 14:58:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1901957    
Bug Blocks:    

Description Zdenek Pytela 2020-11-26 13:33:53 UTC 
+++ This bug was initially created as a clone of Bug #1901957 +++

Add perf_event class to selinux-policy and update policy rules for domains requiring this access.
Comment 4 Zdenek Pytela 2020-12-09 18:05:22 UTC 
There is a Fedora PR to add the new class:
https://github.com/fedora-selinux/selinux-policy/pull/489
Comment 17 errata-xmlrpc 2021-05-18 14:58:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639