Bug 1908817

Summary: openvswitch requires perf_event open SELinux permission
Product: Fedora
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 34
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Clones: 1916046
Last Closed: 2021-09-21 18:27:34 UTC
Type: Bug
Bug Blocks: 1916046

Description Zdenek Pytela 2020-12-17 17:03:55 UTC
Description of problem:
With the perf_event class introduced into the policy when bz#1901957 was resolved, openvswitch starts to require the perf_event open SELinux permission.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-12

How reproducible:
always

Steps to Reproduce:
1. start the openvswitch service
2. ausearch -i -m avc

Actual results:

----
type=PROCTITLE msg=audit(12/17/2020 11:46:49.641:483) : proctitle=ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --priv
type=SYSCALL msg=audit(12/17/2020 11:46:49.641:483) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x7ffc324f57d0 a1=0x0 a2=0xffffffff a3=0xffffffff items=0 ppid=3434 pid=3435 auid=unset uid=openvswitch gid=hugetlbfs euid=openvswitch suid=openvswitch fsuid=openvswitch egid=hugetlbfs sgid=hugetlbfs fsgid=hugetlbfs tty=(none) ses=unset comm=ovsdb-server exe=/usr/sbin/ovsdb-server subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(12/17/2020 11:46:49.641:483) : avc:  denied  { open } for  pid=3435 comm=ovsdb-server scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=perf_event permissive=0

Expected results:
<>

Additional info:
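Added example, not part of this report or of the selinux-policy project: a small parser that turns AVC records like the one quoted above into the minimal allow rule, the same reasoning a maintainer applies (or lets audit2allow apply) before writing the policy change. It uses the reported AVC line as input; the second AVC line and the abridged SYSCALL line are constructed here so the merge step has something to do. The resulting rule (allow openvswitch_t self:perf_event open;) is what the denial implies, not a copy of the merged PR's text.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The AVC record quoted in the bug description (copied from the report).
REPORTED_AVC = (
    "type=AVC msg=audit(12/17/2020 11:46:49.641:483) : avc:  denied  { open } for  "
    "pid=3435 comm=ovsdb-server scontext=system_u:system_r:openvswitch_t:s0 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=perf_event permissive=0"
)

# Constructed second denial (NOT from the report) so that merging is exercised.
CONSTRUCTED_AVC = (
    "type=AVC msg=audit(12/17/2020 11:46:49.642:484) : avc:  denied  { write } for  "
    "pid=3435 comm=ovsdb-server scontext=system_u:system_r:openvswitch_t:s0 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=perf_event permissive=0"
)

# Abridged copy of the report's SYSCALL record; it must be skipped by the parser.
SYSCALL_LINE = (
    "type=SYSCALL msg=audit(12/17/2020 11:46:49.641:483) : arch=x86_64 "
    "syscall=perf_event_open success=no exit=EACCES(Permission denied)"
)

SAMPLE_LOG = "\n".join([SYSCALL_LINE, REPORTED_AVC, CONSTRUCTED_AVC])


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    comm: str
    pid: int
    scontext: str
    tcontext: str
    tclass: str
    enforcing: bool  # permissive=0: the kernel really refused the call

    @property
    def stype(self) -> str:
        # user:role:type:level -> the type field is what policy rules name
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str):
    """Return an AvcDenial for a 'denied' AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=kv["comm"],
        pid=int(kv["pid"]),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        enforcing=kv.get("permissive", "0") == "0",
    )


def allow_rule(stype: str, target: str, tclass: str, perms) -> str:
    """Format a TE allow rule; braces only when more than one permission."""
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


def rules_from_log(text: str):
    """Collapse all denials in an ausearch dump into one rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # Identical source and target contexts collapse to 'self', as in the report.
        target = "self" if d.scontext == d.tcontext else d.ttype
        merged[(d.stype, target, d.tclass)].update(d.perms)
    return [allow_rule(s, t, c, sorted(p)) for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

Running the block prints the single merged rule for the sample log. For the reported line alone the output is `allow openvswitch_t self:perf_event open;`, which is the permission named in the commit title in Comment 4; whether the final policy grants it directly or through an interface is a detail of the PR, not of this example.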

Comment 1 Zdenek Pytela 2020-12-17 17:13:10 UTC
I've submitted a Fedora draft PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/522

Additional testing with selinux-policy/Regression/openvswitch-general hasn't shown any related additional permission requests.

We may need some functional testing in place.

Comment 4 Zdenek Pytela 2021-01-11 10:54:07 UTC
PR merged:
commit afe14e579f204486bb716b024fd05696a3aea067 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Dec 17 18:06:09 2020 +0100

    Allow openvswitch_t perf_event open permission

    Resolves: rhbz#1908817

Comment 5 Ben Cotton 2021-02-09 16:24:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.