Bug 2033504

Summary: AVC check fail for running perf
Product: Red Hat Enterprise Linux 9 Reporter: qding
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: lvrabec, mmalik, nknazeko, ssekidde, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 9.0Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.1.25-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 15:50:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description qding 2021-12-17 03:16:40 UTC 
Description of problem: AVC check fail for running perf

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.19-1.el9.noarch
----
time->Thu Dec 16 21:50:06 2021
type=PROCTITLE msg=audit(1639709406.688:556): proctitle=70657266007265636F7264002D650070726F62653A2A002D6F00706572662E64617461002D6152002D2D00696E6F7469667977616974002D650064656C657465002F746D702F706572665F66696C65
type=SYSCALL msg=audit(1639709406.688:556): arch=c000003e syscall=321 success=no exit=-13 a0=d a1=7ffd7aa60250 a2=80 a3=70 items=0 ppid=1920 pid=16771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perf" exe="/usr/bin/perf" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1639709406.688:556): avc:  denied  { prog_run } for  pid=16771 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=bpf permissive=0


beaker job: https://beaker.engineering.redhat.com/jobs/6104107
Comment 1 Milos Malik 2022-01-07 09:32:50 UTC 
Please re-run the automated tests in permissive mode (setenforce 0) and collect SELinux denials which will appear.

Thank you.
Comment 3 Milos Malik 2022-01-13 08:47:58 UTC 
The permissive mode did not reveal additional SELinux denials:
----
type=PROCTITLE msg=audit(01/10/2022 04:06:11.137:944) : proctitle=perf record -e probe:* -o perf.data -aR -- inotifywait -e delete /tmp/perf_file 
type=SYSCALL msg=audit(01/10/2022 04:06:11.137:944) : arch=x86_64 syscall=bpf success=yes exit=792 a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffdfc7c7150 a2=0x80 a3=0x7a items=0 ppid=2149 pid=22816 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/10/2022 04:06:11.137:944) : avc:  denied  { prog_run } for  pid=22816 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=bpf permissive=1 
----

The attached audit.log files also contain the already known SELinux denials generated by the sss_cache program.
Comment 4 Zdenek Pytela 2022-01-14 08:25:15 UTC 
Can you explain what is the purpose and effect of this command which appears to be in the test?

perf record -e probe:* -o perf.data -aR -- inotifywait -e delete /tmp/perf_file
Comment 5 qding 2022-01-14 09:18:48 UTC 
I use the tool [1] to do a performance test in which perf is used. To use perf tool it usually run "perf probe" to set some kernel functions probing, in my case it will run [2] first and then run perf record to save the calling of those kernel functions. It's hard to explain it clear in simple words. For details please see [3].

perf record -e probe:* -o perf.data -aR -- inotifywait -e delete /tmp/perf_file
-e probe: * means probe all the set functions
-o: the output file
-aR: options for perf record
inotifywait -e delete /tmp/perf_file: perf record will not be terminated until receiving inotify delete event for deleting file /tmp/perf_file.

[1] https://github.com/marceloleitner/perf-flower
[2] https://github.com/marceloleitner/perf-flower/blob/master/rate-monitor/perf-probes.sh
[3] https://man7.org/linux/man-pages/man1/perf.1.html
Comment 7 Zdenek Pytela 2022-02-09 08:50:26 UTC 
To backport:
commit 9a0c6ca3209e1562ccd337b50592be6b4a86157d (HEAD -> rawhide, upstream/rawhide)
Author: Nikola Knazekova <nknazeko>
Date:   Tue Feb 8 13:43:30 2022 +0100

    Allow unconfined to run virtd bpf
Comment 15 errata-xmlrpc 2022-05-17 15:50:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918