Bug 2070982
| Summary: | SELinux is preventing perf from using the 'bpf' capability | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Zdenek Pytela <zpytela> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 9.0 | CC: | lvrabec, mmalik, nknazeko, ssekidde | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 9.1 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-34.1.30-2.el9 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2070983 (view as bug list) | Environment: | ||
| Last Closed: | 2022-11-15 11:13:17 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2070983 | |||
This should be the required commit:
commit 0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b
Author: Zdenek Pytela <zpytela>
Date: Wed Jan 12 17:39:33 2022 +0100
Allow administrative users the bpf capability
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8283 |
Description of problem: SELinux is preventing perf from using the 'bpf' capability Version-Release number of selected component (if applicable): selinux-policy-34.1.27-1.el9.noarch How reproducible: always in the /CoreOS/selinux-policy/Regression/perf_event-and-related test Steps to Reproduce: Actual results: AVC denial is audited: ---- type=PROCTITLE msg=audit(04/01/2022 05:07:54.437:7828) : proctitle=perf record -o /dev/null echo test type=SYSCALL msg=audit(04/01/2022 05:07:54.437:7828) : arch=x86_64 syscall=bpf success=yes exit=0 a0=BPF_PROG_GET_NEXT_ID a1=0x7ffcf24e4f80 a2=0x80 a3=0x0 items=0 ppid=377113 pid=377114 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=136 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(04/01/2022 05:07:54.437:7828) : avc: denied { bpf } for pid=377114 comm=perf capability=bpf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 ---- Expected results: no denial Additional info: