Bug 2161705

Summary: RFE: dontaudit execmem for ftpd_t
Product: [Fedora] Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Paul Howarth <paul>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Clones: 2164434
Last Closed: 2023-01-31 09:35:19 UTC
Type: Bug

Description Paul Howarth 2023-01-17 16:57:11 UTC
Hello,

I am the package maintainer of the proftpd FTP server in Fedora/EPEL. I have recently been asked to add support for PCRE2-based regular expressions to proftpd (Bug #2158885), and doing this results in this AVC:

type=AVC msg=audit(1673174151.123:562134): avc:  denied  { execmem } for  pid=2352865 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=process permissive=0

I believe that this is due to memory allocation in the PCRE2 JIT compiler, and has resulted in similar issues before (e.g. Bug #1290432, Bug #2122918).

My understanding is that the PCRE2 regexp functionality in proftpd falls back to the slower regexp interpreter if the JIT compiler cannot be used, which I think is the best approach here, hence the request to dontaudit this denial rather than allowing execmem.

Ideally I'd like to update proftpd in F-37, Rawhide and EPEL-9 to support PCRE2, and it would be nice not to have these AVCs showing up.

I appreciate that a policy update in RHEL9 would be needed to address this for the EPEL-9 package. Would I need to create a separate ticket for that?
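
The report above asks for a dontaudit rule rather than an allow rule. As an added example (not code from the bug report or from the selinux-policy project), the shell script below parses the AVC record quoted in the description, confirms it is a self-to-self execmem denial in the ftpd_t domain, and emits the source of a local policy module carrying exactly that dontaudit rule. The module name local_ftpd_execmem is a hypothetical name chosen for this example; checkmodule, semodule_package, semodule and ausearch are the standard SELinux userspace tools.

```shell
#!/bin/sh
# Added example, not code from the bug report: build a local SELinux policy
# module that dontaudits the execmem denial quoted in the description. The
# permission stays refused (so proftpd's PCRE2 code still falls back to the
# interpreter); only the audit record disappears. The module name
# "local_ftpd_execmem" is hypothetical.

# AVC record copied from the bug report, used here as sample input.
SAMPLE_AVC='type=AVC msg=audit(1673174151.123:562134): avc:  denied  { execmem } for  pid=2352865 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=process permissive=0'

# Print the value of one key=value field of an AVC record, without quotes.
# Usage: avc_field "$record" scontext
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 \
        | cut -d= -f2- | tr -d '"'
}

# Print the type component (third colon-separated field) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the permissions listed between "{ ... }" in an AVC record.
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# Return 0 if the record denies permission $4 on class $3 with both source
# and target type equal to $2, i.e. a denial that the rule
# "dontaudit $2 self:$3 $4;" would silence; return 1 otherwise.
matches_self_rule() {
    rec=$1; domain=$2; class=$3; perm=$4
    [ "$(ctx_type "$(avc_field "$rec" scontext)")" = "$domain" ] || return 1
    [ "$(ctx_type "$(avc_field "$rec" tcontext)")" = "$domain" ] || return 1
    [ "$(avc_field "$rec" tclass)" = "$class" ] || return 1
    for p in $(avc_permissions "$rec"); do
        [ "$p" = "$perm" ] && return 0
    done
    return 1
}

# Emit the source (.te) of a policy module containing only the dontaudit rule.
# Usage: dontaudit_te module_name domain class permission
dontaudit_te() {
    cat <<EOF
module $1 1.0;

require {
    type $2;
    class $3 $4;
}

# Silence the denial instead of granting it: the operation is still refused,
# but no AVC record is written to the audit log.
dontaudit $2 self:$3 $4;
EOF
}

# Compile and load the module; needs root and the policy toolchain installed.
install_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

MODULE=local_ftpd_execmem
DOMAIN=$(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)")   # ftpd_t
CLASS=$(avc_field "$SAMPLE_AVC" tclass)                    # process
PERM=$(avc_permissions "$SAMPLE_AVC")                      # execmem

# Only generate the rule when the record really is the self-denial we expect.
if matches_self_rule "$SAMPLE_AVC" "$DOMAIN" "$CLASS" "$PERM"; then
    dontaudit_te "$MODULE" "$DOMAIN" "$CLASS" "$PERM"
fi
```

Redirect the script's output to local_ftpd_execmem.te, then run install_module local_ftpd_execmem as root. To confirm the rule is effective, trigger the PCRE2 code path again and check that ausearch -m AVC -c proftpd -ts recent reports no new execmem denial; proftpd keeps working because the interpreter fallback the reporter describes does not need execmem.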

Comment 1 Zdenek Pytela 2023-01-17 18:41:10 UTC
Hello Paul,

This seems to be a reasonable request for Fedora. Note there is an ongoing internal discussion on how to approach this issue in general, currently with no conclusion.

For RHEL 9, a cloned bz is needed, but a prompt resolution cannot be expected.

Comment 2 Paul Howarth 2023-01-25 14:41:55 UTC
Cloned bug for EL-9: Bug #2164434

Comment 3 Paul Howarth 2023-01-31 11:44:46 UTC
Will this be included in F-37 too?