Bug 2187745

Summary: io_uring requires mmap() of anonymous inodes
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.3
Status: VERIFIED
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Keywords: Reopened, Triaged
Type: Bug
Doc Type: Bug Fix
Reporter: Jeff Moyer <jmoyer>
Assignee: Nikola Knazekova <nknazeko>
QA Contact: Milos Malik <mmalik>
Docs Contact: Mirek Jahoda <mjahoda>
CC: lvrabec, mmalik, zpytela
Last Closed: 2023-05-18 15:09:51 UTC

Description Jeff Moyer 2023-04-18 15:15:32 UTC
Description of problem:
We are enabling io_uring in RHEL 9.3 (see bug 2068237).  By default, our selinux policy is preventing io_uring applications from working.  Here is a snippet from the audit log:

type=AVC msg=audit(1681827274.832:197): avc:  denied  { map } for  pid=27074 comm="iopoll-leak.t" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=64058 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

How do you recommend we address this?

Version-Release number of selected component (if applicable):
rhel-9.3.0

How reproducible:
100%

Steps to Reproduce:
1. Run an application that makes use of io_uring.  This could be fio, fio's t/io_uring, or the liburing test suite.

Additional info:

Note that io_uring will be disabled by default.  You can find the current proposed code here:
  https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2375#note_1356018369

I would be happy to test any patches or updated packages.

Thanks!

Comment 1 Zdenek Pytela 2023-04-18 15:26:40 UTC
Should be as easy as backporting
34264caf2 Add the map permission to common_anon_inode_perm permission set

unless there were other interfering changes in Fedora in the meantime.
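The triage step behind both the report and comment 1 is reading the AVC record: the denied permission is `map`, the class is `anon_inode`, and the target context carries the same type as the subject (`unconfined_t`), which is why the fix is a `self:anon_inode` permission added to the shared anon-inode permission set rather than a rule for one particular domain. The following Python is an added example, not code from this bug or from the selinux-policy project: it parses AVC records of the shape quoted in the description, derives the minimal `allow` rule that covers the denial, and reports which denied permissions fall outside a permission set you supply. The sample log embeds the AVC line from the description together with a constructed `type=SYSCALL` line, included only to show that non-AVC records are skipped; the permission set passed to `missing_perms` in the usage is constructed too, not the real contents of any policy macro.

```python
"""Parse SELinux AVC records (like the io_uring denial in this bug) and derive
the minimal allow rule that would have permitted the access."""
import re
from dataclasses import dataclass

# Constructed input: the AVC record quoted in the bug description, preceded by
# a constructed SYSCALL record (mmap, EACCES) to show unrelated lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1681827274.832:197): arch=c000003e syscall=9 success=no exit=-13 comm="iopoll-leak.t"
type=AVC msg=audit(1681827274.832:197): avc:  denied  { map } for  pid=27074 comm="iopoll-leak.t" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=64058 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0
"""

_AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str      # "denied" or "granted"
    perms: tuple     # permissions requested, e.g. ("map",)
    fields: dict     # remaining key=value pairs, quotes stripped

    def _ctx_type(self, key):
        # A context is user:role:type[:range]; the type is the third component.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._ctx_type("scontext")

    @property
    def target_type(self):
        return self._ctx_type("tcontext")

    @property
    def tclass(self):
        return self.fields["tclass"]

    @property
    def enforced(self):
        # permissive=0 means the kernel actually refused the access.
        return self.fields.get("permissive") == "0"


def parse_avc(line):
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), tuple(m.group("perms").split()), fields)


def parse_audit_log(text):
    """All AVC records in a block of audit output (e.g. from ausearch -m AVC)."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec is not None]


def suggest_allow_rule(rec):
    """Minimal TE allow rule covering the denial. When the target has the same
    type as the subject, as the anon_inode target in this bug does, the rule is
    written against `self`, which is the shape a shared permission-set fix takes."""
    target = "self" if rec.target_type == rec.source_type else rec.target_type
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {rec.source_type} {target}:{rec.tclass} {perms};"


def missing_perms(rec, granted):
    """Denied permissions not contained in `granted`, a set of permission names
    you obtained elsewhere (for example by querying the loaded policy with sesearch)."""
    return tuple(p for p in rec.perms if p not in granted)


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(rec.result, rec.perms, rec.fields.get("path"), "enforced" if rec.enforced else "permissive")
        print("  rule:", suggest_allow_rule(rec))
        # Constructed permission set, not the real contents of any policy macro.
        print("  missing from {create read write}:", missing_perms(rec, {"create", "read", "write"}))
```

For the record in the description this yields `allow unconfined_t self:anon_inode map;`, and `permissive=0` confirms the mmap() was actually refused rather than merely logged. A self-typed `anon_inode` denial like this one is the signal that the gap is in the common permission set every domain gets for its own anonymous inodes, not in one application's policy.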