Bug 1901957 - Add perf_event class to selinux-policy
Summary: Add perf_event class to selinux-policy
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Blocks: 1901958
Reported: 2020-11-26 13:32 UTC by Zdenek Pytela
Modified: 2021-01-12 18:34 UTC (History)

Last Closed: 2020-12-15 20:32:27 UTC
Type: Bug



Description Zdenek Pytela 2020-11-26 13:32:23 UTC
Add perf_event class to selinux-policy and update policy rules for domains requiring this access.

Comment 1 Milos Malik 2020-11-27 09:36:45 UTC
Steps to Reproduce:
1) get a Fedora rawhide machine (targeted policy is active)
2) # semodule -c -E base
3) edit the base.cil file, add definition of the perf_event class and its permissions
4) # semodule -i base.cil
5) # perf record -o /dev/null echo test

The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:28:57.355:404) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:28:57.355:404) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x55ad1b744f40 a1=0x5bd a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1468 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:28:57.355:404) : avc:  denied  { open } for  pid=1468 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0 
----

The following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.293:406) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.293:406) : arch=x86_64 syscall=perf_event_open success=yes exit=5 a0=0x7ffca9094c10 a1=0xffffffff a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc:  denied  { cpu } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
type=AVC msg=audit(11/27/2020 04:30:06.293:406) : avc:  denied  { open } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:407) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:407) : arch=x86_64 syscall=perf_event_open success=no exit=ENOENT(No such file or directory) a0=0x55647ebc8f40 a1=0x5c1 a2=0x0 a3=0xffffffff items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.295:407) : avc:  denied  { kernel } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.295:408) : proctitle=perf record -o /dev/null echo test 
type=MMAP msg=audit(11/27/2020 04:30:06.295:408) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(11/27/2020 04:30:06.295:408) : arch=x86_64 syscall=mmap success=yes exit=139757389082624 a0=0x0 a1=0x81000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.295:408) : avc:  denied  { read } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----
type=PROCTITLE msg=audit(11/27/2020 04:30:06.297:409) : proctitle=perf record -o /dev/null echo test 
type=SYSCALL msg=audit(11/27/2020 04:30:06.297:409) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x80082407 a2=0x7ffca9094c18 a3=0x1 items=0 ppid=1030 pid=1472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=4 comm=perf exe=/usr/bin/perf subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/27/2020 04:30:06.297:409) : avc:  denied  { write } for  pid=1472 comm=perf scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=1 
----

Comment 2 Ondrej Mosnacek 2020-11-27 09:44:51 UTC
(In reply to Milos Malik from comment #1)
> 2) # semodule -c -E base
> 3) edit the base.cil file, add definition of the perf_event class and its
> permissions
> 4) # semodule -i base.cil

Actually, you can replace these steps with just:

2) (echo '(class perf_event (open cpu kernel tracepoint read write))'; echo '(classorder (unordered perf_event))') >perf_event.cil
3) semodule -i perf_event.cil

Comment 3 Milos Malik 2020-11-27 12:08:45 UTC
If the root user is confined (sysadm_*), then the SELinux denials look like this:
----
type=AVC msg=audit(11/27/2020 11:58:58.297:982) : avc:  denied  { open } for  pid=10805 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=perf_event permissive=0 
----
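
An added example (not part of any comment above, and not the contents of PR 489): a small Python parser that groups AVC denials like those in comments 1 and 3 by source type, target type and class, emits the CIL allow rules they imply, and flags rules built only from enforcing-mode records, which comment 1 shows stop at the first denied permission. The records are constructed in the shape of the quoted ones; all function names are hypothetical.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*? scontext=(\S+) "
                    r"tcontext=(\S+) tclass=(\S+) permissive=([01])")

def avc(perm, dom, permissive):
    """Build a constructed AVC record shaped like the ones quoted in this bug."""
    ctx = f"{dom}_u:{dom}_r:{dom}_t:s0-s0:c0.c1023"
    return (f"type=AVC msg=audit(0.0:0) : avc:  denied  {{ {perm} }} for  pid=1 "
            f"comm=perf scontext={ctx} tcontext={ctx} tclass=perf_event "
            f"permissive={permissive}")

# Constructed sample mirroring comment 1 (unconfined_t) and comment 3 (sysadm_t).
SAMPLE = "\n".join(
    [avc("open", "unconfined", 0)]
    + [avc(p, "unconfined", 1) for p in ("cpu", "open", "kernel", "read", "write")]
    + [avc("open", "sysadm", 0)]
)

def collect(log):
    """Return ({(src, tgt, class): perms}, keys seen in permissive mode)."""
    needed, permissive_seen = defaultdict(set), set()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, SYSCALL, MMAP and separator lines
        perms, scon, tcon, tclass, permissive = m.groups()
        # An SELinux context is user:role:type:level; the type is field 3.
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        needed[key].update(perms.split())
        if permissive == "1":
            permissive_seen.add(key)
    return needed, permissive_seen

def to_cil(needed):
    """Render one CIL allow rule per (source, target, class) group."""
    return [f"(allow {s} {'self' if s == t else t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(needed.items())]

def enforcing_only(needed, permissive_seen):
    """Groups whose permission set is probably incomplete."""
    return sorted(k for k in needed if k not in permissive_seen)

if __name__ == "__main__":
    needed, seen = collect(SAMPLE)
    print("\n".join(to_cil(needed)))
    for key in enforcing_only(needed, seen):
        print("re-test in permissive mode:", key)
```

The sysadm_t group is flagged because its only record comes from enforcing mode, where the failed perf_event_open hides the later cpu, kernel, read and write checks.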

Comment 6 Zdenek Pytela 2020-12-02 19:02:43 UTC
The unified https://github.com/fedora-selinux/selinux-policy/pull/489 PR was tested with a zpytela/selinux-policy copr build on F34 and the following tests pass without a related AVC:

selinux/selinux-policy/perf_event-and-related
pcp/PMDAs/perfevent
pcp/Install/sos-report

