Description of problem:
With the perf_event class introduced into the policy while resolving bz#1901957, openvswitch now requires the perf_event open SELinux permission.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.7-12

How reproducible:
always

Steps to Reproduce:
1. start the openvswitch service
2. ausearch -i -m avc

Actual results:
----
type=PROCTITLE msg=audit(12/17/2020 11:46:49.641:483) : proctitle=ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --priv
type=SYSCALL msg=audit(12/17/2020 11:46:49.641:483) : arch=x86_64 syscall=perf_event_open success=no exit=EACCES(Permission denied) a0=0x7ffc324f57d0 a1=0x0 a2=0xffffffff a3=0xffffffff items=0 ppid=3434 pid=3435 auid=unset uid=openvswitch gid=hugetlbfs euid=openvswitch suid=openvswitch fsuid=openvswitch egid=hugetlbfs sgid=hugetlbfs fsgid=hugetlbfs tty=(none) ses=unset comm=ovsdb-server exe=/usr/sbin/ovsdb-server subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(12/17/2020 11:46:49.641:483) : avc: denied { open } for pid=3435 comm=ovsdb-server scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=perf_event permissive=0

Expected results:
<>

Additional info:
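Worked example, added here and not part of the bug report or of the selinux-policy project: a small parser for the `ausearch -i` AVC record quoted in the report above, which derives the allow rule the denial implies, in both .te and CIL syntax. The sample record is copied from the report; the second sample in the test and the rule text produced are derived from the denial fields, not taken from PR #522, whose diff is not quoted on this page. Since scontext and tcontext carry the same type (openvswitch_t), the target collapses to `self`, as audit2allow would do.

```python
"""Parse an `ausearch -i -m avc` AVC record and derive the allow rule it implies.

Added example; not code from the bug report or from selinux-policy.
The sample record below is copied from the AVC quoted in this report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the AVC record quoted in this bug (ausearch -i output).
SAMPLE_AVC = (
    "type=AVC msg=audit(12/17/2020 11:46:49.641:483) : avc: denied { open } "
    "for pid=3435 comm=ovsdb-server "
    "scontext=system_u:system_r:openvswitch_t:s0 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=perf_event permissive=0"
)

# Shape of an -i formatted AVC: "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    comm: str
    stype: str        # type component of scontext, e.g. openvswitch_t
    ttype: str        # type component of tcontext
    tclass: str       # object class, e.g. perf_event
    permissive: bool  # True if the domain was permissive (action allowed, only logged)


def _type_of(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC line; return None for non-AVC records (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    try:
        return AvcDenial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            stype=_type_of(fields["scontext"]),
            ttype=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
            permissive=fields.get("permissive", "0") == "1",
        )
    except KeyError as e:
        raise ValueError(f"AVC record missing field {e}") from None


def _target(d: AvcDenial) -> str:
    # A denial whose target type equals the source type is written against `self`.
    return "self" if d.stype == d.ttype else d.ttype


def to_te_rule(d: AvcDenial) -> str:
    """Rule in .te (refpolicy) syntax: allow src tgt:class perm;"""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.stype} {_target(d)}:{d.tclass} {perms};"


def to_cil_rule(d: AvcDenial) -> str:
    """Same rule in CIL syntax, loadable directly with `semodule -i file.cil`."""
    return f"(allow {d.stype} {_target(d)} ({d.tclass} ({' '.join(d.perms)})))"


def rules_from_log(text: str) -> List[Tuple[str, str]]:
    """Walk a multi-record ausearch dump and collect one (te, cil) pair per AVC line."""
    out = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            out.append((to_te_rule(d), to_cil_rule(d)))
    return out


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(f"{d.comm} ({d.stype}) denied {d.perms} on {d.tclass}, permissive={d.permissive}")
    print(to_te_rule(d))   # allow openvswitch_t self:perf_event open;
    print(to_cil_rule(d))  # (allow openvswitch_t self (perf_event (open)))
```

Writing the CIL line to a file and running `semodule -i` on it is the usual local stopgap until a selinux-policy build carrying the fix lands; whether a denial deserves an allow rule or a dontaudit is a judgment call for each case, and the merged commit title on this bug records that allow was chosen here.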
I've submitted a Fedora draft PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/522
Additional testing with selinux-policy/Regression/openvswitch-general hasn't shown any related additional permission requests. We may need some functional testing in place.
PR merged:
commit afe14e579f204486bb716b024fd05696a3aea067 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Dec 17 18:06:09 2020 +0100

    Allow openvswitch_t perf_event open permission

    Resolves: rhbz#1908817
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.