Created attachment 1792885
simple reproducer

I have a process that calls userfaultfd() and then passes that fd to another process over a UNIX socket with SCM_RIGHTS. This worked in Fedora 33 but in Fedora 34 it is blocked by the SELinux policy. I've attached a minimal reproducer. Works with SELinux disabled, fails with SELinux enabled, with:

type=AVC msg=audit(1624334426.556:18021): avc: denied { write } for pid=1271515 comm="test" path="anon_inode:[userfaultfd]" dev="anon_inodefs" ino=7593260 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1

Basically the problem seems to be that the fd is created read/write by the userfaultfd() syscall; then, when we transfer that fd, selinux_file_receive checks that all of the fd's mode bits are allowed, so it checks for read and write; but Fedora selinux-policy does not allow write for userfaultfd:
https://github.com/fedora-selinux/selinux-policy/commit/86327cca3c025dcd3f7b2a4fbe8c2d94c7780e88
I think probably 'write' should be allowed by that policy.
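The hand-off described in this report, written out as an added example in C (it is not the attached reproducer or any project's code): the sender passes the descriptor with SCM_RIGHTS, and the receiving recvmsg() is the point where the kernel's file_receive hook checks the descriptor's access mode, so an O_RDWR userfaultfd needs anon_inode 'write' under the Fedora 34 policy. The function names open_userfaultfd, send_fd, recv_fd, pass_fd and fd_access_mode are chosen here; whether the userfaultfd() call itself succeeds depends on the kernel's unprivileged-userfaultfd setting and on the SELinux policy in force.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* At the time of this report the kernel opened userfaultfds O_RDWR; -1 (errno set) if refused. */
int open_userfaultfd(void) {
#ifdef SYS_userfaultfd
    return (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
#endif
    return errno = ENOSYS, -1;
}

/* Sender: one payload byte plus the descriptor as SCM_RIGHTS; 0 on success. */
int send_fd(int sock, int fd) {
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver: the kernel's file_receive hook runs here and checks every access-mode bit of the
 * incoming fd, so an O_RDWR userfaultfd needs anon_inode 'write'. On denial the payload byte
 * still arrives but no descriptor is installed, and this returns -1 (the AVC above is logged). */
int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Round-trip any fd through an in-process socketpair; returns the received fd or -1. */
int pass_fd(int fd) {
    int sv[2], got = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (send_fd(sv[0], fd) == 0) got = recv_fd(sv[1]);
    close(sv[0]); close(sv[1]); return got;
}

int fd_access_mode(int fd) { return fcntl(fd, F_GETFL) & O_ACCMODE; } /* O_RDONLY/O_WRONLY/O_RDWR */
```

To reproduce the report, call open_userfaultfd() and hand its result to pass_fd(); fd_access_mode() on the userfaultfd shows the O_RDWR mode that the receive-side check expands into read and write.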
Thank you for the report and details, I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/789
Indeed, the userfaultfds are currently opened with O_RDWR. Yet, I think it should really be O_RDONLY, since the userfaultfd files don't implement the write op. I'll propose a patch to upstream kernel and we'll see what the maintainers think...
Kernel patch submitted: https://lore.kernel.org/linux-fsdevel/20210624152515.1844133-1-omosnace@redhat.com/T/
Thanks for proposing the kernel patch but I see that it was ignored.
As there is still no response to the kernel RFC patch, I've updated the previous PR and backported it:
https://github.com/fedora-selinux/selinux-policy/pull/917
We will see in the future if it is a temporary workaround which can be reverted.
FEDORA-2021-00891047cf has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-00891047cf
FEDORA-2021-00891047cf has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-00891047cf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-00891047cf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-00891047cf has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.