Hello,
I am the package maintainer of the proftpd FTP server in Fedora/EPEL. I have recently been asked to add support for PCRE2-based regular expressions to proftpd (Bug #2158885), and doing this results in this AVC:
type=AVC msg=audit(1673174151.123:562134): avc: denied { execmem } for pid=2352865 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=process permissive=0
I believe that this is due to memory allocation in the PCRE2 JIT compiler, and has resulted in similar issues before (e.g. Bug #1290432, Bug #2122918). My understanding is that the PCRE2 regexp functionality in proftpd falls back to the slower regexp interpreter if the JIT compiler cannot be used, which I think is the best approach here, hence the request to dontaudit this denial rather than allowing execmem.
Ideally I'd like to update proftpd in F-37, Rawhide and EPEL-9 to support PCRE2, and it would be nice not to have these AVCs showing up. I appreciate that a policy update in RHEL9 would be needed to address this for the EPEL-9 package. Would I need to create a separate ticket for that?
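Added example, not part of the original report or of the selinux-policy sources: a small parser that reads the AVC record quoted above and derives the dontaudit rule the report asks for. The function names parse_avc and dontaudit_rule are hypothetical; the rule text uses standard SELinux policy syntax.

```python
import re

# The AVC record as quoted in the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1673174151.123:562134): avc: denied { execmem } '
    'for pid=2352865 comm="proftpd" '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the policy-relevant fields of an AVC denial, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': source,
        'target_type': target,
        'tclass': tclass,
        # permissive=0 means the access was actually blocked, not just logged.
        'enforced': fields.get('permissive') == '0',
    }


def dontaudit_rule(avc):
    """Build a rule that silences the denial without granting the permission."""
    # Policy uses "self" when a domain acts on its own process.
    target = 'self' if avc['source_type'] == avc['target_type'] else avc['target_type']
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"dontaudit {avc['source_type']} {target}:{avc['tclass']} {perms};"


if __name__ == '__main__':
    print(dontaudit_rule(parse_avc(SAMPLE_AVC)))
```

With this rule execmem stays denied for ftpd_t, so the JIT allocation still fails and the interpreter fallback described in the report is what runs; only the audit message is suppressed.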
Hello Paul, This seems to be a reasonable request for Fedora. Note there is an ongoing internal discussion about how to approach this issue in general, currently with no conclusion. For RHEL 9, a cloned bz is needed, but a prompt resolution cannot be expected.
Cloned bug for EL-9: Bug #2164434
Will this be included in F-37 too?