Description of problem:
We are enabling io_uring in RHEL 9.3 (see bug 2068237). By default, our selinux policy is preventing io_uring applications from working. Here is a snippet from the audit log:

type=AVC msg=audit(1681827274.832:197): avc: denied { map } for pid=27074 comm="iopoll-leak.t" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=64058 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

How do you recommend we address this?

Version-Release number of selected component (if applicable):
rhel-9.3.0

How reproducible:
100%

Steps to Reproduce:
1. Run an application that makes use of io_uring. This could be fio, fio's t/io_uring, or the liburing test suite.

Additional info:
Note that io_uring will be disabled by default. You can find the current proposed code here:
https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2375#note_1356018369

I would be happy to test any patches or updated packages. Thanks!

Should be as easy as backporting 34264caf2 ("Add the map permission to common_anon_inode_perm permission set") unless there were other interfering changes in Fedora in the meantime.
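
An added example, not part of the original bug thread: reading the AVC record quoted in the report to see which type-enforcement rule the policy lacks, which is the `map` permission on the `anon_inode` class that the suggested backport concerns. The function names (`parse_avc`, `selinux_type`, `missing_rule`) are assumptions made for this sketch; the log line is the one from the report.

```python
import re

# The denial quoted in the report above.
AVC_LINE = (
    'type=AVC msg=audit(1681827274.832:197): avc: denied { map } for pid=27074 '
    'comm="iopoll-leak.t" path="anon_inode:[io_uring]" dev="anon_inodefs" '
    'ino=64058 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0'
)

# "avc: denied { perm ... } for key=value ..."; whitespace runs vary between sources.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# Values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    """Extract the type from user:role:type:level (the level may contain colons)."""
    return context.split(":")[2]


def missing_rule(fields):
    """Express the denied access as the allow rule the loaded policy does not contain."""
    source = selinux_type(fields["scontext"])
    target = selinux_type(fields["tcontext"])
    if target == source:
        target = "self"  # policy shorthand for "same type as the source"
    perms = fields["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{fields['tclass']} {perm_text};"


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(record["comm"], record["path"], "enforced:", record["permissive"] == "0")
    print(missing_rule(record))
```

The printed rule only describes what was denied; whether to grant it in a local module or through a policy update such as the backport named above is a separate decision.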