Bug 2187745 - io_uring requires mmap() of anonymous inodes
Summary: io_uring requires mmap() of anonymous inodes
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.3
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Nikola Knazekova
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-04-18 15:15 UTC by Jeff Moyer
Modified: 2023-07-12 11:49 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-18 15:09:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2025714 0 medium CLOSED SELinux is preventing qemu-system-x86 from 'map' accesses on the anon_inode anon_inode. 2023-05-19 15:58:31 UTC
Red Hat Issue Tracker RHELPLAN-155060 0 None None None 2023-04-18 15:17:18 UTC

Description Jeff Moyer 2023-04-18 15:15:32 UTC
Description of problem:
We are enabling io_uring in RHEL 9.3 (see bug 2068237).  By default, our selinux policy is preventing io_uring applications from working.  Here is a snippet from the audit log:

type=AVC msg=audit(1681827274.832:197): avc:  denied  { map } for  pid=27074 comm="iopoll-leak.t" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=64058 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

How do you recommend we address this?

Version-Release number of selected component (if applicable):
rhel-9.3.0

How reproducible:
100%

Steps to Reproduce:
1. Run an application that makes use of io_uring.  This could be fio, fio's t/io_uring, or the liburing test suite.

Additional info:

Note that io_uring will be disabled by default.  You can find the current proposed code here:
  https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2375#note_1356018369

I would be happy to test any patches or updated packages.

Thanks!

Comment 1 Zdenek Pytela 2023-04-18 15:26:40 UTC
Should be as easy as backporting
34264caf2 Add the map permission to common_anon_inode_perm permission set

unless there were other interfering changes in Fedora in the meantime.


Note You need to log in before you can comment on or make changes to this bug.