pcp/redhat-bugzilla-2050094-bcc-selinux.patch


From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr <agerstmayr@redhat.com>
Date: Fri, 13 May 2022 13:47:50 +0200
Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
created by ctypes/libffi (#1593)
Resolves the following AVC:
type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
---
qa/1622 | 1 +
qa/917.out.in | 1 +
src/selinux/pcpupstream.te.in | 7 +++++++
3 files changed, 9 insertions(+)
diff --git a/qa/1622 b/qa/1622
index be7987e225..03ecc4eb42 100755
--- a/qa/1622
+++ b/qa/1622
@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" na
type=AVC msg=audit(YYY.25): avc: denied { read } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.26): avc: denied { open } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
# matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
diff --git a/qa/917.out.in b/qa/917.out.in
index 3bd1dc15e0..8b92c0c5ff 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -40,6 +40,7 @@ Checking policies.
allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
+ allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 673b178413..2c15c61ba3 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -39,6 +39,7 @@ require {
type pcp_pmlogger_t;
type pcp_pmproxy_t;
type pcp_tmp_t;
+ type pcp_tmpfs_t;
type pcp_var_lib_t;
type ping_exec_t; # pmda.netcheck
type postgresql_var_run_t;
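Review bot: The added `type pcp_tmpfs_t;` require line carries no annotation naming the PMDA that needs it, unlike the neighbouring `type ping_exec_t; # pmda.netcheck`; the only consumer this commit adds is the bcc PMDA's `can_exec(pcp_pmcd_t, pcp_tmpfs_t)` in the later hunk (which runs past the end of the view), so I would write `type pcp_tmpfs_t; # pmda.bcc (memfd:libffi via ctypes)`. It is also worth recording next to it that the grant is per-label, not per-file: the expected output in qa/917.out.in shows the macro expanding to `execute execute_no_trans getattr ioctl lock map open read` on every pcp_tmpfs_t file, which is wider than the single `execute` denial in the AVC the commit resolves, so denials on that tmpfs label from pcp_pmcd_t will no longer surface in audit logs for this domain.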
@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
#type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+#type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
+# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
+can_exec(pcp_pmcd_t, pcp_tmpfs_t)
+
# pmda.perfevent
#type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0