From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr <agerstmayr@redhat.com>
Date: Fri, 13 May 2022 13:47:50 +0200
Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
 created by ctypes/libffi (#1593)

Resolves the following AVC:

    type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
---
 qa/1622                       | 1 +
 qa/917.out.in                 | 1 +
 src/selinux/pcpupstream.te.in | 7 +++++++
 3 files changed, 9 insertions(+)

diff --git a/qa/1622 b/qa/1622
index be7987e225..03ecc4eb42 100755
--- a/qa/1622
+++ b/qa/1622
@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc:  denied  { execute } for  pid=8656 comm="sh" na
 type=AVC msg=audit(YYY.25): avc:  denied  { read } for  pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
 type=AVC msg=audit(YYY.26): avc:  denied  { open } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
 type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
 type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
 # matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
 #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
diff --git a/qa/917.out.in b/qa/917.out.in
index 3bd1dc15e0..8b92c0c5ff 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -40,6 +40,7 @@ Checking policies.
   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
 ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
+  allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
 ! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
 ! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
 ! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 673b178413..2c15c61ba3 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -39,6 +39,7 @@ require {
 	type pcp_pmlogger_t;
 	type pcp_pmproxy_t;
 	type pcp_tmp_t;
+	type pcp_tmpfs_t;
 	type pcp_var_lib_t;
 	type ping_exec_t; # pmda.netcheck
 	type postgresql_var_run_t;
@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
 #type=AVC msg=audit(YYY.27): avc:  denied  { execute_no_trans } for  pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
 allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+#type=AVC msg=audit(YYY.787): avc:  denied  { execute } for  pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
+# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
+can_exec(pcp_pmcd_t, pcp_tmpfs_t)
+
 # pmda.perfevent
 #type=AVC msg=audit(YYY.28): avc:  denied  { mount } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
 #type=AVC msg=audit(YYY.29): avc:  denied  { search } for  pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
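Review bot: `can_exec(pcp_pmcd_t, pcp_tmpfs_t)` grants execute_no_trans (and, per the expected output added to qa/917.out.in, ioctl, lock, map, open and read) on every pcp_tmpfs_t file, which is wider than the single `{ execute }` permission denied in the quoted AVC. A memfd page that libffi maps PROT_EXEC appears to need only `execute` (plus `map` on policies that check it), so a narrower `allow pcp_pmcd_t pcp_tmpfs_t:file { execute map };` may be sufficient; whether libffi's mapping path also triggers `read` should be confirmed under permissive mode before narrowing. If can_exec is kept deliberately to mirror the fedora-selinux PR cited in the comment, a sentence saying so in the comment would spare the next reader the same question, and note that the neighbouring pcp_tmp_t rule above this hunk guards `map` behind @PCP_TMP_MAP@ whereas can_exec's expansion depends on the installed refpolicy. The hex path in the AVC decodes to `/memfd:libffi (deleted)`; adding `# path decodes to "/memfd:libffi (deleted)"` next to the quoted AVC avoids re-decoding it when this rule is revisited.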