From 04ac47e570c47cb1f953cf9d5f8cac2a656238e6 Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr <agerstmayr@redhat.com>
Date: Fri, 13 May 2022 13:47:50 +0200
Subject: [PATCH] selinux: allow bcc PMDA to execute its private memfd: objects
created by ctypes/libffi (#1593)
Resolves the following AVC:
type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050094
---
qa/1622 | 1 +
qa/917.out.in | 1 +
src/selinux/pcpupstream.te.in | 7 +++++++
3 files changed, 9 insertions(+)
diff --git a/qa/1622 b/qa/1622
index be7987e225..03ecc4eb42 100755
--- a/qa/1622
+++ b/qa/1622
@@ -78,6 +78,7 @@ type=AVC msg=audit(YYY.24): avc: denied { execute } for pid=8656 comm="sh" na
type=AVC msg=audit(YYY.25): avc: denied { read } for pid=8656 comm="sh" name="hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.26): avc: denied { open } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
+type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
# matching allow rule removed from pcpupstream.te.in by commit 276eb0fe 2019-02-22
#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
diff --git a/qa/917.out.in b/qa/917.out.in
index 3bd1dc15e0..8b92c0c5ff 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -40,6 +40,7 @@ Checking policies.
allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
+ allow [pcp_pmcd_t] [pcp_tmpfs_t] : [file] { execute execute_no_trans getattr ioctl lock map open read };
! allow [pcp_pmcd_t] [tracefs_t] : [filesystem] { mount };
! allow [pcp_pmcd_t] [tracefs_t] : [file] { append getattr open read write };
! allow [pcp_pmcd_t] [tracefs_t] : [dir] { open read search };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 673b178413..2c15c61ba3 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -39,6 +39,7 @@ require {
type pcp_pmlogger_t;
type pcp_pmproxy_t;
type pcp_tmp_t;
+ type pcp_tmpfs_t;
type pcp_var_lib_t;
type ping_exec_t; # pmda.netcheck
type postgresql_var_run_t;
@@ -199,6 +200,12 @@ allow pcp_pmcd_t pcp_tmp_t:file { execute execute_no_trans @PCP_TMP_MAP@ };
#type=AVC msg=audit(YYY.27): avc: denied { execute_no_trans } for pid=8657 comm="sh" path="/usr/bin/hostname" dev="dm-1" ino=1051243 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
allow pcp_pmcd_t hostname_exec_t:file { getattr execute read open execute_no_trans };
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050094
+#type=AVC msg=audit(YYY.787): avc: denied { execute } for pid=216047 comm="python3" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=919210 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_tmpfs_t:s0 tclass=file permissive=0
+# libffi (used by Python/ctypes) wants to execute from memfd:libffi (a memory mapped file)
+# similar to selinux-policy PR: https://github.com/fedora-selinux/selinux-policy/pull/1019
+can_exec(pcp_pmcd_t, pcp_tmpfs_t)
+
# pmda.perfevent
#type=AVC msg=audit(YYY.28): avc: denied { mount } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=filesystem permissive=0
#type=AVC msg=audit(YYY.29): avc: denied { search } for pid=22090 comm="pmdaperfevent" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
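Review bot: `can_exec(pcp_pmcd_t, pcp_tmpfs_t)` grants more than the comment above it describes: the expected output added in qa/917.out.in shows it expanding to { execute execute_no_trans getattr ioctl lock map open read } on every pcp_tmpfs_t file, not only the memfd:libffi object quoted in the AVC, so pmcd may now execute any file labelled pcp_tmpfs_t. The comment should state that scope, e.g. `# NOTE: can_exec() allows pcp_pmcd_t to execute/map ANY pcp_tmpfs_t file, not just the libffi memfd; do not widen what gets labelled pcp_tmpfs_t without revisiting this`. The pcp_tmp_t rule at the top of this hunk gates the map permission behind @PCP_TMP_MAP@, while this rule includes map unconditionally; if that substitution exists for policy versions without the map permission, confirm can_exec() expands acceptably on those versions too. The matching `type pcp_tmpfs_t;` require entry is in the earlier hunk of this file.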