sysprofd unable to access perf events #614

Closed
chergert opened this issue Feb 24, 2021 · 18 comments · Fixed by #722
Comments

@chergert

We use Sysprof all over the place in GNOME to do system profiling. I just updated to F34 today and it appears that sysprofd is now getting audit denials when trying to access perf.

Feb 23 16:52:45 fedora systemd[1]: Starting Sysprof Daemon...
Feb 23 16:52:45 fedora systemd[1]: Started Sysprof Daemon.
Feb 23 16:52:45 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysprof3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 23 16:52:45 fedora sysprofd[3681]: Acquired Bus Name: org.gnome.Sysprof3
Feb 23 16:52:45 fedora sysprofd[3681]: Acquired Bus Name: org.gnome.Sysprof2
Feb 23 16:52:45 fedora sysprofd[3681]: PerfEventOpen(pid=-1, cpu=0)
Feb 23 16:52:45 fedora audit[3681]: AVC avc:  denied  { confidentiality } for  pid=3681 comm="pool-sysprofd" lockdown_reason="unsafe use of perf" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
Feb 23 16:52:45 fedora audit[3665]: AVC avc:  denied  { read } for  pid=3665 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
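The journal excerpt above carries two different denials (a `lockdown` check against the daemon itself and a `perf_event` read check against the client). A small parser that turns such lines into (source type, target type, class, permission) tuples makes it easier to see which rule is missing and which `sesearch` query verifies it. This is an added example, not code from the issue or from selinux-policy; the sample input is the AVC lines from this issue, embedded as a constructed string, and the function names are the example's own.

```python
"""Summarise SELinux AVC denials from journal lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the AVC-bearing lines from this issue's first post.
SAMPLE_JOURNAL = """\
Feb 23 16:52:45 fedora sysprofd[3681]: PerfEventOpen(pid=-1, cpu=0)
Feb 23 16:52:45 fedora audit[3681]: AVC avc:  denied  { confidentiality } for  pid=3681 comm="pool-sysprofd" lockdown_reason="unsafe use of perf" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
Feb 23 16:52:45 fedora audit[3665]: AVC avc:  denied  { read } for  pid=3665 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
"""

# "avc:  denied  { read write } for  key=value ..." (spacing in the kernel output varies)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted and then contain spaces (lockdown_reason="...")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    result: str
    perms: tuple
    comm: str
    source: str       # type component of scontext
    target: str       # type component of tcontext
    tclass: str
    permissive: bool
    reason: str       # lockdown_reason, if present


def context_type(ctx):
    """Return the type field (user:role:type[:range]) of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one journal/audit line; return an Avc or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        result=m.group("result"),
        perms=tuple(m.group("perms").split()),
        comm=kv.get("comm", "?"),
        source=context_type(kv.get("scontext", "?")),
        target=context_type(kv.get("tcontext", "?")),
        tclass=kv.get("tclass", "?"),
        permissive=kv.get("permissive") == "1",
        reason=kv.get("lockdown_reason", ""),
    )


def summarise(text):
    """Count denials per (source, target, class, permission) tuple across all lines."""
    counts = Counter()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        for perm in avc.perms:
            counts[(avc.source, avc.target, avc.tclass, perm)] += 1
    return dict(counts)


def sesearch_query(key):
    """The sesearch invocation that shows whether the loaded policy already allows this tuple."""
    source, target, tclass, perm = key
    return f"sesearch -A -s {source} -t {target} -c {tclass} -p {perm}"


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_JOURNAL).items()):
        print(f"{n:3d}x {key}  ->  {sesearch_query(key)}")
```

Grouping by the type fields rather than the full contexts is deliberate: the MLS range (`s0-s0:c0.c1023`) and the user/role prefixes do not matter for a type-enforcement `allow` rule, so they only add noise when counting.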
@zpytela
Contributor

zpytela commented Feb 24, 2021

@WOnder93 I'd appreciate if you could take a look at the second denial: unconfined_t wants to read unconfined_service_t - is this expected?

@WOnder93
Member

The perf event is represented by a file descriptor, which can be passed between processes (e.g. via a UNIX socket or DBus). A perf event has a label, which is inherited from the creating process at the time of creation.

My guess is that the sysprofd service opens the event fd and sends it to "client" processes (in this case it was sysprof started from a user session) upon request, which then read records from it. I think we can safely add a rule allowing unconfined_t to read from events created by other processes (domain), which would cover this case.

@chergert
Author

You are correct in your description of how this works. Sysprof/Sysprof-cli use the daemon to get elevated access to perf_event FDs.

@chergert
Author

What should we tell users to do on F34 to get this working? I'd like to avoid telling them to disable selinux altogether.

@zpytela
Contributor

zpytela commented Mar 17, 2021

@chergert unless somebody writes a PR earlier, I should fix it in some 2 weeks' time; as a prerequisite, a new interface needs to be created.

zpytela added a commit to zpytela/selinux-policy that referenced this issue May 6, 2021
Perf events are represented by a file descriptor which can be passed
between processes, e.g. via a UNIX socket or DBus. The perf event's
label is inherited from the creating process at the time of creation.

This permission is required for sysprof, executed from command line,
to get elevated access to perf_event file descriptors provided by
sysprofd daemon which had created the perf_event file descriptors and
passed them to the client.

Resolves: fedora-selinux#614
zpytela added a commit to zpytela/selinux-policy that referenced this issue May 6, 2021
Perf events are represented by a file descriptor which can be passed
between processes, e.g. via a UNIX socket or DBus. The perf event's
label is inherited from the creating process at the time of creation.

This permission is required for sysprof, executed from command line,
to get elevated access to perf_event file descriptors provided by
sysprofd daemon which had created the perf_event file descriptors and
passed them to the client.

The domain_read_perf_event_all_domains() interface was added.

Resolves: fedora-selinux#614
zpytela added a commit that referenced this issue May 6, 2021
Perf events are represented by a file descriptor which can be passed
between processes, e.g. via a UNIX socket or DBus. The perf event's
label is inherited from the creating process at the time of creation.

This permission is required for sysprof, executed from command line,
to get elevated access to perf_event file descriptors provided by
sysprofd daemon which had created the perf_event file descriptors and
passed them to the client.

The domain_read_perf_event_all_domains() interface was added.

Resolves: #614
@zpytela
Contributor

zpytela commented May 6, 2021

@chergert, there are now 2 PRs to address the issue. I am sorry for the delay; it should be included in the very next build.
#722
#723

The build in the second PR (build-rpm - details - artifacts) can be used for testing, especially to find out if some other permission is needed.

The lockdown permission is allowed since selinux-policy-34.4-1.

@chergert
Author

chergert commented May 6, 2021

Thanks!

@YaLTeR

YaLTeR commented May 16, 2021

F34 Silverblue, selinux-policy-34.7-1.fc34.noarch

Seems like sysprof is still unable to capture stack traces:

мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=0)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=1)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=2)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=3)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=4)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=5)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=6)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
мая 16 07:49:24 sysprofd[10621]: PerfEventOpen(pid=-1, cpu=7)
мая 16 07:49:24 audit[10580]: AVC avc:  denied  { read } for  pid=10580 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0

@zpytela
Contributor

zpytela commented May 17, 2021

@YaLTeR, can you install setools-console and run the following commands? I see the permissions allowed with selinux-policy-34.6-1 and newer.

# sesearch -A -s unconfined_t -t unconfined_service_t -c perf_event -p read
allow unconfined_t domain:perf_event { read write };
# seinfo -xt unconfined_service_t

Types: 1
   type unconfined_service_t, can_read_shadow_passwords, can_write_shadow_passwords, can_relabelto_shadow_passwords, can_change_object_identity, can_load_kernmodule, can_load_policy, can_setbool, can_setenforce, can_setsecparam, corenet_unconfined_type, corenet_unlabeled_type, devices_unconfined_type, domain, files_unconfined_type, filesystem_unconfined_type, kern_unconfined, named_filetrans_domain, process_uncond_exempt, selinux_unconfined_type, storage_unconfined_type, unconfined_domain_type, dbusd_unconfined, sepgsql_unconfined_type, can_relabelto_binary_policy, userdom_filetrans_type, x_domain, xserver_unconfined_type;

Can you also confirm the latest selinux-policy package version was installed before these audit records were audited?
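
The `sesearch` output above is answered through an attribute: the rule names `domain` as its target, and the `seinfo -xt` listing shows that `unconfined_service_t` carries the `domain` attribute, so the rule covers the denied tuple. The check below reproduces that reasoning over the two tool outputs. It is an added example, not code from the issue or from selinux-policy; the sample outputs are the ones quoted in this comment, embedded as constructed strings, and the function names are the example's own. It parses the on-disk/queried policy only, which is exactly why a denial can persist when the loaded policy differs from what `sesearch` sees.

```python
"""Check whether allow rules (sesearch -A) cover a denied tuple, expanding type attributes (added example)."""
import re

# Constructed sample: the two tool outputs quoted in this comment.
SESEARCH_OUT = "allow unconfined_t domain:perf_event { read write };\n"
SEINFO_OUT = """\
Types: 1
   type unconfined_service_t, can_read_shadow_passwords, can_write_shadow_passwords, can_relabelto_shadow_passwords, can_change_object_identity, can_load_kernmodule, can_load_policy, can_setbool, can_setenforce, can_setsecparam, corenet_unconfined_type, corenet_unlabeled_type, devices_unconfined_type, domain, files_unconfined_type, filesystem_unconfined_type, kern_unconfined, named_filetrans_domain, process_uncond_exempt, selinux_unconfined_type, storage_unconfined_type, unconfined_domain_type, dbusd_unconfined, sepgsql_unconfined_type, can_relabelto_binary_policy, userdom_filetrans_type, x_domain, xserver_unconfined_type;
"""

# "allow SRC TGT:CLASS { p1 p2 };" or "allow SRC TGT:CLASS p1;"
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?));\s*$")
# "type NAME, attr1, attr2, ...;" as printed by seinfo -xt
TYPE_RE = re.compile(r"^\s*type\s+(\w+)(?:,\s*([^;]*))?;")


def parse_allow_rules(text):
    """Return [(source, target, class, frozenset(perms))] for every allow rule in sesearch output."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        rules.append((m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules


def parse_type_attrs(text):
    """Return {type_name: set(attributes)} from seinfo -xt output."""
    attrs = {}
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            attrs[m.group(1)] = {a.strip() for a in m.group(2).split(",")} if m.group(2) else set()
    return attrs


def covering_rules(rules, attrs, src, tgt, tclass, perm):
    """Rules that allow (src, tgt, tclass, perm) once attributes on either side are expanded.

    A rule written against an attribute (e.g. target 'domain') applies to every type carrying
    that attribute; 'self' as target matches when source and target types are the same.
    """
    src_names = {src} | attrs.get(src, set())
    tgt_names = {tgt} | attrs.get(tgt, set())
    if src == tgt:
        tgt_names.add("self")
    return [r for r in rules
            if r[0] in src_names and r[1] in tgt_names and r[2] == tclass and perm in r[3]]


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUT)
    attrs = parse_type_attrs(SEINFO_OUT)
    hits = covering_rules(rules, attrs, "unconfined_t", "unconfined_service_t", "perf_event", "read")
    print("covered by:", hits or "nothing in the queried policy")
```

Note that the attribute map has to come from the same policy that `sesearch` queried; if the denial still appears in enforcing mode with a covering rule found here, the next thing to confirm is that the kernel actually has that policy loaded, which is what the package and `sestatus` checks in this thread are for.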

@YaLTeR

YaLTeR commented May 17, 2021

┌ ~
└─ sesearch -A -s unconfined_t -t unconfined_service_t -c perf_event -p read
┌ ~
└─ seinfo -xt unconfined_service_t

Types: 1
   type unconfined_service_t, can_read_shadow_passwords, can_write_shadow_passwords, can_relabelto_shadow_passwords, can_change_object_identity, can_load_kernmodule, can_load_policy, can_setbool, can_setenforce, can_setsecparam, corenet_unconfined_type, corenet_unlabeled_type, devices_unconfined_type, domain, files_unconfined_type, filesystem_unconfined_type, kern_unconfined, named_filetrans_domain, process_uncond_exempt, selinux_unconfined_type, storage_unconfined_type, unconfined_domain_type, dbusd_unconfined, sepgsql_unconfined_type, can_relabelto_binary_policy, userdom_filetrans_type, x_domain, xserver_unconfined_type;
┌ ~
└─ rpm -q selinux-policy
selinux-policy-34.7-1.fc34.noarch

> Can you also confirm the latest selinux-policy package version was installed before these audit records were audited?

Yes.

@zpytela
Contributor

zpytela commented May 17, 2021

Is it possible the selinux-policy update failed, so it is still the old policy in place?

rpm -qa "selinux-policy*"
sestatus
ls -l /var/lib/selinux/tmp/

@YaLTeR

YaLTeR commented May 17, 2021

> Is it possible the selinux-policy update failed

Is that really possible on Silverblue? :)

┌ ~
└─ rpm -qa "selinux-policy*"
selinux-policy-34.7-1.fc34.noarch
selinux-policy-targeted-34.7-1.fc34.noarch
┌ ~
└─ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
┌ ~
└─ ls -l /var/lib/selinux/tmp/
┌ ~
└─ 

@YaLTeR

YaLTeR commented Jun 15, 2021

Still the same issue on selinux-policy-34.11-1.fc34.noarch.

@zpytela
Contributor

zpytela commented Jun 15, 2021

> Still the same issue on selinux-policy-34.11-1.fc34.noarch.

@YaLTeR Can you paste the avc denials and any additional information leading to triggering your issue?

@YaLTeR

YaLTeR commented Jun 15, 2021

I simply open Sysprof and start the capture. Then these messages appear in the journal, and upon stopping, the capture does not contain any stack traces.

июн 15 19:32:09 polkitd[958]: Operator of unix-session:2 successfully authenticated as unix-user:yalter to gain TEMPORARY authorization for action org.gnome.sysprof3.profile for system-bus-name::1.324 [sysprof] (owned by unix-user:yalter)
июн 15 19:32:09 sysprofd[98050]: Acquired Bus Name: org.gnome.Sysprof3
июн 15 19:32:09 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysprof3 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
июн 15 19:32:09 sysprofd[98050]: Acquired Bus Name: org.gnome.Sysprof2
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=0)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=1)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=2)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=3)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=4)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=5)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=6)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0
июн 15 19:32:09 sysprofd[98050]: PerfEventOpen(pid=-1, cpu=7)
июн 15 19:32:09 audit[96842]: AVC avc:  denied  { read } for  pid=96842 comm="sysprof" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=perf_event permissive=0

@YaLTeR

YaLTeR commented Jun 24, 2021

I did a clean F34 Silverblue install and here it works. Seems like something is broken in selinux policy updating then.

@WOnder93
Member

Hm... coreos/fedora-coreos-tracker#701 strikes again?

@YaLTeR

YaLTeR commented Jun 24, 2021

I did have one selinux override on my system.
