
src/selinux/pcp.te: Handle pmlogger perfmon AVCs #2231

Merged
merged 1 commit into from
Jul 13, 2025

Conversation

wcohen
Contributor

@wcohen wcohen commented Jul 3, 2025

On Fedora running Linux 6.15 kernels, we started seeing the AVCs reported in RHBZ2371004:

type=AVC msg=audit(N): avc: denied { perfmon } for pid=PID comm="ps" capability=38 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability2 permissive=0

Added a pcp.te entry to address these AVCs.

@wcohen wcohen requested review from natoscott and kmcdonell July 9, 2025 13:29
Member

@kmcdonell kmcdonell left a comment


@wcohen I'm no SELinux expert, and the change per se LGTM. So these comments are more at a superficial level. And I know the suggestions below have not been followed consistently in pcp.te, but consistency will probably help in the long run.

  1. I think it makes more sense for all the "optional_policy" clauses for a particular stanza like pcp_pmlogger local policy to come after the non-optional policy clauses, rather than at the beginning, as in your commit.
  2. I've always thought it helped to read the *.te files if there is a comment showing the essential parts of the relevant AVC ahead of an "allow" clause ... when the issue (or something like it) comes up again, it helps to have the original AVC to compare with any new AVC, and this detail is lost by the time audit2allow(1) has munched on the AVC.

@wcohen wcohen force-pushed the wcohen/rhbz2371004 branch from b4d5097 to 9ebf52e on July 11, 2025 15:37
@wcohen wcohen force-pushed the wcohen/rhbz2371004 branch from 9ebf52e to 1410328 on July 11, 2025 15:41
@wcohen
Contributor Author

wcohen commented Jul 11, 2025

I have reworked the patch to address the two points mentioned in the earlier review. There was a mention of the AVC message in the git commit comment, but having that in the pcp.te will make it more obvious to people. Grouping the change with the other optional policy will make things less scattered.
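
The second review point above is that audit2allow(1) throws away the original AVC, so the policy file should carry the essential parts of the denial as a comment immediately above the "allow" clause it motivates. As an added example (not code from the PCP project or from this pull request), the script below parses raw AVC records of the shape quoted in the PR description, collapses repeated denials for the same (source type, target type, class) into one rule, and renders each rule with a one-line digest of its AVC(s) above it, in the layout the review asks for. The input is constructed from the AVC quoted above, repeated once as an audit log would repeat it, plus a constructed non-AVC SYSCALL record that the parser must skip. The capability-number names come from the kernel's capability.h (38 is CAP_PERFMON). The rule it prints, `allow pcp_pmlogger_t self:capability2 perfmon;`, is the standard translation of that denial; the page does not show the actual pcp.te diff, so this is an illustration of the layout, not the merged change.

```python
"""Render SELinux allow rules from raw AVC denial records, keeping the
essential AVC as a comment above each rule.  Added example; not code from
the PCP project or this PR."""
import re
from collections import defaultdict

# Capability numbers >= 32 are reported by the kernel in the capability2
# class.  Names per linux/include/uapi/linux/capability.h.
CAP_NAMES = {
    36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
    38: "CAP_PERFMON",
    39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Constructed input: the AVC quoted in the PR (pid/serial already redacted
# by the reporter), repeated once as a real audit log would, to show that
# duplicate denials collapse into a single rule.  The third line is a
# constructed non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(N): avc:  denied  { perfmon } for  pid=PID comm="ps" capability=38  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(N): avc:  denied  { perfmon } for  pid=PID comm="ps" capability=38  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(N): arch=c000003e syscall=1 success=no exit=-13
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type:level -> type (the third component)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return the essential fields of one AVC denial, or None for any
    other audit record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(_FIELD_RE.findall(line))
    rec = {
        "perms": frozenset(m.group("perms").split()),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "").strip('"'),
        # permissive=1 means the access went ahead despite the record
        "permissive": fields.get("permissive") == "1",
    }
    cap = fields.get("capability")
    if cap is not None and cap.isdigit():
        rec["capability"] = int(cap)
        rec["capability_name"] = CAP_NAMES.get(int(cap), "unknown")
    return rec


def avc_summary(rec):
    """One-line digest of the denial: just the parts needed to compare it
    with a future AVC."""
    s = f'avc: denied {{ {" ".join(sorted(rec["perms"]))} }} for comm="{rec["comm"]}"'
    if "capability" in rec:
        s += f' capability={rec["capability"]} ({rec["capability_name"]})'
    return s + f' scontext={rec["stype"]} tcontext={rec["ttype"]} tclass={rec["tclass"]}'


def aggregate(lines):
    """Group denials by (source type, target type, class), merging their
    permissions and keeping each distinct AVC digest once."""
    groups = defaultdict(lambda: {"perms": set(), "avcs": []})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        digest = avc_summary(rec)
        if digest not in g["avcs"]:
            g["avcs"].append(digest)
    return groups


def render_rules(lines):
    """Emit allow rules, each preceded by the AVC(s) that motivated it."""
    out = []
    for (stype, ttype, tclass), g in aggregate(lines).items():
        target = "self" if ttype == stype else ttype
        out.extend(f"# {d}" for d in g["avcs"])
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        out.append(f"allow {stype} {target}:{tclass} {perms};")
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(render_rules(SAMPLE_AUDIT.splitlines()))
```

Running it prints the digest line followed by the rule, ready to paste under the non-optional part of a stanza; the digest keeps comm, the capability number and name, and the source/target types so that a future denial can be compared against it without digging the original out of the audit log.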

Member

@natoscott natoscott left a comment


LGTM

@kmcdonell kmcdonell merged commit 7907da5 into performancecopilot:main Jul 13, 2025
21 of 22 checks passed