Bug 1591440
Summary: | bpftool returns EPERM on all actions | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | jakub.kicinski |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | airlied, bskeggs, dwalsh, ewk, hdegoede, ichavero, itamar, jarodwilson, jglisse, john.j5live, jonathan, josef, kernel-maint, labbott, linville, lvrabec, mchehab, mgrepl, mjg59, plautrba, pmoore, steved |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-09-12 02:57:54 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
jakub.kicinski
2018-06-14 17:56:45 UTC
So 'sudo bpftool prog' works for me on both F28 and rawhide. What kernel version are you running on? Are you running with secure boot on by any chance?

Interesting, does it work for you when you're logged in as root? I have Secure boot on on my F28 machine, but not on the Rawhide one. The error is slightly different on the Rawhide:

    Error: can't get prog by id (13): Permission denied

instead of:

    Error: can't get next program: Operation not permitted

    $ uname -r
    4.16.14-300.fc28.x86_64

and

    $ uname -r
    4.18.0-0.rc0.git7.2.fc29.x86_64

Oh, turns out on the Rawhide machine setenforce 0 fixes the issue, so it's Selinux related... Does secure boot make it impossible to disable Selinux?

selinux and secureboot are not connected but it is expected that bpf is disabled when secureboot is enabled, so that explains F28. I forgot I have my rawhide machine in reporting only mode and I do see selinux failures there. So we could move this bug to selinux policy to fix it up there.

Thank you! I didn't know secure boot disables BPF, is it a Fedora/RHEL specific patch or does it happen on upstream kernels too? I'm happy for the bug to be moved to selinux policy, FWIW:

    AVC avc: denied { prog_run } for pid=10409 comm="bpftool" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1

The secureboot work is still going upstream but yes, it's intended to be locked down upstream too. I'll move this over to selinux-policy.

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
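
An added example, not part of the bug thread or of selinux-policy: a small parser for the AVC record quoted in the comments, pulling out the source and target types, the `bpf` class permission, and whether the denial was enforced or only logged (`permissive=1`). The helper names are hypothetical, and the `allow` rule it renders only mirrors what the record asks for; it is not the change that shipped in selinux-policy-3.14.2-34.fc29.

```python
import re

# AVC record exactly as quoted in the bug comments.
SAMPLE = ('AVC avc: denied { prog_run } for pid=10409 comm="bpftool" '
          'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
          'tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC message into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    permissive = fields.get('permissive') == '1'
    return {
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'source_type': selinux_type(fields['scontext']),
        'target_type': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': permissive,
        # permissive=1: the denial was logged but the access still went through.
        'blocked': result == 'denied' and not permissive,
    }

def te_rule(rec):
    """Render the type-enforcement rule that would permit the logged access."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perm_text};"

if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec)
    print(te_rule(rec))
```

For the record in this bug, `blocked` comes out false because the message was captured with `permissive=1`; the same record logged with `permissive=0` is the case where bpftool actually fails with "Permission denied".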