Attached is the ksm module. If virtualization is installed then the ksm and ksmtuned services are enabled by default. Currently they run in initrc_t. It seems the initrc_t domain has sufficient permissions for the ksm tune daemon. The policy is not thoroughly tested yet, so I left ksmtuned_t permissive.
# ksm.fc -- file contexts for the ksm module
/etc/rc\.d/init\.d/ksm		--	gen_context(system_u:object_r:ksm_initrc_exec_t, s0)
/etc/rc\.d/init\.d/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_initrc_exec_t, s0)
/usr/sbin/ksmtuned		--	gen_context(system_u:object_r:ksmtuned_exec_t, s0)
/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ksmtuned_var_run_t, s0)
# ksm.if -- interface file for the ksm module (no interfaces yet, description only)
## <summary>Kernel Sharedpage Merging</summary>
## <desc>
##	<p>
##	Kernel Sharedpage Merging allows KVM guest virtual
##	machines to share identical memory pages. This is
##	especially useful when running multiple guests from the
##	same or similar base operating system image. Because
##	memory is shared, the combined memory usage of the
##	guests is reduced.
##	</p>
##	<p>
##	Kernel Sharedpage Merging Tune Daemon dynamically
##	adjusts KSM aggressiveness based on the amount of free
##	memory available.
##	</p>
## </desc>
# ksm.te -- type enforcement rules for the ksm module
policy_module(ksm, 1.0.0)

########################################
#
# KSM personal declarations.
#

type ksm_initrc_exec_t;
init_script_file(ksm_initrc_exec_t)

########################################
#
# KSMTuneD personal declarations.
#

type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)

type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)

type ksmtuned_var_run_t;
files_pid_file(ksmtuned_var_run_t)

# Not yet enforced: denials for ksmtuned_t are logged but not blocked.
permissive ksmtuned_t;

########################################
#
# KSM personal policy.
#

########################################
#
# KSMTuneD personal policy.
#

allow ksmtuned_t self:fifo_file rw_fifo_file_perms;

# PID file under /var/run
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)

corecmd_exec_bin(ksmtuned_t)

# KSM is tuned through /sys/kernel/mm/ksm
dev_rw_sysfs(ksmtuned_t)

domain_read_all_domains_state(ksmtuned_t)

files_read_etc_files(ksmtuned_t)

kernel_read_system_state(ksmtuned_t)

miscfiles_read_localization(ksmtuned_t)
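As an added example (not part of the original post or of the ksm module itself), here is a small consistency lint for a refpolicy-style module like the one above. It checks the two things a reviewer would want to see before the module is merged: that every type named in the .fc contexts is actually declared in the .te (an undeclared type makes the module fail to load), and which domains are still marked permissive, since that line disables enforcement for the domain and has to come out once testing is done. The .fc and .te text are copied from the post with the boilerplate trimmed; the parsing is a simple regex pass over lines, not the real checkpolicy grammar, so it is a pre-review sanity check rather than a substitute for building the module.

```python
"""Added example: lint a refpolicy-style module for undeclared .fc types and
permissive domains. Input text is copied from the ksm module in the post."""
import re

# File contexts, as in ksm.fc (backslashes are escaped for the Python literal).
KSM_FC = """\
/etc/rc\\.d/init\\.d/ksm        --  gen_context(system_u:object_r:ksm_initrc_exec_t, s0)
/etc/rc\\.d/init\\.d/ksmtuned   --  gen_context(system_u:object_r:ksmtuned_initrc_exec_t, s0)
/usr/sbin/ksmtuned             --  gen_context(system_u:object_r:ksmtuned_exec_t, s0)
/var/run/ksmtune\\.pid          --  gen_context(system_u:object_r:ksmtuned_var_run_t, s0)
"""

# Type enforcement, as in ksm.te (declarations plus the permissive line).
KSM_TE = """\
policy_module(ksm, 1.0.0)

type ksm_initrc_exec_t;
init_script_file(ksm_initrc_exec_t)

type ksmtuned_t;
type ksmtuned_exec_t;
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)

type ksmtuned_initrc_exec_t;
init_script_file(ksmtuned_initrc_exec_t)

type ksmtuned_var_run_t;
files_pid_file(ksmtuned_var_run_t)

permissive ksmtuned_t;

allow ksmtuned_t self:fifo_file rw_fifo_file_perms;
"""

# `type NAME;` or `type NAME, attr1, attr2;` -- the `\s+` keeps type_transition
# and similar statements from matching.
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[,;]")
PERMISSIVE = re.compile(r"^\s*permissive\s+(\w+)\s*;")
# The type component of gen_context(user:role:type, mls)
FC_TYPE = re.compile(r"gen_context\(\s*\w+:\w+:(\w+)\s*,")


def declared_types(te_text):
    """Set of type names declared in a .te."""
    return {m.group(1) for line in te_text.splitlines() if (m := TYPE_DECL.match(line))}


def permissive_domains(te_text):
    """List of domains the .te leaves in permissive mode (should be empty when shipped)."""
    return [m.group(1) for line in te_text.splitlines() if (m := PERMISSIVE.match(line))]


def fc_types(fc_text):
    """(path_regex, type) pairs referenced from gen_context() in a .fc."""
    out = []
    for line in fc_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FC_TYPE.search(line)
        if m:
            out.append((line.split()[0], m.group(1)))
    return out


def lint(fc_text, te_text):
    """Report .fc types with no matching declaration and any permissive domains."""
    decl = declared_types(te_text)
    undeclared = sorted({t for _, t in fc_types(fc_text) if t not in decl})
    return {"undeclared_fc_types": undeclared, "permissive": permissive_domains(te_text)}


if __name__ == "__main__":
    report = lint(KSM_FC, KSM_TE)
    for t in report["undeclared_fc_types"]:
        print(f"ERROR: .fc references undeclared type {t}")
    for d in report["permissive"]:
        print(f"WARN: domain {d} is permissive; remove before shipping")
    # For the module as posted: no undeclared types, one permissive domain (ksmtuned_t).
```

Run as a script it prints one warning for ksmtuned_t and no errors; dropping a `type` line from the .te turns the corresponding .fc entry into an error, which is the failure the lint is meant to catch before `semodule -i` does.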
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list