Re: Semi-OT / Newbe: Help writing a policy file


On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
> Hello all,
> 
> I've got a script that sets the network device IRQ CPU affinity.
> (irqbalance without the balance...).
> Due to changes to /proc/irq/XXX/* SELinux targeted policy (?) this
> script no longer works.
> 
> - avc message: avc:  denied  { associate } for  pid=234250 comm="dev_irq_fix" name="smp_affinity" scontext=unconfined_u:object_r:sysctl_irq_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
> 
> - audit2allow:
> allow sysctl_irq_t proc_t:filesystem associate;

filesystem associate permission is only checked for:
- mount with context= option,
- file creation,
- relabeling of a file.

None of those make sense for /proc/irq/* files AFAIK.

What is your script doing to trigger this denial?
/proc files are kernel-generated pseudo files, so they aren't files
that userspace would be creating or relabeling.

> As I appreciate the need of solid SELinux policy I'd rather label my
> script correctly, as opposed to opening the sysctl_irq_t gate to
> world+dog.
> As such, I'd like to create a file label that *extends* the generic
> bin_t label - let's call it dev_manage_t - and will be used to give a
> certain set of scripts the ability to modify /proc/irq/XXX/
> 
> Now, I tried creating the following policy, and needless to say it
> failed, miserably, when I tried to restorecon my script files
> (EPERM).
> 
> 
> 1. dev_manage.fc:
> ------------------------------
> /sbin/dev_irq_set    --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
> /sbin/dev_irq_fix    --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
> 
> 
> 2. dev_manage.te
> ------------------------------
> module dev_manage 1.0;
> 
> type dev_manage_t;
> 
> require {
>     type bin_t;
>     type sysctl_irq_t;
> 
>     class file { search read write getattr open };
>     class dir { search read write getattr open };
> }
> 
> allow dev_manage_t sysctl_irq_t:file { search read write getattr open };
> allow dev_manage_t sysctl_irq_t:dir { search read write getattr open };
> 
> Can anyone please point me in the right direction? I tried using
> existing .te files as reference (e.g. irqbalance.te) but it didn't
> help much.
> 
> - Gilboa
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
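As an added illustration (not part of the thread), a small Python parser for the AVC record quoted above: it splits the key=value fields, rebuilds the rule audit2allow printed, and for a filesystem:associate denial reports which type is being associated with which filesystem type, together with the three operations the reply says that permission is checked for. The sample line is the thread's own AVC record reassembled on one line; the second test record is constructed.

```python
import re

# Constructed sample: the AVC record quoted in the thread, reassembled on one line.
SAMPLE_AVC = (
    'avc:  denied  { associate } for  pid=234250 comm="dev_irq_fix" '
    'name="smp_affinity" scontext=unconfined_u:object_r:sysctl_irq_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0'
)

# The only operations the kernel checks filesystem:associate for (as stated in the reply).
ASSOCIATE_TRIGGERS = ("mount with context= option", "file creation", "relabeling of a file")

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"result": result, "perms": perms.split(), **fields}

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def audit2allow_rule(avc):
    """Rebuild the allow rule audit2allow emits for this record (source type, target type, class, perms)."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"], perm_str)

def explain(avc):
    """For filesystem:associate denials, name the file type and filesystem type involved."""
    if avc["tclass"] == "filesystem" and "associate" in avc["perms"]:
        return {
            "kind": "filesystem_associate",
            # source context is the type being placed on the filesystem, target is the fs type
            "file_type": context_type(avc["scontext"]),
            "fs_type": context_type(avc["tcontext"]),
            "checked_for": ASSOCIATE_TRIGGERS,
        }
    return {"kind": "other"}
```

Running `explain(parse_avc(SAMPLE_AVC))` on the thread's record shows sysctl_irq_t being associated with proc_t, which is why the reply asks what in the script would be creating or relabeling a /proc/irq file.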