Re: Semi-OT / Newbe: Help writing a policy file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
> Hello all,
> 
> I've got a script that sets the network device IRQ CPU affinity.
> (irqbalance without the balance...).
> Due to changes to /proc/irq/XXX/* SELinux targeted policy (?) this
> script no longer works.
> 
> - avc message:: avc:  denied  { associate } for  pid=234250
> comm="dev_irq_fix" name="smp_affinity"
> scontext=unconfined_u:object_r:sysctl_irq_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
> 
> - audit2allow:
> allow sysctl_irq_t proc_t:filesystem associate;
> 
> As I appreciate the need of solid SELinux policy I rather label my
> script correctly, as opposed to opening the sysctl_irq_t gate to
> world+dog.
> As such, I'd like to create a file label that *extends* the generic
> bin_t label - lets call it dev_manage_t - and will be used to give a
> certain set of scripts the ability to modify /proc/irq/XXX/
> 
> Now, I tried creating the following policy, and needless to say it
> failed, miserably, when I tried to restorecon my script files
> (EPERM).
> 
> 
> 1. dev_manage.fc:
> ------------------------------
> /sbin/dev_irq_set    
> --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
> /sbin/dev_irq_fix    
> --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
> 
> 
> 2. dev_manage.te
> ------------------------------
> module dev_manage 1.0;
> 
> type dev_manage_t;
> 
> require {
>     type bin_t;
>     type sysctl_irq_t;
> 
>     class file { search read write getattr open };
>     class dir { search read write getattr open };
> }
> 
> allow dev_manage_t sysctl_irq_t:file { search read write getattr open
> };
> allow dev_manage_t sysctl_irq_t:dir { search read write getattr open
> };
> 
> Can anyone please point me to the right direction? I tried using
> exiting .te files as reference (E.g. irabalance.te) but it didn't
> help
> much.

You need to define a domain type (for the process) and a file type (for
the executable file).  Using an existing .te file is often a good way
to go, or you could try using sepolicy generate.  Is your script run as
a service or by an admin user?  That affects what domain transitions
you need to set up for it.
 
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux