On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
> Hello all,
>
> I've got a script that sets the network device IRQ CPU affinity.
> (irqbalance without the balance...).
> Due to changes to /proc/irq/XXX/* SELinux targeted policy (?) this
> script no longer works.
>
> - avc message:
> avc: denied { associate } for pid=234250 comm="dev_irq_fix" name="smp_affinity"
> scontext=unconfined_u:object_r:sysctl_irq_t:s0 tcontext=system_u:object_r:proc_t:s0
> tclass=filesystem permissive=0
>
> - audit2allow:
> allow sysctl_irq_t proc_t:filesystem associate;
>
> As I appreciate the need for solid SELinux policy, I'd rather label my
> script correctly, as opposed to opening the sysctl_irq_t gate to
> world+dog.
> As such, I'd like to create a file label that *extends* the generic
> bin_t label - let's call it dev_manage_t - and will be used to give a
> certain set of scripts the ability to modify /proc/irq/XXX/
>
> Now, I tried creating the following policy, and needless to say it
> failed, miserably, when I tried to restorecon my script files
> (EPERM).
>
> 1. dev_manage.fc:
> ------------------------------
> /sbin/dev_irq_set -- gen_context(unconfined_u:object_r:dev_manage_t,s0)
> /sbin/dev_irq_fix -- gen_context(unconfined_u:object_r:dev_manage_t,s0)
>
> 2. dev_manage.te
> ------------------------------
> module dev_manage 1.0;
>
> type dev_manage_t;
>
> require {
>     type bin_t;
>     type sysctl_irq_t;
>
>     class file { search read write getattr open };
>     class dir { search read write getattr open };
> }
>
> allow dev_manage_t sysctl_irq_t:file { search read write getattr open };
> allow dev_manage_t sysctl_irq_t:dir { search read write getattr open };
>
> Can anyone please point me in the right direction? I tried using
> existing .te files as reference (e.g. irqbalance.te) but it didn't
> help much.

You need to define a domain type (for the process) and a file type (for the executable file).
Using an existing .te file is often a good way to go, or you could try using sepolicy generate.
Is your script run as a service or by an admin user? That affects what domain transitions you need to set up for it.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
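A worked example of the layout the reply describes, added here as an illustration; it is not part of the original thread, nor a module from the shipped policy. It is written in reference-policy style (the form the installed .te files under /usr/share/selinux/devel use) rather than as a raw checkmodule module, so the rules for /proc/irq come from the same interface irqbalance.te uses. It assumes the admin-user case the reply asks about, since the AVC message shows an unconfined_u context: the scripts are started from an unconfined shell and should transition into their own domain on exec. The type names dev_manage_t and dev_manage_exec_t and the module name are invented for the example; the /sbin paths are the ones from the posted .fc.

```selinux
# ---- dev_manage.te ----  (added example, not part of the original post)
policy_module(dev_manage, 1.0.0)

########################################
#
# Declarations
#

# Domain the IRQ-affinity scripts run in (the process label) ...
type dev_manage_t;
# ... and the type carried by their executables (the entrypoint file label).
# These are two distinct types; the posted module used one type for both roles.
type dev_manage_exec_t;
application_domain(dev_manage_t, dev_manage_exec_t)

# Assumption: an administrator runs the scripts from an unconfined shell.
# Let unconfined_r hold the new domain and transition into it on exec.
optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')
	role unconfined_r types dev_manage_t;
	domtrans_pattern(unconfined_t, dev_manage_exec_t, dev_manage_t)
')

########################################
#
# Policy
#

# Read and write /proc/irq/*/smp_affinity (sysctl_irq_t), including the
# search rights on proc_t and sysctl_t needed to reach it. Granted to this
# one domain only, instead of the blanket rule audit2allow suggested.
kernel_rw_irq_sysctls(dev_manage_t)

# Shell scripts need their interpreter and the usual helpers from /bin,/sbin.
corecmd_exec_shell(dev_manage_t)
corecmd_exec_bin(dev_manage_t)
files_read_etc_files(dev_manage_t)
miscfiles_read_localization(dev_manage_t)

# Development aid: denials for dev_manage_t are logged but not enforced, so
# any rule still missing shows up in audit.log. Remove before deploying.
permissive dev_manage_t;

# ---- dev_manage.fc ----
# Label the executables with the entrypoint type, not the domain type, and
# with system_u: file contexts are not tied to a login user.
/sbin/dev_irq_set	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
/sbin/dev_irq_fix	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
```

Build and load with the devel Makefile: `make -f /usr/share/selinux/devel/Makefile dev_manage.pp`, then `semodule -i dev_manage.pp` and `restorecon -v /sbin/dev_irq_set /sbin/dev_irq_fix`. `ls -Z /sbin/dev_irq_fix` should now show dev_manage_exec_t, and a script started from an unconfined shell should run as dev_manage_t. On a system where /sbin is a symlink into /usr/sbin, write the .fc path the way restorecon resolves it. While `permissive dev_manage_t;` is in place, collect what the scripts still trip over with `ausearch -m avc -c dev_irq_fix | audit2allow -R`, add the interfaces it proposes to the .te, and drop the permissive line once a full run produces no denials. For the service case instead of the admin case, the transition block would be replaced by init_daemon_domain(dev_manage_t, dev_manage_exec_t) rather than the unconfined_t rules shown.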