On Wed, Dec 21, 2016 at 10:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
>> Hello all,
>>
>> I've got a script that sets the network device IRQ CPU affinity
>> (irqbalance without the balance...).
>> Due to changes to /proc/irq/XXX/* SELinux targeted policy (?) this
>> script no longer works.
>>
>> - avc message:
>> avc: denied { associate } for pid=234250 comm="dev_irq_fix" name="smp_affinity"
>> scontext=unconfined_u:object_r:sysctl_irq_t:s0
>> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
>>
>> - audit2allow:
>> allow sysctl_irq_t proc_t:filesystem associate;
>
> filesystem associate permission is only checked for:
> - mount with context= option,
> - file creation,
> - relabeling of a file.
>
> None of those make sense for /proc/irq/* files AFAIK.
>
> What is your script doing to trigger this denial?
> /proc files are kernel-generated pseudo files, so they aren't files
> that userspace would be creating or relabeling.

Hello,

Sorry for the late reply. Was AFK for a couple of days.

The script is used to attach certain network device IRQs to specific CPUs
using 'echo XXXX > /proc/irq/XXX/smp_affinity'.

- Gilboa

>
>> As I appreciate the need for a solid SELinux policy I'd rather label my
>> script correctly, as opposed to opening the sysctl_irq_t gate to
>> world+dog.
>> As such, I'd like to create a file label that *extends* the generic
>> bin_t label - let's call it dev_manage_t - and will be used to give a
>> certain set of scripts the ability to modify /proc/irq/XXX/
>>
>> Now, I tried creating the following policy, and needless to say it
>> failed, miserably, when I tried to restorecon my script files
>> (EPERM).
>>
>>
>> 1. dev_manage.fc:
>> ------------------------------
>> /sbin/dev_irq_set    --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
>> /sbin/dev_irq_fix    --    gen_context(unconfined_u:object_r:dev_manage_t,s0)
>>
>>
>> 2. dev_manage.te
>> ------------------------------
>> module dev_manage 1.0;
>>
>> type dev_manage_t;
>>
>> require {
>>     type bin_t;
>>     type sysctl_irq_t;
>>
>>     class file { search read write getattr open };
>>     class dir { search read write getattr open };
>> }
>>
>> allow dev_manage_t sysctl_irq_t:file { search read write getattr open };
>> allow dev_manage_t sysctl_irq_t:dir { search read write getattr open };
>>
>> Can anyone please point me in the right direction? I tried using
>> existing .te files as reference (e.g. irqbalance.te) but it didn't help
>> much.
>>
>> - Gilboa
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
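The 'echo XXXX > /proc/irq/XXX/smp_affinity' described above, written out as a complete script. This is an added example, not Gilboa's dev_irq_fix script and not code from the selinux-policy or irqbalance projects. It assumes a Linux host whose /proc/interrupts lists the device name (e.g. eth0 or eth0-rx-0) as the last column of each IRQ line; the device name and CPU list are the caller's parameters, and the sample /proc/interrupts table in the block is constructed for trying the parser offline. Two things the one-liner hides: smp_affinity takes a hex bitmask in comma-separated 32-bit chunks (CPU 33 alone is 2,00000000, not 2), and the kernel may echo the mask back zero-padded to the machine's CPU count (0d rather than d on an 8-CPU box), so compare by value rather than by string. In enforcing mode a denied write fails with EPERM, which the script reports together with the ausearch command that shows the AVC.

```bash
#!/bin/sh
# Added example: not the script from the thread, not selinux-policy or irqbalance
# code. Pins every IRQ of a network device to a CPU set by writing
# /proc/irq/<n>/smp_affinity, i.e. the 'echo XXXX > ...' from the thread with the
# mask computed and the write checked.
# Assumptions: Linux; /proc/interrupts shows the device name as the last column
# of each IRQ line; device and CPU list are supplied by the caller.

# Print each CPU of a Linux cpulist ("0,2-3") on its own line; reject junk.
cpulist_expand() {
    local list item lo hi n c old_ifs
    list=$1
    [ -n "$list" ] || { printf 'empty cpu list\n' >&2; return 1; }
    old_ifs=$IFS; IFS=','
    for item in $list; do
        IFS=$old_ifs
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        for n in "$lo" "$hi"; do
            case $n in ''|*[!0-9]*) printf 'bad cpu list: %s\n' "$list" >&2; return 1 ;; esac
        done
        [ "$lo" -le "$hi" ] || { printf 'bad cpu list: %s\n' "$list" >&2; return 1; }
        c=$lo
        while [ "$c" -le "$hi" ]; do printf '%s\n' "$c"; c=$((c + 1)); done
    done
    IFS=$old_ifs
}

# cpulist -> hex bitmask in smp_affinity format: 32-bit chunks, most significant
# first, comma separated. "0,2-3" -> "d", "33" -> "2,00000000".
cpulist_to_mask() {
    local cpus c top w chunk out
    cpus=$(cpulist_expand "$1") || return 1
    top=0
    for c in $cpus; do
        [ $((c / 32)) -le "$top" ] || top=$((c / 32))
    done
    out=''; w=$top
    while [ "$w" -ge 0 ]; do
        chunk=0
        for c in $cpus; do
            [ $((c / 32)) -ne "$w" ] || chunk=$((chunk | (1 << (c % 32))))
        done
        if [ "$w" -eq "$top" ]; then out=$(printf '%x' "$chunk")
        else out=$(printf '%s,%08x' "$out" "$chunk"); fi
        w=$((w - 1))
    done
    printf '%s\n' "$out"
}

# IRQ numbers whose /proc/interrupts name is <dev> or <dev>-<queue> (eth0-rx-0).
# "eth01" does not match "eth0". Second argument overrides the table path.
irqs_for_device() {
    local dev table
    dev=$1; table=${2:-/proc/interrupts}
    awk -v dev="$dev" '
        $1 ~ /^[0-9]+:$/ {
            name = $NF
            if (name == dev || index(name, dev "-") == 1) { sub(/:$/, "", $1); print $1 }
        }' "$table"
}

# Write the mask to every IRQ of the device and read it back. The kernel may
# print the mask zero-padded, so the read-back is shown, not string-compared.
pin_device_irqs() {
    local dev mask irq cur rc
    dev=$1; rc=0
    mask=$(cpulist_to_mask "$2") || return 1
    for irq in $(irqs_for_device "$dev"); do
        if ! printf '%s' "$mask" > "/proc/irq/$irq/smp_affinity" 2>/dev/null; then
            # EPERM here with SELinux enforcing is usually a denial:
            # ausearch -m avc -ts recent
            printf 'irq %s: write to smp_affinity failed (check: ausearch -m avc -ts recent)\n' "$irq" >&2
            rc=1; continue
        fi
        read -r cur < "/proc/irq/$irq/smp_affinity"
        printf 'irq %s (%s): smp_affinity=%s\n' "$irq" "$dev" "$cur"
    done
    return "$rc"
}

# Constructed sample in /proc/interrupts layout, for exercising the parser offline.
SAMPLE_INTERRUPTS='           CPU0       CPU1
  0:         42          0   IO-APIC   2-edge      timer
 25:      12345        678   PCI-MSI 524288-edge   eth0-rx-0
 26:        910         11   PCI-MSI 524289-edge   eth0-tx-0
 27:          1          2   PCI-MSI 524290-edge   eth01
NMI:          0          0   Non-maskable interrupts'

# Usage (as root): ./pin_irqs.sh eth0 0,2-3
if [ "$#" -eq 2 ]; then
    pin_device_irqs "$1" "$2"
fi
```

Run it as root with the device and CPU list; with no arguments it only defines the functions, so it can be sourced and tried against the sample table first (irqs_for_device eth0 on the sample yields 25 and 26 and skips eth01). Whether the write is then permitted is exactly the policy question of the thread: the script still needs a domain allowed to write sysctl_irq_t files, and a failed write will show up as an AVC in the audit log.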