On Wed, Dec 21, 2016 at 10:35 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
>> Hello all,
>>
>> I've got a script that sets the network device IRQ CPU affinity
>> (irqbalance without the balance...).
>> Due to changes to /proc/irq/XXX/* SELinux targeted policy (?) this
>> script no longer works.
>>
>> - avc message:
>>   avc: denied { associate } for pid=234250 comm="dev_irq_fix" name="smp_affinity"
>>   scontext=unconfined_u:object_r:sysctl_irq_t:s0
>>   tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
>>
>> - audit2allow:
>>   allow sysctl_irq_t proc_t:filesystem associate;
>>
>> As I appreciate the need for a solid SELinux policy, I'd rather label my
>> script correctly, as opposed to opening the sysctl_irq_t gate to
>> world+dog.
>> As such, I'd like to create a file label that *extends* the generic
>> bin_t label - let's call it dev_manage_t - which will be used to give a
>> certain set of scripts the ability to modify /proc/irq/XXX/.
>>
>> Now, I tried creating the following policy, and needless to say it
>> failed, miserably, when I tried to restorecon my script files
>> (EPERM).
>>
>> 1. dev_manage.fc:
>> ------------------------------
>> /sbin/dev_irq_set  --  gen_context(unconfined_u:object_r:dev_manage_t,s0)
>> /sbin/dev_irq_fix  --  gen_context(unconfined_u:object_r:dev_manage_t,s0)
>>
>> 2. dev_manage.te
>> ------------------------------
>> module dev_manage 1.0;
>>
>> type dev_manage_t;
>>
>> require {
>>     type bin_t;
>>     type sysctl_irq_t;
>>
>>     class file { search read write getattr open };
>>     class dir { search read write getattr open };
>> }
>>
>> allow dev_manage_t sysctl_irq_t:file { search read write getattr open };
>> allow dev_manage_t sysctl_irq_t:dir { search read write getattr open };
>>
>> Can anyone please point me in the right direction? I tried using
>> existing .te files as reference (e.g. irqbalance.te) but it didn't help
>> much.
>
> You need to define a domain type (for the process) and a file type (for
> the executable file). Using an existing .te file is often a good way
> to go

I tried looking up the existing irqbalance .te file, but it didn't help.
Do you have any good / relevant examples?

> , or you could try using sepolicy generate. Is your script run as
> a service or by an admin user? That affects what domain transitions
> you need to set up for it.

The script is run both by root and by systemd.

- Gilboa

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
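A complete module of the shape Stephen describes, added here as an example; it is not code from the thread or from any distribution's policy. It gives the scripts a domain type (dev_manage_t) and a separate executable file type (dev_manage_exec_t), and sets up the two transitions the reply asks about: from init_t for the systemd-started case and from unconfined_t for the run-as-root case. It assumes the two script paths from the original post, a targeted (Fedora/RHEL-style) policy that provides unconfined_t/unconfined_r and the refpolicy interfaces named in the comments, and the selinux-policy-devel Makefile for building. The IRQ access uses kernel_rw_irq_sysctls(), the same interface irqbalance_t uses; the remaining allow rules (shell execution, /proc reads, localization, syslog) are my assumption of what a shell script usually needs, not something the thread states:

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated domain for the
# IRQ-affinity scripts instead of widening access to sysctl_irq_t.
# Usage:  . ./dev_manage_policy.sh; write_policy /tmp/dev_manage
#         build_and_install /tmp/dev_manage        (as root)

# Write dev_manage.te and dev_manage.fc into $1 (created if missing).
write_policy() {
	dir=$1
	mkdir -p "$dir"

	cat > "$dir/dev_manage.te" <<'EOF'
policy_module(dev_manage, 1.0.0)

########################################
#
# Declarations
#

# dev_manage_t is the process domain, dev_manage_exec_t the label of the
# script files.  init_daemon_domain() marks them as domain/entrypoint and
# adds the init_t -> dev_manage_t transition for the systemd-started case.
type dev_manage_t;
type dev_manage_exec_t;
init_daemon_domain(dev_manage_t, dev_manage_exec_t)

# The same scripts are run by hand as root (unconfined_t), so add that
# transition as well and let unconfined_r run the new domain.
# (Assumes a targeted policy where unconfined_t/unconfined_r exist.)
require {
	type unconfined_t;
	role unconfined_r;
}
domtrans_pattern(unconfined_t, dev_manage_exec_t, dev_manage_t)
role unconfined_r types dev_manage_t;

########################################
#
# Local policy
#

# Shell scripts: the interpreter plus the usual tools under bin_t.
corecmd_exec_shell(dev_manage_t)
corecmd_exec_bin(dev_manage_t)

# /proc/interrupts (to find the IRQ numbers) and read/write access to
# /proc/irq/<N>/smp_affinity, which is labelled sysctl_irq_t.  This is
# the interface irqbalance_t uses for the same job.
kernel_read_system_state(dev_manage_t)
kernel_rw_irq_sysctls(dev_manage_t)

# Assumed extras most scripts end up needing; trim after testing.
files_read_etc_files(dev_manage_t)
miscfiles_read_localization(dev_manage_t)
logging_send_syslog_msg(dev_manage_t)
EOF

	# File contexts: system_u (not unconfined_u) for files on disk, and
	# the *_exec_t type, not the domain type, on the script files.
	cat > "$dir/dev_manage.fc" <<'EOF'
/sbin/dev_irq_set	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
/sbin/dev_irq_fix	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
EOF
}

# Compile with the selinux-policy-devel Makefile, load the module and
# relabel the scripts.  Until restorecon runs they stay bin_t and no
# transition happens.
build_and_install() {
	dir=$1
	( cd "$dir" && make -f /usr/share/selinux/devel/Makefile dev_manage.pp )
	semodule -i "$dir/dev_manage.pp"
	restorecon -v /sbin/dev_irq_set /sbin/dev_irq_fix
	# Confirm the file label and both transitions are in place.
	ls -Z /sbin/dev_irq_set /sbin/dev_irq_fix
	sesearch -T -s unconfined_t -t dev_manage_exec_t
	sesearch -T -s init_t -t dev_manage_exec_t
}

# While iterating, keep only the new domain permissive (the rest of the
# system stays enforcing) and turn leftover denials into rules to review.
iterate_in_permissive() {
	semanage permissive -a dev_manage_t
	ausearch -m avc -c dev_irq_fix --raw | audit2allow -R
}
```

Run the scripts once from a root shell and once via systemd after installing and check `ps -eZ` shows them in dev_manage_t; if either invocation stays in unconfined_t or init_t, the corresponding transition is missing, which is the first thing to verify before chasing individual denials. The audit2allow output from iterate_in_permissive is a starting point to read, not to paste: anything it proposes on sysctl_irq_t should already be covered by kernel_rw_irq_sysctls(), and the rest should be narrowed to what the scripts actually touch.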