On Sat, 2016-12-24 at 12:04 +0200, Gilboa Davara wrote:
> On Wed, Dec 21, 2016 at 10:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> >
> > On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
> > >
> > > Hello all,
> > >
> > > I've got a script that sets the network device IRQ CPU affinity.
> > > (irqbalance without the balance...).
> > > Due to changes to /proc/irq/XXX/* SELinux targeted policy (?)
> > > this script no longer works.
> > >
> > > - avc message: avc: denied { associate } for pid=234250
> > > comm="dev_irq_fix" name="smp_affinity"
> > > scontext=unconfined_u:object_r:sysctl_irq_t:s0
> > > tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
> > > permissive=0
> > >
> > > - audit2allow:
> > > allow sysctl_irq_t proc_t:filesystem associate;
> >
> > filesystem associate permission is only checked for:
> > - mount with context= option,
> > - file creation,
> > - relabeling of a file.
> >
> > None of those make sense for /proc/irq/* files AFAIK.
> >
> > What is your script doing to trigger this denial?
> > /proc files are kernel-generated pseudo files, so they aren't files
> > that userspace would be creating or relabeling.
>
> Hello,
>
> Sorry for the late reply. Was AFK for a couple of days.
> The script is used to attach certain network device IRQ to specific
> CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.

The only scenario where we would expect to see that denial is if
/proc/irq/XXX/smp_affinity did not exist and it tried to create it as a
result. No point in allowing that; it can't be done anyway.
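As an added illustration of the point made in the reply above (this is not the original poster's script), the shell `>` redirection will try to create the target when it is missing, and that create-on-write is what reaches the filesystem associate check. A script that verifies the smp_affinity file exists before writing, and validates the mask it is about to write, never attempts the creation and therefore never produces this denial. `PROC_ROOT` is an assumed variable, added only so the function can be exercised against a constructed directory tree instead of the live /proc.

```bash
#!/bin/sh
# Assumption for testing: PROC_ROOT lets the function run against a fake tree.
# On a real system leave it unset so it defaults to /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# set_irq_affinity IRQ HEXMASK
#   0 -> mask written
#   1 -> write failed (e.g. kernel rejected the mask, or not root)
#   2 -> smp_affinity does not exist; nothing is written, so no create attempt
#   3 -> mask is not a valid hex CPU mask
set_irq_affinity() {
    irq="$1"
    mask="$2"
    f="$PROC_ROOT/irq/$irq/smp_affinity"

    # smp_affinity takes a hex bitmask; comma-separated groups are allowed.
    case "$mask" in
        ""|*[!0-9a-fA-F,]*)
            echo "IRQ $irq: invalid CPU mask '$mask'" >&2
            return 3 ;;
    esac

    # Refuse to proceed when the kernel-provided file is absent: '>' would
    # otherwise attempt to create it, which cannot succeed in /proc anyway.
    if [ ! -e "$f" ]; then
        echo "IRQ $irq: $f does not exist; refusing to create it" >&2
        return 2
    fi

    # The file exists, so this redirection only opens it for writing.
    printf '%s\n' "$mask" > "$f" || return 1
    return 0
}
```

On a live system the kernel may adjust the written value (e.g. drop offline CPUs), so read smp_affinity back after a successful write if the exact mask matters.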