On Mon, Jan 9, 2017 at 11:54 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > Hello,
> >
> > Sorry for the late reply. Was AFK for a couple of days.
> > The script is used to attach certain network device IRQ to specific
> > CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.
>
> The only scenario where we would expect to see that denial is if
> /proc/irq/XXX/smp_affinity did not exist and it tried to create it as a
> result. No point in allowing that; it can't be done anyway.

The IRQ entries are valid, and so is smp_affinity.

If the IRQ management script is called from a root console, I get no denials.
If the IRQ management script is called by a systemd service, I get denials.

The denial message is:

"type=AVC msg=audit(1483384972.624:3669): avc: denied { associate } for pid=10271 comm="ipp_start" name="smp_affinity" scontext=system_u:object_r:sysctl_irq_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0"

The ipp_start label is unconfined_u:object_r:bin_t:s0.

I was planning to write a policy file, as I assumed it was intentional systemd-related policy.
Am I wrong?

- Gilboa
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
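Added example, not part of the thread: a small Python parser for the AVC record quoted above that pulls out the source and target types, prints the rule audit2allow would derive, and flags why a filesystem:associate denial points at file creation rather than at the echo itself. The sample line is the one from the mail; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the denial quoted in the mail above, as one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1483384972.624:3669): avc: denied { associate } for pid=10271 '
    'comm="ipp_start" name="smp_affinity" scontext=system_u:object_r:sysctl_irq_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0'
)

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"


@dataclass
class AvcRecord:
    result: str                      # "denied" or "granted"
    perms: list                      # permissions listed inside the braces
    fields: dict = field(default_factory=dict)

    def type_of(self, key):
        # A context is user:role:type[:range]; return only the type component.
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one audit AVC line into an AvcRecord; None if it is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('result'), m.group('perms').split(), fields)


def allow_rule(rec):
    """The rule audit2allow would derive from this record; not necessarily the right fix."""
    return 'allow %s %s:%s { %s };' % (rec.type_of('scontext'), rec.type_of('tcontext'),
                                       rec.fields['tclass'], ' '.join(rec.perms))


def explain(rec):
    """For filesystem:associate, scontext is the label of the *file*, not of the process:
    the check runs when a file of that type is created (or relabelled) on the filesystem."""
    if rec.fields.get('tclass') == 'filesystem' and 'associate' in rec.perms:
        return ('creation or relabel of %s as %s on a %s filesystem was refused (process %s); '
                'a plain write to an existing file does not trigger this check' % (
                    rec.fields.get('name', '?'), rec.type_of('scontext'),
                    rec.type_of('tcontext'), rec.fields.get('comm', '?')))
    return 'process access denial: %s on class %s' % (' '.join(rec.perms), rec.fields.get('tclass'))
```

Running `explain(parse_avc(SAMPLE_AVC))` on the quoted record reports a refused creation of smp_affinity as sysctl_irq_t on a proc_t filesystem, which is the situation Stephen describes, so the next thing to verify is whether the path the service writes to actually exists at that moment.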