On Tue, Jan 17, 2017 at 7:11 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2017-01-17 at 18:39 +0200, Gilboa Davara wrote:
>> On Mon, Jan 9, 2017 at 11:54 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > > Hello,
>> > >
>> > > Sorry for the late reply. Was AFK for a couple of days.
>> > > The script is used to attach certain network device IRQs to specific
>> > > CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.
>> >
>> > The only scenario where we would expect to see that denial is if
>> > /proc/irq/XXX/smp_affinity did not exist and it tried to create it as a
>> > result. No point in allowing that; it can't be done anyway.
>>
>> The IRQ entries are valid, and so is smp_affinity.
>> If the IRQ management script is called from a root console, I get no
>> denials.
>> If the IRQ management script is called by a systemd service, I get
>> denials.
>>
>> The denial message is:
>> "type=AVC msg=audit(1483384972.624:3669): avc: denied { associate }
>> for pid=10271 comm="ipp_start" name="smp_affinity"
>> scontext=system_u:object_r:sysctl_irq_t:s0
>> tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0"
>> ipp_start label is unconfined_u:object_r:bin_t:s0.
>>
>> I was planning to write a policy file, as I assumed it was intentional
>> systemd-related policy. Am I wrong?
>
> There is no benefit in allowing it in policy; you can't create files
> there. You can dontaudit it if you want to suppress the log noise.
>

Hello Stephen,

Thanks again for taking the time to answer my questions. I appreciate the effort.

The log messages are annoying but not the main issue; the main problem is that SELinux seems to block my script from configuring smp_affinity from within a systemd service.

I'll be eternally grateful if you can point me in the right direction on how to give my script the SELinux attributes required to configure smp_affinity from a systemd service domain.
- Gilboa

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
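Stephen's suggestion in the thread is to dontaudit the associate check rather than allow it. The following is an added example of what such a local policy module looks like, written here as an illustration and not code from either participant or from the distribution's policy. The module name ipp_dontaudit is an assumption; the two types and the permission are taken directly from the AVC record quoted above (scontext sysctl_irq_t, tcontext proc_t, class filesystem, permission associate):

```selinux
# Added example (not from the thread): minimal local policy module that
# silences the specific "associate" denial quoted above. It grants nothing;
# a dontaudit rule only stops the AVC record from being written.
# Module name "ipp_dontaudit" is a placeholder chosen for this example.
policy_module(ipp_dontaudit, 1.0)

# sysctl_irq_t: label of the /proc/irq/* entries (scontext in the AVC)
# proc_t:       label of the proc filesystem itself (tcontext in the AVC)
gen_require(`
    type sysctl_irq_t;
    type proc_t;
')

# Source/target/class/permission copied from the denial:
#   scontext=...:sysctl_irq_t  tcontext=...:proc_t  tclass=filesystem  { associate }
dontaudit sysctl_irq_t proc_t:filesystem associate;
```

On a Fedora or RHEL style system with selinux-policy-devel installed, the module is built and loaded with `make -f /usr/share/selinux/devel/Makefile ipp_dontaudit.pp` followed by `semodule -i ipp_dontaudit.pp`. Because dontaudit only hides the record, it is worth confirming before loading it that the write itself succeeds from the service (read the mask back from /proc/irq/XXX/smp_affinity after the script runs); if the write really fails, `semodule -DB` temporarily rebuilds the policy with all dontaudit rules disabled so that any other, previously hidden denial becomes visible in the audit log, and `semodule -B` restores the normal build afterwards.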