Re: Semi-OT / Newbe: Help writing a policy file

On Fri, 2017-01-20 at 13:07 +0200, Gilboa Davara wrote:
> On Tue, Jan 17, 2017 at 7:11 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> > 
> > On Tue, 2017-01-17 at 18:39 +0200, Gilboa Davara wrote:
> > > 
> > > On Mon, Jan 9, 2017 at 11:54 PM, Stephen Smalley <sds@xxxxxxxxx.gov>
> > > wrote:
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Hello,
> > > > > 
> > > > > Sorry for the late reply. Was AFK for a couple of days.
> > > > > The script is used to attach certain network device IRQs to
> > > > > specific CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.
> > > > 
> > > > The only scenario where we would expect to see that denial is if
> > > > /proc/irq/XXX/smp_affinity did not exist and it tried to create it
> > > > as a result.  No point in allowing that; it can't be done anyway.
> > > 
> > > The IRQ entries are valid, and so is smp_affinity.
> > > If the IRQ management script is called from a root console, I get no
> > > denials.
> > > If the IRQ management script is called by a systemd service, I get
> > > denials.
> > > 
> > > The denial message is:
> > > "type=AVC msg=audit(1483384972.624:3669): avc:  denied  { associate }
> > > for  pid=10271 comm="ipp_start" name="smp_affinity"
> > > scontext=system_u:object_r:sysctl_irq_t:s0
> > > tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0"
> > > ipp_start label is unconfined_u:object_r:bin_t:s0.
> > > 
> > > I was planning to write a policy file, as I assumed it was
> > > intentional systemd-related policy. Am I wrong?
> > 
> > There is no benefit in allowing it in policy; you can't create files
> > there.  You can dontaudit it if you want to suppress the log noise.
> > 
> > 
> 
> Hello Stephen,
> 
> Thanks again for taking the time to answer my questions. I appreciate
> the effort.
> 
> The log messages are annoying but not the main issue; the main problem
> is that SELinux seems to block my script from configuring smp_affinity
> from within a systemd service.
> I'll be eternally grateful if you can point me in the right direction
> on how to give my script the SELinux attributes required to configure
> smp_affinity from a systemd service domain.

What other avc denials are you getting?  The one you've listed so far
isn't meaningful.

Have you confirmed that it works correctly if you make SELinux
permissive (i.e. is it truly SELinux that is preventing it from
working)?
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
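The two points Stephen makes above (a `filesystem { associate }` denial with a proc sysctl type as the source is a failed attempt to create a file on procfs, which no allow rule can make succeed, and only the remaining denials are worth looking at) can be turned into a small triage tool. The following is an added example written for this page; it is not code from the selinux list, from Stephen Smalley, or from the reporter's ipp_start script. It parses AVC records in the format quoted in the thread, classifies the associate-on-proc_t case as a dontaudit candidate, and emits a TE rule for everything else. The first sample line is the denial quoted in the thread; the second is a constructed, hypothetical record (the domain `example_irq_t`, the `write` permission, and the `ino` value are invented for illustration) showing what a denial that actually blocks the write would look like.

```python
"""Triage SELinux AVC denial records.

Added example for this thread, not code from the selinux list or the
reporter's script. Assumes only the record layout shown in the thread:
  type=AVC msg=audit(...): avc: denied { perms } for key=value ...
"""
import re
from dataclasses import dataclass

# Constructed sample input. Line 1 is the denial quoted in the thread.
# Line 2 is hypothetical: example_irq_t, write, ino=12345 are invented
# to show a denial that really would block writing smp_affinity.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1483384972.624:3669): avc:  denied  { associate } for  pid=10271 comm="ipp_start" name="smp_affinity" scontext=system_u:object_r:sysctl_irq_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1483384972.624:3670): avc:  denied  { write } for  pid=10271 comm="ipp_start" name="smp_affinity" dev="proc" ino=12345 scontext=system_u:system_r:example_irq_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: list          # permissions inside { ... }
    fields: dict         # key=value pairs after "for"

    def _type(self, ctx_key):
        # user:role:type[:range] -> the type component
        return self.fields[ctx_key].split(":")[2]

    @property
    def source_type(self):
        return self._type("scontext")

    @property
    def target_type(self):
        return self._type("tcontext")

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Return a Denial for an AVC denial record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(perms=m.group("perms").split(), fields=fields)


def parse_audit_log(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def was_enforced(d):
    """permissive=0 means the access was actually blocked; in permissive
    mode the same record is logged with permissive=1 and the access goes
    through, which is how to confirm SELinux is the cause at all."""
    return d.fields.get("permissive") == "0"


def is_create_on_proc(d):
    """filesystem:associate with a proc sysctl type as the source context is
    the kernel refusing to label a *new* inode on procfs, i.e. the script
    tried to create the file. No allow rule can make that work, so the
    only sensible policy change is a dontaudit."""
    return (d.tclass == "filesystem" and "associate" in d.perms
            and d.target_type == "proc_t")


def te_rule(d, kind):
    """Render an allow/dontaudit rule in .te syntax for this denial."""
    return f"{kind} {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def triage(text):
    """Return (verdict, rule) pairs: dontaudit for the pointless associate
    denial, a candidate allow rule (to be reviewed, not blindly applied)
    for everything else."""
    out = []
    for d in parse_audit_log(text):
        kind = "dontaudit" if is_create_on_proc(d) else "allow"
        out.append((kind, te_rule(d, kind)))
    return out


if __name__ == "__main__":
    for verdict, rule in triage(SAMPLE_AUDIT):
        print(f"{verdict:10s} {rule}")
```

On the thread's own denial this yields `dontaudit sysctl_irq_t proc_t:filesystem { associate };`, which is the rule to add if the log noise is all that bothers you; it will not make the write work. Any `allow` line the tool prints for other records is a starting point for review, not a policy to ship unread.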