Hello all,
I've got a script that sets the network device IRQ CPU affinity.
(irqbalance without the balance...).
Due to changes to the /proc/irq/XXX/* SELinux targeted policy (?), this
script no longer works.
- AVC message: avc: denied { associate } for pid=234250
comm="dev_irq_fix" name="smp_affinity"
scontext=unconfined_u:object_r:sysctl_irq_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
- audit2allow:
allow sysctl_irq_t proc_t:filesystem associate;
As I appreciate the need for a solid SELinux policy, I'd rather label my
script correctly, as opposed to opening the sysctl_irq_t gate to
world+dog.
As such, I'd like to create a file label that *extends* the generic
bin_t label - let's call it dev_manage_t - that will be used to give a
certain set of scripts the ability to modify /proc/irq/XXX/.
Now, I tried creating the following policy, and, needless to say, it
failed miserably when I tried to restorecon my script files (EPERM).
1. dev_manage.fc:
------------------------------
# File contexts use system_u by convention; restorecon only sets the type anyway.
/sbin/dev_irq_set -- gen_context(system_u:object_r:dev_manage_t,s0)
/sbin/dev_irq_fix -- gen_context(system_u:object_r:dev_manage_t,s0)
2. dev_manage.te
------------------------------
policy_module(dev_manage, 1.0)

type dev_manage_t;
# A bare 'type' has no file_type attribute and no filesystem associate
# permission, so relabeling a file to it is refused. files_type() adds both.
files_type(dev_manage_t)

gen_require(`
	type sysctl_irq_t;
')

# These rules only take effect for a *process* whose domain is dev_manage_t;
# labeling a script dev_manage_t does not by itself make it run in that domain.
# 'search' is a dir permission, not a file permission, so it is dropped here.
allow dev_manage_t sysctl_irq_t:file { read write getattr open };
allow dev_manage_t sysctl_irq_t:dir { search read write getattr open };
Can anyone please point me in the right direction? I tried using
existing .te files as reference (e.g. irqbalance.te), but it didn't help
much.
- Gilboa
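For reference, here is a complete module of the kind the post is asking for, added as an example and not code from the original post or from irqbalance. The point it shows is that a file type on its own grants nothing: the scripts get an *exec* type (dev_manage_exec_t), and a domain transition carries the process into a *domain* (dev_manage_t) that is the one actually allowed to write sysctl_irq_t. The interface names (application_domain, kernel_rw_irq_sysctls, corecmd_exec_shell, unconfined_run_to, ...) are refpolicy's as found under /usr/share/selinux/devel/include and should be checked against the installed headers; the assumptions that the scripts are #!/bin/sh scripts run by an admin from an unconfined shell and that they read /proc/interrupts are mine.

```selinux
# ---- dev_manage.te ----
policy_module(dev_manage, 1.0)

########################################
#
# Declarations
#

# dev_manage_t is only ever a process type; dev_manage_exec_t is the label
# that goes on the scripts and acts as the entrypoint into the domain.
type dev_manage_t;
type dev_manage_exec_t;
application_domain(dev_manage_t, dev_manage_exec_t)

########################################
#
# Local policy
#

# Write /proc/irq/*/smp_affinity. Same interface irqbalance.te uses: it
# grants search on proc_t/sysctl_t and rw on sysctl_irq_t files and dirs,
# which is exactly what the denied script needs.
kernel_rw_irq_sysctls(dev_manage_t)

# Assumption: the scripts parse /proc/interrupts to find their IRQ numbers.
kernel_read_system_state(dev_manage_t)

# Assumption: the scripts are #!/bin/sh. The shell must run *inside* the
# domain (execute_no_trans on shell_exec_t) instead of transitioning out of
# it, and helpers such as grep/awk are plain bin_t.
corecmd_exec_shell(dev_manage_t)
corecmd_exec_bin(dev_manage_t)

# Print to the admin's terminal, read /etc and locale data.
userdom_use_user_terminals(dev_manage_t)
files_read_etc_files(dev_manage_t)
miscfiles_read_localization(dev_manage_t)

# Entering the domain: when unconfined_t executes a dev_manage_exec_t file
# the new process runs as dev_manage_t (and unconfined_r is allowed that
# type). This transition is what a file label alone cannot provide.
# Use init_daemon_domain() instead if the scripts run from a boot service.
unconfined_run_to(dev_manage_t, dev_manage_exec_t)

# ---- dev_manage.fc ----
# The scripts get the exec type, not the domain type. system_u is the
# convention for file contexts; restorecon keeps user/role unless forced.
/sbin/dev_irq_set	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
/sbin/dev_irq_fix	--	gen_context(system_u:object_r:dev_manage_exec_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile dev_manage.pp && semodule -i dev_manage.pp`, then `restorecon -v /sbin/dev_irq_set /sbin/dev_irq_fix` and confirm with `ls -Z` that the scripts carry dev_manage_exec_t. `sesearch -A -s dev_manage_t -t sysctl_irq_t -c file -p write` shows whether the write rule landed; if the script still trips denials (a path it reads that I did not guess), put the domain in permissive mode with `semanage permissive -a dev_manage_t`, run it once, and feed `ausearch -m avc -c dev_irq_fix` to audit2allow -R to see which additional interfaces it wants, then remove the permissive entry.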