On Sat, 2016-12-24 at 12:04 +0200, Gilboa Davara wrote:
> On Wed, Dec 21, 2016 at 10:10 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> >
> > On Sun, 2016-12-18 at 21:11 +0200, Gilboa Davara wrote:
> > >
> > > Hello all,
> > >
> > > I've got a script that sets the network device IRQ CPU affinity
> > > (irqbalance without the balance...).
> > > Due to changes to the /proc/irq/XXX/* SELinux targeted policy (?),
> > > this script no longer works.
> > >
> > > - avc message: avc: denied { associate } for pid=234250
> > > comm="dev_irq_fix" name="smp_affinity"
> > > scontext=unconfined_u:object_r:sysctl_irq_t:s0
> > > tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
> > > permissive=0
> > >
> > > - audit2allow:
> > > allow sysctl_irq_t proc_t:filesystem associate;
> >
> > filesystem associate permission is only checked for:
> > - mount with context= option,
> > - file creation,
> > - relabeling of a file.
> >
> > None of those make sense for /proc/irq/* files AFAIK.
> >
> > What is your script doing to trigger this denial?
> > /proc files are kernel-generated pseudo files, so they aren't files
> > that userspace would be creating or relabeling.
>
> Hello,
>
> Sorry for the late reply. Was AFK for a couple of days.
> The script is used to attach certain network device IRQs to specific
> CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.

The only scenario where we would expect to see that denial is if
/proc/irq/XXX/smp_affinity did not exist and it tried to create it as a
result. No point in allowing that; it can't be done anyway.
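As an added example, not code from the thread (the script in question was never posted), here is a POSIX shell helper that writes the affinity mask the same way the script does, but only after confirming that the kernel-provided pseudo file exists, so a shell redirection never attempts the create() that is the one path to the filesystem:associate check discussed above. The optional third argument (an alternative proc root) and the sample tree built with mktemp are assumptions made for this example so that it runs without root privileges or SELinux.

```shell
#!/bin/sh
# Added example, not code from the thread: set an IRQ's CPU affinity only when
# the kernel-provided /proc/irq/<irq>/smp_affinity pseudo file already exists.
# A plain 'echo mask > path' redirection would try to create the file when it
# is missing, and that create attempt is the only way the script could reach
# the filesystem:associate check behind the AVC denial quoted above.
#
# The optional third argument (proc root, default /proc) is an assumption made
# for this example so the function can be exercised against a constructed
# directory tree without root privileges or SELinux.

set_irq_affinity() {
    sia_irq=$1
    sia_mask=$2
    sia_root=${3:-/proc}
    sia_target="$sia_root/irq/$sia_irq/smp_affinity"

    # IRQ numbers are decimal; smp_affinity takes a hex CPU bitmap, written as
    # comma-separated 32-bit words on systems with more than 32 CPUs.
    case $sia_irq in
        ''|*[!0-9]*) echo "set_irq_affinity: bad IRQ number '$sia_irq'" >&2; return 2 ;;
    esac
    case $sia_mask in
        ''|*[!0-9a-fA-F,]*) echo "set_irq_affinity: bad affinity mask '$sia_mask'" >&2; return 2 ;;
    esac

    # Refuse when the pseudo file is absent: procfs cannot create it anyway,
    # so the only effect of trying would be a spurious denial in the audit log.
    if [ ! -f "$sia_target" ]; then
        echo "set_irq_affinity: $sia_target does not exist (IRQ $sia_irq not present?)" >&2
        return 1
    fi

    # printf rather than echo: echo's handling of -n and backslashes varies.
    printf '%s\n' "$sia_mask" > "$sia_target"
}

# Read back the current mask so a caller can verify the write took effect.
read_irq_affinity() {
    cat "${2:-/proc}/irq/$1/smp_affinity"
}

# Demonstration against a constructed fake /proc tree (not the real procfs).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/irq/42"
printf 'ff\n' > "$demo_root/irq/42/smp_affinity"

if set_irq_affinity 42 3 "$demo_root"; then
    echo "IRQ 42 affinity now: $(read_irq_affinity 42 "$demo_root")"
fi
if ! set_irq_affinity 43 3 "$demo_root"; then
    echo "IRQ 43 skipped: nothing written, no create attempt made"
fi
rm -rf "$demo_root"
```

On a real system the function is called as root with the third argument omitted, so it operates on /proc directly; the existence check means a missing IRQ directory produces a clear error on stderr instead of an audit-log denial that audit2allow would turn into a pointless allow rule.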