On Mon, Jan 9, 2017 at 11:54 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> > Hello,
> >
> > Sorry for the late reply. Was AFK for a couple of days.
> > The script is used to attach certain network device IRQ to specific
> > CPUs using 'echo XXXX > /proc/irq/XXX/smp_affinity'.
> The only scenario where we would expect to see that denial is if
> /proc/irq/XXX/smp_affinity did not exist and it tried to create it as a
> result. No point in allowing that; it can't be done anyway.
The IRQ entries are valid, and so is smp_affinity.
If the IRQ management script is called from a root console, I get no denials.
If the IRQ management script is called by a systemd service, I get denials.
The denial message is:
"type=AVC msg=audit(1483384972.624:3669): avc: denied { associate }
for pid=10271 comm="ipp_start" name="smp_affinity"
scontext=system_u:object_r:sysctl_irq_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0"
ipp_start label is unconfined_u:object_r:bin_t:s0.
I was planning to write a policy file, as I assumed it was an intentional
systemd-related policy. Am I wrong?
- Gilboa
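An added example, not part of the thread and not Gilboa's script: Stephen's explanation is that a filesystem:associate check on proc_t is reached only when something tries to create a file there, and a shell redirect such as `echo XXXX > /proc/irq/XXX/smp_affinity` opens the path with O_CREAT, so a missing entry turns a plain write into a create attempt. The function below does the same write but tests for the entry first, validates the IRQ number and hex mask, and treats the write's own exit status as the success signal, since the kernel rejects masks it cannot apply. The optional third argument (the IRQ root directory, defaulting to /proc/irq) is an assumption of this example so the function can be exercised against a scratch directory rather than the live /proc.

```shell
#!/bin/sh
# Added example (not from the thread): write an IRQ affinity mask only when
# the target sysctl entry already exists, so a missing entry can never turn
# the shell's '>' redirect into a create attempt on /proc.
#
# Usage: set_irq_affinity IRQ HEXMASK [IRQ_ROOT]
#   IRQ_ROOT defaults to /proc/irq; making it a parameter is an assumption of
#   this example so the function can be tested against a scratch directory.
set_irq_affinity() {
    irq=$1
    mask=$2
    root=${3:-/proc/irq}
    target="$root/$irq/smp_affinity"

    # Validate inputs before touching the filesystem: IRQ numbers are
    # decimal, smp_affinity takes a hex mask (comma-separated on large boxes).
    case $irq in
        ''|*[!0-9]*) printf 'bad irq number: %s\n' "$irq" >&2; return 2 ;;
    esac
    case $mask in
        ''|*[!0-9a-fA-F,]*) printf 'bad affinity mask: %s\n' "$mask" >&2; return 2 ;;
    esac

    # Refuse to proceed if the entry is absent: '>' would otherwise open the
    # path with O_CREAT, which is the only way to reach a create on proc_t.
    if [ ! -f "$target" ]; then
        printf 'no such IRQ entry: %s\n' "$target" >&2
        return 1
    fi
    if [ ! -w "$target" ]; then
        printf 'not writable: %s\n' "$target" >&2
        return 1
    fi

    # printf avoids echo's implementation-specific option and escape handling.
    # The kernel refuses masks it cannot apply (e.g. only offline CPUs), so the
    # write's exit status, not the existence of the file, is the real result.
    if ! printf '%s\n' "$mask" > "$target" 2>/dev/null; then
        printf 'kernel rejected mask %s for IRQ %s\n' "$mask" "$irq" >&2
        return 1
    fi
    return 0
}
```

Called from a unit as `set_irq_affinity 42 f`, a missing /proc/irq/42/smp_affinity now produces a clear error and a non-zero exit instead of a create attempt, which keeps the service's failure visible in the journal rather than buried in an AVC record that policy cannot sensibly allow.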