The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.
Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata
V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces
Signed-off-by: Dominick Grift <dac.override@gmail.com>
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.
Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903
AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc: denied { write } for pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
In this case new filesystem "cgroup2" need to be labeled as cgroup_t.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
When a device gets removed, for example with "cryptsetup close",
kdevtmpfs (a kernel thread) removes its entry from devtmpfs filesystem:
avc: denied { unlink } for pid=48 comm="kdevtmpfs"
name="dm-4" dev="devtmpfs" ino=144111
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Allow this access on systems using systemd.
On Arch Linux, /usr/lib/gvfs directory contains both executable files
(gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so
and libgvfsdaemon.so). As all executable files are prefixed with
"gfvs", so use this to distinguish them with the libraries.
This fixes the following AVC denials, reported from geoclue service
using a library wrongly labelled bin_t:
avc: denied { read } for pid=14872 comm="geoclue"
name="libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { open } for pid=14872 comm="geoclue"
path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { execute } for pid=14872 comm="geoclue"
path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
It is used by system-config-printer, as shown by these AVC denials:
avc: denied { execute } for pid=1061 comm="system-config-p"
name="applet.py" dev="dm-0" ino=9568316
scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t
tclass=file permissive=1
avc: denied { execute_no_trans } for pid=1061
comm="system-config-p"
path="/usr/share/system-config-printer/applet.py" dev="dm-0"
ino=9568316 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=system_u:object_r:usr_t tclass=file permissive=1
When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not so loading
fails. Moving them into optional_policy fixes this.
It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is ATM used by libvirt.
The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used,
keep them out of the file for the time being.
