Bug 807855

Summary: Please add support for our new tuned 2.0
Product: Fedora
Component: selinux-policy
Version: 17
Status: CLOSED ERRATA
Reporter: Jaroslav Škarvada <jskarvad>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, jkaluza, jvcelak, mgrepl
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.10.0-110.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-04 21:10:55 UTC

Description Jaroslav Škarvada 2012-03-28 22:53:17 UTC
Description of problem:
Please add support for our new tuned 2.0. Tuned 2.0 is an evolution of our tuned tool.

Description:
It is a tool for static/dynamic tuning of the system according to the selected profile and the current runtime state of the system.

Currently it stores config and user profiles into:
/etc/tuned/

example:
/etc/tuned/active_profile

example user-provided profile (user_powersave):
/etc/tuned/user_powersave/tuned.conf
/etc/tuned/user_powersave/script.sh (could be arbitrary name)

Distribution profiles are stored (there are several profiles) under:
/usr/lib/tuned

example distribution provided profile (powersave profile):
/usr/lib/tuned/powersave/tuned.conf
/usr/lib/tuned/powersave/script.sh

It logs to:
/var/log/tuned.log

It stores runtime data in files under:
/var/run/tuned

Currently each script.sh is run from tuned and does various tunings (mostly reads/writes sysfs and runs various other tools like iwpriv) and reads/writes runtime data from/to /var/run/tuned.

Some AVCs observed during normal operation:
type=AVC msg=audit(1332972553.563:678): avc:  denied  { signal } for  pid=3759 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=process
type=SYSCALL msg=audit(1332972553.563:678): arch=c000003e syscall=62 success=yes exit=0 a0=ead a1=a a2=0 a3=7fff6c47e170 items=0 ppid=1 pid=3759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_START msg=audit(1332972553.577:679): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1332972553.586:680): avc:  denied  { read } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.586:680): avc:  denied  { open } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.586:680): arch=c000003e syscall=2 success=yes exit=4 a0=7f92e400c970 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.587:681): avc:  denied  { getattr } for  pid=3761 comm="tuned" path="/var/run/tuned/save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.587:681): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7f92e91aa840 a2=7f92e91aa840 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.592:682): avc:  denied  { write } for  pid=3761 comm="tuned" name="active_profile" dev="dm-1" ino=264296 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.592:682): arch=c000003e syscall=2 success=yes exit=8 a0=7f92e40092e0 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972676.389:683): avc:  denied  { unlink } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972676.389:683): arch=c000003e syscall=87 success=yes exit=0 a0=7f92e400a2d0 a1=1 a2=7f92f6cb25c8 a3=6e75722f7261762f items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972686.921:684): avc:  denied  { write } for  pid=3869 comm="ethtool" path="/dev/cpu_dma_latency" dev="devtmpfs" ino=7474 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1332972686.921:684): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4064630 a1=7f92e4014a40 a2=7fff6c47eb48 a3=20 items=0 ppid=3759 pid=3869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1332972686.961:685): avc:  denied  { execute_no_trans } for  pid=3875 comm="tuned" path="/usr/lib/tuned/powersave/script.sh" dev="dm-1" ino=2627560 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1332972686.961:685): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4062080 a1=7f92e4014a40 a2=7fff6c47eb48 a3=7f92e99ac1a0 items=0 ppid=3759 pid=3875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="script.sh" exe="/bin/bash" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.008:686): avc:  denied  { getattr } for  pid=3879 comm="ls" path="/dev/sda" dev="devtmpfs" ino=7477 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1332972687.008:686): arch=c000003e syscall=6 success=yes exit=0 a0=7fffc878df29 a1=f200e0 a2=f200e0 a3=7fffc878bbe0 items=0 ppid=3878 pid=3879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:687): avc:  denied  { create } for  pid=3901 comm="iwpriv" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:687): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=2 a2=0 a3=7fff05843270 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:688): avc:  denied  { ioctl } for  pid=3901 comm="iwpriv" path="socket:[45800]" dev="sockfs" ino=45800 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:688): arch=c000003e syscall=16 success=no exit=-95 a0=5 a1=8b0d a2=7fff05843490 a3=7fff05843220 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.099:689): avc:  denied  { search } for  pid=3907 comm="sysctl" name="vm" dev="proc" ino=45804 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1332972687.099:689): avc:  denied  { getattr } for  pid=3907 comm="sysctl" path="/proc/sys/vm/dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.099:689): arch=c000003e syscall=4 success=yes exit=0 a0=250d010 a1=7fff83670a20 a2=7fff83670a20 a3=7fff836707b0 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.100:690): avc:  denied  { read } for  pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1332972687.100:690): avc:  denied  { open } for  pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.100:690): arch=c000003e syscall=2 success=yes exit=5 a0=250d010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.102:691): avc:  denied  { write } for  pid=3910 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.102:691): arch=c000003e syscall=2 success=yes exit=5 a0=12fe010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:692): avc:  denied  { search } for  pid=3913 comm="sysctl" name="kernel" dev="proc" ino=15336 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1332972687.107:692): avc:  denied  { getattr } for  pid=3913 comm="sysctl" path="/proc/sys/kernel/nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:692): arch=c000003e syscall=4 success=yes exit=0 a0=a08010 a1=7fff098e8780 a2=7fff098e8780 a3=7fff098e8510 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:693): avc:  denied  { read } for  pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1332972687.107:693): avc:  denied  { open } for  pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:693): arch=c000003e syscall=2 success=yes exit=5 a0=a08010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.110:694): avc:  denied  { write } for  pid=3914 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.110:694): arch=c000003e syscall=2 success=yes exit=5 a0=22d0010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1332972764.647:695): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
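
The denials above, run through a small triage script. This is an added example, not code from tuned, selinux-policy or the reporter: it parses `type=AVC` audit records, joins each one to the `type=SYSCALL` record sharing its serial, and emits audit2allow-style candidate rules, but it sets two kinds of denial aside instead of turning them into `allow` rules. First, denials whose target carries a generic label (`etc_t` on `active_profile`, `var_run_t` on `save.pickle`, `lib_t` on `script.sh`) usually mean the path needs its own file context; `allow tuned_t etc_t:file write;` would let the daemon write anything under /etc. Second, the ethtool denial at serial 684 is a `write` on /dev/cpu_dma_latency, a device ethtool has no reason to open, and its SYSCALL record is `syscall=59` (execve), which is where the kernel re-validates inherited descriptors against the new domain; that pattern points at a descriptor the parent holds open being leaked into the child (close-on-exec is the fix), not at a missing `ifconfig_t` rule. The `GENERIC_TYPES` list, the execve heuristic and the sample subset of records are my choices, not anything the report states.

```python
"""Triage SELinux AVC denials such as those pasted in this report.

Added example, not code from tuned, selinux-policy or the reporter. It
parses type=AVC records (joining the SYSCALL record sharing each serial),
emits audit2allow-style candidate rules, and sets aside denials that a
blanket allow rule would paper over: targets carrying a generic label
(a mislabelled path) and read/write denials raised during execve (an fd
the parent leaked across exec).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Sample input: a subset of the AVC records from the description above,
# plus the SYSCALL record that shares serial 684 with the ethtool denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1332972553.563:678): avc:  denied  { signal } for  pid=3759 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=process
type=AVC msg=audit(1332972553.586:680): avc:  denied  { read } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.592:682): avc:  denied  { write } for  pid=3761 comm="tuned" name="active_profile" dev="dm-1" ino=264296 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1332972686.921:684): avc:  denied  { write } for  pid=3869 comm="ethtool" path="/dev/cpu_dma_latency" dev="devtmpfs" ino=7474 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1332972686.921:684): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4064630 a1=7f92e4014a40 a2=7fff6c47eb48 a3=20 items=0 ppid=3759 pid=3869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1332972686.961:685): avc:  denied  { execute_no_trans } for  pid=3875 comm="tuned" path="/usr/lib/tuned/powersave/script.sh" dev="dm-1" ino=2627560 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1332972687.099:689): avc:  denied  { search } for  pid=3907 comm="sysctl" name="vm" dev="proc" ino=45804 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1332972687.100:690): avc:  denied  { read } for  pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1332972687.102:691): avc:  denied  { write } for  pid=3910 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
"""

# Assumption: a confined daemon denied on these types usually has
# mislabelled files of its own; the fix is a file context, not a rule.
GENERIC_TYPES = {"etc_t", "var_run_t", "lib_t", "bin_t", "usr_t", "var_t",
                 "var_log_t", "var_lib_t", "tmp_t", "device_t"}
SYS_EXECVE = "59"  # x86_64 execve, as in the SYSCALL records above
FD_CLASSES = {"file", "chr_file", "blk_file", "fifo_file", "sock_file"}
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+"
                    r"\{([^}]*)\}\s+for\s+(.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


class Denial(NamedTuple):
    serial: str
    perm: str
    stype: str            # source (subject) type
    ttype: str            # target (object) type
    tclass: str
    comm: str
    path: str             # path= if present, else name=
    syscall: Optional[str]


def _fields(text: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit(text: str) -> List[Denial]:
    """One Denial per (AVC record, permission), with its syscall if logged."""
    syscalls: Dict[str, str] = {}
    avcs = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group(1)] = _fields(m.group(2)).get("syscall", "")
        elif (m := AVC_RE.match(line)):
            avcs.append((m.group(1), m.group(2).split(), _fields(m.group(3))))
    # context is user:role:type[:level]; the type is what policy rules use
    return [Denial(serial, perm, f["scontext"].split(":")[2],
                   f["tcontext"].split(":")[2], f["tclass"], f.get("comm", ""),
                   f.get("path") or f.get("name", ""), syscalls.get(serial))
            for serial, perms, f in avcs for perm in perms]


def is_inherited_fd(d: Denial) -> bool:
    """read/write on an fd-backed object re-checked at execve: the new image
    inherited a descriptor its domain may not use; the parent should set
    close-on-exec on it rather than policy granting the child access."""
    return (d.syscall == SYS_EXECVE and d.tclass in FD_CLASSES
            and d.perm in {"read", "write", "append"})


def _permset(perms: Set[str]) -> str:
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def triage(denials: List[Denial]) -> Tuple[List[str], List[tuple], List[tuple]]:
    """Return (candidate allow rules, relabel hints, inherited-fd leaks)."""
    groups: Dict[Tuple[str, str, str], Set[str]] = {}
    relabel, leaks = set(), set()
    for d in denials:
        if is_inherited_fd(d):
            leaks.add((d.comm, d.path))
        elif d.ttype in GENERIC_TYPES:
            relabel.add((d.stype, d.ttype, d.path))
        else:
            groups.setdefault((d.stype, d.ttype, d.tclass), set()).add(d.perm)
    rules = [f"allow {s} {'self' if s == t else t}:{c} {_permset(p)};"
             for (s, t, c), p in sorted(groups.items())]
    return rules, sorted(relabel), sorted(leaks)


if __name__ == "__main__":
    rules, relabel, leaks = triage(parse_audit(SAMPLE_AUDIT))
    print("\n".join(rules))
    for s, t, p in relabel:
        print(f"# relabel, not allow: {s} denied on {t} for {p}")
    for comm, p in leaks:
        print(f"# fd leak: {comm} inherited {p} across execve")
```

Only the `rules` list is material for `audit2allow -M`-style packaging; on the sample it reduces to the sysctl accesses and `tuned_t` signalling itself. Fed the raw log, `audit2allow` would also emit rules for the `etc_t`, `var_run_t` and `lib_t` hits and for `ifconfig_t` writing `netcontrol_device_t`, which is exactly the over-broad output the relabel and leak buckets exist to keep out of a policy module.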

Comment 1 Miroslav Grepl 2012-03-29 06:54:58 UTC
What is tuned writing to /etc/tuned/ ?

Is the /usr/lib/tuned/ dir only for shell scripts and configs? Does tuned write to this directory?

Comment 2 Jan Kaluža 2012-03-29 07:13:39 UTC
(In reply to comment #1)
> What is tuned writing to /etc/tuned/ ?

It writes the current active profile there (/etc/tuned/active_profile).

> Is the /usr/lib/tuned/ dir only for shell scripts and configs? Does tuned write
> to this directory?

There are default profiles in the same format as in /etc/tuned, and everything there is supposed to be read-only from tuned's perspective.

Comment 3 Miroslav Grepl 2012-03-29 08:19:29 UTC
So it writes only /etc/tuned/active_profile, right?

Comment 4 Jan Kaluža 2012-03-29 09:08:05 UTC
If we're talking about /etc/*, then yes, only to /etc/tuned/active_profile.

Comment 5 Miroslav Grepl 2012-03-29 10:43:15 UTC
I added fixes to F17.

Comment 6 Fedora Update System 2012-04-03 07:44:06 UTC
selinux-policy-3.10.0-110.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-110.fc17

Comment 7 Fedora Update System 2012-04-04 21:10:55 UTC
selinux-policy-3.10.0-110.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.