807855 – Please add support for our new tuned 2.0

Bug 807855 - Please add support for our new tuned 2.0

Summary: Please add support for our new tuned 2.0

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-28 22:53 UTC by Jaroslav Škarvada
Modified:	2012-04-04 21:10 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.10.0-110.fc17
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-04-04 21:10:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jaroslav Škarvada 2012-03-28 22:53:17 UTC

Description of problem:
Please add support for our new tuned 2.0. Tuned 2.0 is evolution of our tuned tool.

Description:
It is tool for static/dynamic tuning of system according to selected profile and current runtime state of system.

Currently it stores config and user profiles into:
/etc/tuned/

example:
/etc/tuned/active_profile

example user provided profile (user_powersave)
/etc/tuned/user_powersave/tuned.conf
/etc/tuned/user_powersave/script.sh (could be arbitrary name)

Distribution profiles are stored (there are several profiles) under:
/usr/lib/tuned

example distribution provided profile (powersave profile):
/usr/lib/tuned/powersave/tuned.conf
/usr/lib/tuned/powersave/script.sh

It logs to:
/var/log/tuned.log

It store runtime data to files under:
/var/run/tuned

Currently each script.sh is run from tuned and do various tunings (mostly read/writes sysfs and runs various other tools like iwpriv) and read/writes runtime data from/to /var/run/tuned.

Some AVCs observed during normal operation:
type=AVC msg=audit(1332972553.563:678): avc:  denied  { signal } for  pid=3759 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=process
type=SYSCALL msg=audit(1332972553.563:678): arch=c000003e syscall=62 success=yes exit=0 a0=ead a1=a a2=0 a3=7fff6c47e170 items=0 ppid=1 pid=3759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_START msg=audit(1332972553.577:679): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1332972553.586:680): avc:  denied  { read } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.586:680): avc:  denied  { open } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.586:680): arch=c000003e syscall=2 success=yes exit=4 a0=7f92e400c970 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.587:681): avc:  denied  { getattr } for  pid=3761 comm="tuned" path="/var/run/tuned/save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.587:681): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7f92e91aa840 a2=7f92e91aa840 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.592:682): avc:  denied  { write } for  pid=3761 comm="tuned" name="active_profile" dev="dm-1" ino=264296 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.592:682): arch=c000003e syscall=2 success=yes exit=8 a0=7f92e40092e0 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972676.389:683): avc:  denied  { unlink } for  pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972676.389:683): arch=c000003e syscall=87 success=yes exit=0 a0=7f92e400a2d0 a1=1 a2=7f92f6cb25c8 a3=6e75722f7261762f items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972686.921:684): avc:  denied  { write } for  pid=3869 comm="ethtool" path="/dev/cpu_dma_latency" dev="devtmpfs" ino=7474 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1332972686.921:684): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4064630 a1=7f92e4014a40 a2=7fff6c47eb48 a3=20 items=0 ppid=3759 pid=3869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1332972686.961:685): avc:  denied  { execute_no_trans } for  pid=3875 comm="tuned" path="/usr/lib/tuned/powersave/script.sh" dev="dm-1" ino=2627560 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1332972686.961:685): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4062080 a1=7f92e4014a40 a2=7fff6c47eb48 a3=7f92e99ac1a0 items=0 ppid=3759 pid=3875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="script.sh" exe="/bin/bash" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.008:686): avc:  denied  { getattr } for  pid=3879 comm="ls" path="/dev/sda" dev="devtmpfs" ino=7477 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1332972687.008:686): arch=c000003e syscall=6 success=yes exit=0 a0=7fffc878df29 a1=f200e0 a2=f200e0 a3=7fffc878bbe0 items=0 ppid=3878 pid=3879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:687): avc:  denied  { create } for  pid=3901 comm="iwpriv" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:687): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=2 a2=0 a3=7fff05843270 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:688): avc:  denied  { ioctl } for  pid=3901 comm="iwpriv" path="socket:[45800]" dev="sockfs" ino=45800 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:688): arch=c000003e syscall=16 success=no exit=-95 a0=5 a1=8b0d a2=7fff05843490 a3=7fff05843220 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.099:689): avc:  denied  { search } for  pid=3907 comm="sysctl" name="vm" dev="proc" ino=45804 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1332972687.099:689): avc:  denied  { getattr } for  pid=3907 comm="sysctl" path="/proc/sys/vm/dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.099:689): arch=c000003e syscall=4 success=yes exit=0 a0=250d010 a1=7fff83670a20 a2=7fff83670a20 a3=7fff836707b0 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.100:690): avc:  denied  { read } for  pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1332972687.100:690): avc:  denied  { open } for  pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.100:690): arch=c000003e syscall=2 success=yes exit=5 a0=250d010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.102:691): avc:  denied  { write } for  pid=3910 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.102:691): arch=c000003e syscall=2 success=yes exit=5 a0=12fe010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:692): avc:  denied  { search } for  pid=3913 comm="sysctl" name="kernel" dev="proc" ino=15336 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1332972687.107:692): avc:  denied  { getattr } for  pid=3913 comm="sysctl" path="/proc/sys/kernel/nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:692): arch=c000003e syscall=4 success=yes exit=0 a0=a08010 a1=7fff098e8780 a2=7fff098e8780 a3=7fff098e8510 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:693): avc:  denied  { read } for  pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1332972687.107:693): avc:  denied  { open } for  pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:693): arch=c000003e syscall=2 success=yes exit=5 a0=a08010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.110:694): avc:  denied  { write } for  pid=3914 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.110:694): arch=c000003e syscall=2 success=yes exit=5 a0=22d0010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1332972764.647:695): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'

Comment 1 Miroslav Grepl 2012-03-29 06:54:58 UTC

What is tuned writing to /etc/tuned/ ?

Is the /usr/lib/tuned/ dir only for shell scirpts and configs? Does tuned write to this directory?

Comment 2 Jan Kaluža 2012-03-29 07:13:39 UTC

(In reply to comment #1)
> What is tuned writing to /etc/tuned/ ?

It writes there current active profile (/etc/tuned/active_profile).

> Is the /usr/lib/tuned/ dir only for shell scirpts and configs? Does tuned write
> to this directory?

There are default profiles in the same format as in /etc/tuned and everyting there is supposed to be read-only from tuned perspective.

Comment 3 Miroslav Grepl 2012-03-29 08:19:29 UTC

So it writes only /etc/tuned/active_profile, right?

Comment 4 Jan Kaluža 2012-03-29 09:08:05 UTC

If we're talking about /etc/*, then yes, only to /etc/tuned/active_profile.

Comment 5 Miroslav Grepl 2012-03-29 10:43:15 UTC

I added fixes to F17.

Comment 6 Fedora Update System 2012-04-03 07:44:06 UTC

selinux-policy-3.10.0-110.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-110.fc17

Comment 7 Fedora Update System 2012-04-04 21:10:55 UTC

selinux-policy-3.10.0-110.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.