Description of problem:
Please add support for our new tuned 2.0. Tuned 2.0 is an evolution of our tuned tool.

Description: It is a tool for static/dynamic tuning of the system according to the selected profile and the current runtime state of the system.

Currently it stores config and user profiles into:
/etc/tuned/
example:
/etc/tuned/active_profile
example user provided profile (user_powersave):
/etc/tuned/user_powersave/tuned.conf
/etc/tuned/user_powersave/script.sh (could be an arbitrary name)

Distribution profiles are stored (there are several profiles) under:
/usr/lib/tuned
example distribution provided profile (powersave profile):
/usr/lib/tuned/powersave/tuned.conf
/usr/lib/tuned/powersave/script.sh

It logs to:
/var/log/tuned.log

It stores runtime data to files under:
/var/run/tuned

Currently each script.sh is run from tuned and does various tunings (mostly reads/writes sysfs and runs various other tools like iwpriv) and reads/writes runtime data from/to /var/run/tuned.

Some AVCs observed during normal operation:

type=AVC msg=audit(1332972553.563:678): avc: denied { signal } for pid=3759 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=process
type=SYSCALL msg=audit(1332972553.563:678): arch=c000003e syscall=62 success=yes exit=0 a0=ead a1=a a2=0 a3=7fff6c47e170 items=0 ppid=1 pid=3759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_START msg=audit(1332972553.577:679): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1332972553.586:680): avc: denied { read } for pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.586:680): avc: denied { open } for pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.586:680): arch=c000003e syscall=2 success=yes exit=4 a0=7f92e400c970 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.587:681): avc: denied { getattr } for pid=3761 comm="tuned" path="/var/run/tuned/save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.587:681): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7f92e91aa840 a2=7f92e91aa840 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972553.592:682): avc: denied { write } for pid=3761 comm="tuned" name="active_profile" dev="dm-1" ino=264296 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1332972553.592:682): arch=c000003e syscall=2 success=yes exit=8 a0=7f92e40092e0 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972676.389:683): avc: denied { unlink } for pid=3761 comm="tuned" name="save.pickle" dev="tmpfs" ino=42602 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1332972676.389:683): arch=c000003e syscall=87 success=yes exit=0 a0=7f92e400a2d0 a1=1 a2=7f92f6cb25c8 a3=6e75722f7261762f items=0 ppid=1 pid=3761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972686.921:684): avc: denied { write } for pid=3869 comm="ethtool" path="/dev/cpu_dma_latency" dev="devtmpfs" ino=7474 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1332972686.921:684): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4064630 a1=7f92e4014a40 a2=7fff6c47eb48 a3=20 items=0 ppid=3759 pid=3869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ethtool" exe="/sbin/ethtool" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1332972686.961:685): avc: denied { execute_no_trans } for pid=3875 comm="tuned" path="/usr/lib/tuned/powersave/script.sh" dev="dm-1" ino=2627560 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1332972686.961:685): arch=c000003e syscall=59 success=yes exit=0 a0=7f92e4062080 a1=7f92e4014a40 a2=7fff6c47eb48 a3=7f92e99ac1a0 items=0 ppid=3759 pid=3875 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="script.sh" exe="/bin/bash" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.008:686): avc: denied { getattr } for pid=3879 comm="ls" path="/dev/sda" dev="devtmpfs" ino=7477 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1332972687.008:686): arch=c000003e syscall=6 success=yes exit=0 a0=7fffc878df29 a1=f200e0 a2=f200e0 a3=7fffc878bbe0 items=0 ppid=3878 pid=3879 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:687): avc: denied { create } for pid=3901 comm="iwpriv" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:687): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=2 a2=0 a3=7fff05843270 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.081:688): avc: denied { ioctl } for pid=3901 comm="iwpriv" path="socket:[45800]" dev="sockfs" ino=45800 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1332972687.081:688): arch=c000003e syscall=16 success=no exit=-95 a0=5 a1=8b0d a2=7fff05843490 a3=7fff05843220 items=0 ppid=3875 pid=3901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iwpriv" exe="/sbin/iwpriv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.099:689): avc: denied { search } for pid=3907 comm="sysctl" name="vm" dev="proc" ino=45804 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1332972687.099:689): avc: denied { getattr } for pid=3907 comm="sysctl" path="/proc/sys/vm/dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.099:689): arch=c000003e syscall=4 success=yes exit=0 a0=250d010 a1=7fff83670a20 a2=7fff83670a20 a3=7fff836707b0 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.100:690): avc: denied { read } for pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=AVC msg=audit(1332972687.100:690): avc: denied { open } for pid=3907 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.100:690): arch=c000003e syscall=2 success=yes exit=5 a0=250d010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.102:691): avc: denied { write } for pid=3910 comm="sysctl" name="dirty_writeback_centisecs" dev="proc" ino=45805 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.102:691): arch=c000003e syscall=2 success=yes exit=5 a0=12fe010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3910 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:692): avc: denied { search } for pid=3913 comm="sysctl" name="kernel" dev="proc" ino=15336 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1332972687.107:692): avc: denied { getattr } for pid=3913 comm="sysctl" path="/proc/sys/kernel/nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:692): arch=c000003e syscall=4 success=yes exit=0 a0=a08010 a1=7fff098e8780 a2=7fff098e8780 a3=7fff098e8510 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.107:693): avc: denied { read } for pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1332972687.107:693): avc: denied { open } for pid=3913 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.107:693): arch=c000003e syscall=2 success=yes exit=5 a0=a08010 a1=0 a2=1b6 a3=238 items=0 ppid=3759 pid=3913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1332972687.110:694): avc: denied { write } for pid=3914 comm="sysctl" name="nmi_watchdog" dev="proc" ino=45818 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1332972687.110:694): arch=c000003e syscall=2 success=yes exit=5 a0=22d0010 a1=241 a2=1b6 a3=238 items=0 ppid=3759 pid=3914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysctl" exe="/sbin/sysctl" subj=system_u:system_r:tuned_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1332972764.647:695): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
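Added example (not code from the report, from tuned or from selinux-policy): a small Python summarizer that groups the AVC records above by source type, target type and object class, renders them in the shape audit2allow prints, and flags rules whose target is a generic base type such as etc_t or lib_t, which a policy author would normally give a dedicated type rather than allow wholesale. The sample records are copied from the AVCs above and trimmed to the fields the parser uses; the regex, the function names and the set of generic types are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records copied from the report above (trimmed to
# the fields that matter) plus one SYSCALL record, which carries no denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1332972553.586:680): avc:  denied  { read } for  pid=3761 comm="tuned" name="save.pickle" scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.586:680): avc:  denied  { open } for  pid=3761 comm="tuned" name="save.pickle" scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1332972553.592:682): avc:  denied  { write } for  pid=3761 comm="tuned" name="active_profile" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1332972686.961:685): avc:  denied  { execute_no_trans } for  pid=3875 comm="tuned" path="/usr/lib/tuned/powersave/script.sh" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1332972686.961:685): arch=c000003e syscall=59 success=yes exit=0 comm="script.sh" exe="/bin/bash"
"""

# \s+ tolerates both auditd's double spaces and the single spaces left by copy/paste.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Base types shared by many unrelated files; an allow rule against one of these
# is far broader than the single file or script tuned actually touches.
GENERIC_TARGET_TYPES = {"etc_t", "lib_t", "var_run_t", "bin_t", "usr_t"}


def context_type(ctx):
    """user:role:type:level -> type (system_u:object_r:etc_t:s0 -> etc_t)."""
    return ctx.split(":")[2]


def summarize_avcs(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL / SERVICE_* records describe no denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render in the shape audit2allow prints, for review rather than blind use."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


def flag_generic_targets(rules):
    """Return the (src, tgt, cls) keys whose target is a generic base type."""
    return sorted(k for k in rules if k[1] in GENERIC_TARGET_TYPES)
```

Every key this flags in the sample (etc_t for active_profile, lib_t for script.sh, var_run_t for save.pickle) is one where a file context for tuned's own paths narrows the rule to what the daemon needs.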
What is tuned writing to /etc/tuned/ ? Is the /usr/lib/tuned/ dir only for shell scripts and configs? Does tuned write to this directory?
(In reply to comment #1)
> What is tuned writing to /etc/tuned/ ?

It writes there the current active profile (/etc/tuned/active_profile).

> Is the /usr/lib/tuned/ dir only for shell scripts and configs? Does tuned write
> to this directory?

There are default profiles in the same format as in /etc/tuned and everything there is supposed to be read-only from tuned's perspective.
So it writes only /etc/tuned/active_profile, right?
If we're talking about /etc/*, then yes, only to /etc/tuned/active_profile.
I added fixes to F17.
selinux-policy-3.10.0-110.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-110.fc17
selinux-policy-3.10.0-110.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.