The sys-apps/irqbalance package does not want to function out of the box in a full enforcing selinux environment. The pieces are there - the package just needs a little TLC. Basically, there is no selinux use flag. This means the sec-policy/selinux-irqbalance policy package does not get installed, so currently this is a manual process.

Reproducible: Always

Steps to Reproduce:
1. Have "selinux" in the use flags.
2. Build irqbalance.
3. You don't get the policy.

Actual Results: A bunch of denials in the avc log due to no policy.

Expected Results: No denials.

I am doing a full selinux enforcing build on gentoo, managed by puppet. I'm running into a bunch of little issues and will be reporting as I find them and confirm they are bugs rather than "user error".
Is it sufficient to have selinux-irqbalance as a dep for irqbalance? Or are there any additional requirements to get it working?
The existing policy file works perfectly for irqbalance. I have zero entries in my avc log relating to this, so adding the policy as a dep would solve this perfectly. There are a few others that have this (easy to solve) issue. I'll file bugs when I get back around to going through my avc log / puppet manifest to get the corner cases sorted out.
Created attachment 388176: irqbalance ebuild with selinux use flag

Here, how about this? It has the appropriate use flag + rdep, and when set up in my local overlay it works happily.
The ebuild you suggested also enables the dependency in DEPEND (as you have DEPEND="${RDEPEND} in it), which shouldn't be the case. @base-system herd, would it be possible to add in the following to the irqbalance package? IUSE="selinux" RDEPEND="selinux? ( sec-policy/selinux-irqbalance )" I can do it for you (with revbump) if you don't have anything in the queue; otherwise this can wait a bit if you think you're going to bump anyway soonish. Index: irqbalance-1.0.7.ebuild =================================================================== RCS file: /var/cvsroot/gentoo-x86/sys-apps/irqbalance/irqbalance-1.0.7.ebuild,v retrieving revision 1.1 diff -u -B -r1.1 irqbalance-1.0.7.ebuild --- irqbalance-1.0.7.ebuild 19 Mar 2014 16:58:31 -0000 1.1 +++ irqbalance-1.0.7.ebuild 2 Nov 2014 14:26:13 -0000 @@ -15,13 +15,16 @@ LICENSE="GPL-2" SLOT="0" KEYWORDS="~amd64 ~ppc ~x86" -IUSE="caps +numa" +IUSE="caps +numa selinux" -RDEPEND="dev-libs/glib:2 +CDEPEND="dev-libs/glib:2 caps? ( sys-libs/libcap-ng ) numa? ( sys-process/numactl )" -DEPEND="${RDEPEND} +DEPEND="${CDEPEND} virtual/pkgconfig" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-irqbalance ) +" pkg_setup() { CONFIG_CHECK="~PCI_MSI"
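Review bot: The new RDEPEND entry at the end of the hunk changes the runtime dependencies of irqbalance-1.0.7.ebuild, which the diff header shows is already in the tree at revision 1.1, so it should be committed as a revision bump (the revbump offered in the comment) rather than as an in-place edit; otherwise systems that already have 1.0.7 installed will not be prompted to pull in sec-policy/selinux-irqbalance. As a style point, the closing quote of RDEPEND sits alone on its own line, while CDEPEND closes on its last dependency line; writing `selinux? ( sec-policy/selinux-irqbalance )"` would keep the two consistent. Keeping the policy package out of DEPEND via the CDEPEND split matches the objection raised in the comment and needs no change.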
(In reply to Sven Vermeulen from comment #4)
feel free to fix
Okay, irqbalance-1.0.7-r1 has the dependency in it (~arch for now)
Just pulled irqbalance out of the local overlay, did a sync, removed irqbalance and its policy, then tried to reinstall: (I run on ~arch by default, for better or worse)

# emerge irqbalance -av

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild U ] sec-policy/selinux-base-2.20140311-r7 [2.20140311-r6] USE="open_perms peer_perms ubac unconfined -doc" 279 KiB
[ebuild U ] sec-policy/selinux-base-policy-2.20140311-r7 [2.20140311-r6] USE="unconfined" 0 KiB
[ebuild N ] sec-policy/selinux-irqbalance-2.20140311-r7 0 KiB
[ebuild N ] sys-apps/irqbalance-1.0.7-r1 USE="caps numa (selinux)" 0 KiB

The new ebuild worked fine from my point of view, less any issues relating to my policy development (selinux-base-policy does not like that!).