From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 28 Apr 2016 10:56:11 +0200
Subject: [refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc
In-Reply-To:
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com> <2d0095f1-84c0-35dc-5258-61445dc7653e@gmail.com>
Message-ID: <0e3757b0-288f-c65a-73a3-db39c203c5c3@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/28/2016 10:24 AM, Andrejczuk, Grzegorz wrote:
>> On 04/27/2016 05:21 PM, gandrejc wrote:
>>> The Portable Hardware Locality (hwloc) software package
>>> provides a portable abstraction (across OS, versions,
>>> architectures, ...) of the hierarchical topology of modern
>>> architectures, including NUMA memory nodes, sockets, shared
>>> caches, cores and simultaneous multithreading. It also gathers
>>> various system attributes such as cache and memory information
>>> as well as the locality of I/O devices such as network
>>> interfaces, InfiniBand HCAs or GPUs.
>>
>> grzegorz, I imagine that by now you may be a little confused by
>> this discussion. Therefore I am willing to create a new patch
>> with some of the considerations mentioned in this thread
>> applied.
>>
>> I would need some information though that I cannot find myself.
>> Your policy implies that hwloc-dhwd can be run as a system
>> service. However the system service initscript and/or
>> service unit is not taken into consideration. What is the exact
>> location of this script? Once I know that, then I can redo the
>> patch with that part taken into account and hopefully take away
>> the remaining concerns.
>
> We support system only, unit file is hwloc-dump-hwdata.service is
> installed to default systemd unit location (on RedHat
> /usr/lib/systemd/system).
> The unit file looks like this:
>
> [Unit]
> Description=Dump hardware topology and locality information to /var/run/hwloc
>
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
> ExecStop=/usr/bin/rm -rf /var/run/hwloc

Okay, thanks. I will see if I can whip another patch up today.

By the way, that ExecStop= is generally not such a good idea. Is that
really required? Does it not just overwrite the files in there when you
restart the service?

systemd will usually run generic coreutils like rm with a domain
transition to the initrc_t domain. That means that initrc_t would need
to be able to rm /var/run/hwloc. This is sub-optimal.

It's bad enough that ExecStop is often used for kill $MAINPID with
systemd.

> [Install]
> WantedBy=multi-user.target
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
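
Added example, not part of the original message or of refpolicy: a small check that flags Exec*= lines in a unit's [Service] section whose program is a generic utility, which is the pattern the reply objects to for ExecStop=. The function name and the GENERIC_UTILS set are assumptions made for this illustration; the thread itself only names rm and kill.

```python
import re

# Assumption: names treated as generic utilities. The thread itself names
# only rm and kill; the rest are illustrative.
GENERIC_UTILS = {"rm", "kill", "sh", "bash", "cp", "mv", "chmod", "chown"}

# The unit file as quoted in the thread (hwloc-dump-hwdata.service).
UNIT = """\
[Unit]
Description=Dump hardware topology and locality information to /var/run/hwloc

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
ExecStop=/usr/bin/rm -rf /var/run/hwloc

[Install]
WantedBy=multi-user.target
"""

EXEC_KEY = re.compile(r"^(Exec\w+)\s*=\s*(.*)$")


def generic_exec_lines(unit_text, generic=GENERIC_UTILS):
    """Return (directive, executable, arguments) for every Exec*= line in
    [Service] whose program is a generic utility, not the service binary."""
    findings, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = EXEC_KEY.match(line)
        if section != "Service" or not m:
            continue
        # systemd accepts prefix characters (-, @, +, !, :) before the path.
        parts = m.group(2).lstrip("-@+!:").split()
        if parts and parts[0].rsplit("/", 1)[-1] in generic:
            findings.append((m.group(1), parts[0], " ".join(parts[1:])))
    return findings


if __name__ == "__main__":
    for key, exe, args in generic_exec_lines(UNIT):
        print(f"{key}={exe} {args}: check which SELinux domain runs this")
```

Each finding is a command that, per the reply above, would run in initrc_t rather than in the service's own domain, so the policy for that domain has to cover whatever the command touches.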