From: grzegorz.andrejczuk@intel.com (Andrejczuk, Grzegorz)
Date: Mon, 2 May 2016 08:33:35 +0000
Subject: [refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc
In-Reply-To: <0e3757b0-288f-c65a-73a3-db39c203c5c3@gmail.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
 <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com>
 <2d0095f1-84c0-35dc-5258-61445dc7653e@gmail.com>
 <0e3757b0-288f-c65a-73a3-db39c203c5c3@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> On 04/28/2016 10:24 AM, Andrejczuk, Grzegorz wrote:
>>> On 04/27/2016 05:21 PM, gandrejc wrote:
>>>> The Portable Hardware Locality (hwloc) software package provides a
>>>> portable abstraction (across OS, versions, architectures, ...) of
>>>> the hierarchical topology of modern architectures, including NUMA
>>>> memory nodes, sockets, shared caches, cores and simultaneous
>>>> multithreading. It also gathers various system attributes such as
>>>> cache and memory information as well as the locality of I/O devices
>>>> such as network interfaces, InfiniBand HCAs or GPUs.
>>>
>>> Grzegorz, I imagine that by now you may be a little confused by this
>>> discussion. Therefore I am willing to create a new patch with some of
>>> the considerations mentioned in this thread applied.
>>>
>>> I would need some information though that I cannot find myself.
>>> Your policy implies that hwloc-dhwd can be run as a system service.
>>> However the system service initscript and/or service unit is
>>> not taken into consideration. What is the exact location of this
>>> script? Once I know that, then I can redo the patch with that part
>>> taken into account and hopefully take away the remaining concerns.
>>
>> We support systemd only; the unit file hwloc-dump-hwdata.service is
>> installed to the default systemd unit location (on RedHat
>> /usr/lib/systemd/system). The unit file looks like this:
>>
>> [Unit]
>> Description=Dump hardware topology and locality information to /var/run/hwloc
>>
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
>> ExecStop=/usr/bin/rm -rf /var/run/hwloc
>>
>
> Okay, thanks. I will see if I can whip another patch up today.
>
> By the way, that ExecStop= is generally not such a good idea. Is that
> really required? Does it not just overwrite the files in there when you
> restart the service?
>
> systemd will usually run generic coreutils like rm with a domain
> transition to the initrc_t domain. That means that initrc_t would need
> to be able to rm /var/run/hwloc.
> This is sub-optimal.
>
> It's bad enough that ExecStop is often used for kill $MAINPID with systemd.

I pushed the change removing the ExecStop from the service file to the
hwloc maintainer. It should be accepted, as the service truncates its
files. I will keep you posted.
>> [Install]
>> WantedBy=multi-user.target
>>
>
> - --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
> --------------------------------------------------------------------
> Intel Technology Poland sp. z o.o.
> ul. Slowackiego 173 | 80-298 Gdansk | District Court Gdansk Polnoc |
> VII Commercial Division of the National Court Register - KRS 101882 |
> NIP 957-07-52-316 | Share capital 200,000 PLN.
>
> This e-mail and any attachments may contain confidential material for
> the sole use of the intended recipient(s). If you are not the intended
> recipient, please contact the sender and delete all copies; any review
> or distribution by others is strictly prohibited.
> - --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
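To make the objection in the thread concrete, here is an added illustration that is not the hwloc project's shipped unit nor code from either participant: the unit as posted, with the ExecStop= line that makes systemd spawn rm (and, under the SELinux policy Dominick describes, transition it to initrc_t), beside the form without ExecStop=, which is what the reply says was sent to the hwloc maintainer. The RuntimeDirectory= line in the second form is an assumption about how one would get cleanup on stop without an external process, not something the thread proposes; on a systemd host /var/run is a symlink to /run, so RuntimeDirectory=hwloc resolves to the same path.

```ini
# --- hwloc-dump-hwdata.service, weak form (as posted in the thread) ---
# Constructed example for illustration. On "systemctl stop", systemd
# executes /usr/bin/rm as a child. Under refpolicy that child runs in
# initrc_t, so the policy would need rules letting initrc_t delete every
# file and directory under /var/run/hwloc, widening a generic domain
# just to clean up after one service.
[Unit]
Description=Dump hardware topology and locality information to /var/run/hwloc

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
ExecStop=/usr/bin/rm -rf /var/run/hwloc

[Install]
WantedBy=multi-user.target

# --- hwloc-dump-hwdata.service, corrected form ---
# ExecStop= is dropped: the thread notes hwloc-dump-hwdata truncates its
# own output files on each run, so stale data is overwritten on restart
# and no separate cleanup process is needed. Only the hwloc-dump-hwdata
# domain itself ever touches /var/run/hwloc.
[Unit]
Description=Dump hardware topology and locality information to /var/run/hwloc

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
# Assumption, not from the thread: if the directory must disappear when
# the unit is stopped, let systemd itself create /run/hwloc on start and
# remove it on stop. No child process is spawned, so no domain
# transition to initrc_t occurs.
#RuntimeDirectory=hwloc

[Install]
WantedBy=multi-user.target
```

The security-relevant difference is which domain performs the delete: with ExecStop= it is initrc_t, a broad domain shared by many services; without it, only the service's own domain needs write access to its output directory, which is the least-privilege outcome the refpolicy review was aiming for.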