
libcap-ng used by "/usr/sbin/irqbalance" failed due to not having CAP_SETPCAP in capng_apply #335

Closed
jpmv27 opened this issue Dec 3, 2024 · 6 comments

Comments

@jpmv27

jpmv27 commented Dec 3, 2024

Follow-up to #182 and #328.

This fix results in AVC errors from SELinux:

```
SELinux is preventing /usr/sbin/irqbalance from setpcap access on the cap_userns labeled irqbalance_t
```

Manually applying 43751df and efab272 also eliminates the message, but also results in the same SELinux AVC error.

I don't have enough expertise with SELinux to suggest a fix

@nhorman
Member

nhorman commented Dec 3, 2024

What do your audit logs say about the problem?

```
ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
```

@jpmv27
Author

jpmv27 commented Dec 3, 2024

```
time->Tue Dec  3 13:27:33 2024
type=PROCTITLE msg=audit(1733250453.504:3733): proctitle="/usr/sbin/irqbalance"
type=SYSCALL msg=audit(1733250453.504:3733): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=0 a3=0 items=0 ppid=1 pid=94083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="irqbalance" exe="/usr/sbin/irqbalance" subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(1733250453.504:3733): avc:  denied  { setpcap } for  pid=94083 comm="irqbalance" capability=8  scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=cap_userns permissive=1
```

@nhorman
Member

nhorman commented Dec 3, 2024

So, it looks like you built irqbalance with capng support, and SELinux is telling you that, with your current SELinux labeling, the user running the binary doesn't have permission to call setpcap from the libcap library.

You have two choices for fixing this:

1. Modify your SELinux policy to allow it. You can do this with the audit2allow command to generate a policy file that allows this operation, and then use semodule to insert the new policy into your system's policy database.

   or

2. Let another application handle capabilities for you. You can build irqbalance without capng support, so the call will never be made.

Given that your initial post referenced changes to the service file, I'm guessing you're using systemd, which can/will handle capabilities for you, and your selinux policy is likely set to already allow that. My recommendation would be to follow path (2)
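Reading the AVC record above field by field, as an added example that is not part of this thread or of the irqbalance project. It takes the AVC line posted earlier as constructed sample input; the function names are my own.

```shell
#!/bin/sh
# Added example: split an SELinux AVC record into its fields so the denial
# can be read off directly. AVC_SAMPLE is the line quoted in this issue.

AVC_SAMPLE='type=AVC msg=audit(1733250453.504:3733): avc:  denied  { setpcap } for  pid=94083 comm="irqbalance" capability=8  scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=cap_userns permissive=1'

# avc_field LINE KEY: print the value of KEY=value in LINE, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# avc_perms LINE: print the permission set inside "{ ... }" (here "setpcap").
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# avc_verdict LINE: "denied" or "granted".
avc_verdict() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *\([a-z]*\) .*/\1/p'
}

# avc_summary LINE: one readable line per record.
# tclass=cap_userns (instead of capability) means the capability check ran
# inside a non-initial user namespace. permissive=1 means the access was
# logged but still allowed, which matches success=yes on the SYSCALL record
# that shares event id 1733250453.504:3733 in the thread.
avc_summary() {
    line=$1
    mode=enforced
    if [ "$(avc_field "$line" permissive)" = 1 ]; then
        mode=logged-only
    fi
    printf '%s { %s } on %s: %s (%s) -> %s, %s\n' \
        "$(avc_verdict "$line")" "$(avc_perms "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" comm)" \
        "$(avc_field "$line" pid)" "$(avc_field "$line" tcontext)" "$mode"
}

avc_summary "$AVC_SAMPLE"
```

Pipe real `ausearch -m AVC` output through `avc_summary` one line at a time to see which domain, class and permission each denial concerns before deciding between the two fixes above.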

@jpmv27
Author

jpmv27 commented Dec 3, 2024

Thanks for the quick response.
I should've mentioned that this is on RHEL 9.5; I didn't personally build any of this.
It sounds like they need to apply your suggestion (2).

@nhorman
Member

nhorman commented Dec 3, 2024

But you said in your initial post:

> Manually applying 43751df and efab272 also eliminates the message, but also results in the same SELinux AVC error.

So I assume you are rebuilding irqbalance yourself?

Either way, if RedHat is building irqbalance with capng support and not adjusting their policy to match its needs, yes, that's on them to fix, by either fixing their irqbalance build or by publishing the right irqbalance policy.

nhorman closed this as completed Dec 3, 2024
@jpmv27
Author

jpmv27 commented Dec 3, 2024

Those are changes to the systemd service file, so no rebuild was necessary, just systemctl edit.
