Hi,
I am trying to run iotop as sysadm_t
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
This triggers a number of AVCs.
I figured that perhaps sysadm_t isn't allowed access to the iotop domain. So I had a look and found in sysadm.te where this should go, such as:
optional_policy(` iotop_run(sysadm_t, sysadm_r) ')
I'm getting a number of denials such as:
type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=3 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1392): avc: denied { setopt } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1429158621.684:1392): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff1f3acb7c items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1393): avc: denied { bind } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1429158621.684:1393): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff1f3ac9d0 a2=c a3=7fff1f3aca00 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1429158621.684:1394): arch=c000003e syscall=51 success=yes exit=0 a0=7 a1=7fff1f3ac9c0 a2=7fff1f3ac9bc a3=7fff1f3aca00 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.687:1395): avc: denied { write } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1429158621.687:1395): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7fae4ac392d4 a2=24 a3=0 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.687:1396): avc: denied { read } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1429158621.687:1396): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=1369764 a2=4000 a3=0 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
If we focus on one of them:
type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
However, this should be allowed as:
sesearch -A -s iotop_t
allow iotop_t iotop_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
I think that I'm missing something related to the sysadm_r role. What's the correct way to edit the policy to allow sysadm_r to run iotop_t correctly? Tips would be appreciated.
Sincerely,
On 04/16/2015 08:43 AM, William wrote:
> Hi,
> I am trying to run iotop as sysadm_t
> staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
> This triggers a number of AVCs.
> I figured that perhaps sysadm_t isn't allowed access to the iotop domain. So I had a look and found in sysadm.te where this should go, such as:
> optional_policy(` iotop_run(sysadm_t, sysadm_r) ')
Yes, this is the correct way to make it work.
> I'm getting a number of denials such as:
> type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=3 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.684:1392): avc: denied { setopt } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> type=SYSCALL msg=audit(1429158621.684:1392): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff1f3acb7c items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.684:1393): avc: denied { bind } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> type=SYSCALL msg=audit(1429158621.684:1393): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff1f3ac9d0 a2=c a3=7fff1f3aca00 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> type=SYSCALL msg=audit(1429158621.684:1394): arch=c000003e syscall=51 success=yes exit=0 a0=7 a1=7fff1f3ac9c0 a2=7fff1f3ac9bc a3=7fff1f3aca00 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.687:1395): avc: denied { write } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> type=SYSCALL msg=audit(1429158621.687:1395): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7fae4ac392d4 a2=24 a3=0 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.687:1396): avc: denied { read } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> type=SYSCALL msg=audit(1429158621.687:1396): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=1369764 a2=4000 a3=0 items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> If we focus on one of them:
> type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
> However, this should be allowed as:
> sesearch -A -s iotop_t
> allow iotop_t iotop_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
> I think that I'm missing something related to the sysadm_r role. What's the correct way to edit the policy to allow sysadm_r to run iotop_t correctly? Tips would be appreciated.
> Sincerely,
It's about netlink_socket against netlink_route_socket. You need to also add
allow iotop_t self:netlink_socket create_socket_perms;
I added it to Fedora.
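The point of the reply above is that the denials are on object class netlink_socket while the only allow rule sesearch shows is on netlink_route_socket, so the permission names match but the class does not. The script below is an added triage example (it is not code from the thread, from iotop, or from the Fedora policy): it parses the AVC records William posted and the sesearch rule, and for each denial says whether it fails because no rule exists for that object class on that source/target pair or because a rule exists but lacks the permission. It then re-checks after adding the proposed `allow iotop_t self:netlink_socket create_socket_perms;` rule. The denial lines are the thread's own, embedded as constructed input; the expansion of the create_socket_perms macro is my assumption from the reference policy's obj_perm_sets.spt and should be checked against your policy tree. It goes beyond the thread's single case by also handling `self`, permission-set macros and the plain missing-permission case.

```python
import re

# Constructed sample input: the five AVC records from the thread, one per line
# (the interleaved SYSCALL records are dropped; only AVC lines carry the decision).
AVC_LOG = """\
type=AVC msg=audit(1429158621.684:1392): avc: denied { setopt } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.684:1393): avc: denied { bind } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.687:1395): avc: denied { write } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.687:1396): avc: denied { read } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
"""

# The rule that `sesearch -A -s iotop_t` printed in the thread.
SESEARCH_OUT = ("allow iotop_t iotop_t : netlink_route_socket { ioctl read write create "
                "getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;")

# The rule the reply proposes, in policy-source form (uses `self` and a macro).
PROPOSED_FIX = "allow iotop_t self:netlink_socket create_socket_perms;"

# ASSUMPTION: expansion of the refpolicy macro create_socket_perms
# (obj_perm_sets.spt). Not stated in the thread; verify against your tree.
PERM_MACROS = {
    "create_socket_perms": frozenset(
        "create ioctl read getattr write setattr append bind connect getopt setopt shutdown".split()),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<tclass>\S+)\s*"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;")


def type_of(context):
    """Type field of a full context user:role:type[:range]."""
    return context.split(":")[2]


def perm_set(token):
    """Expand `{ a b c }` or a known permission-set macro into a frozenset."""
    if token.startswith("{"):
        return frozenset(token.strip("{} ").split())
    return PERM_MACROS.get(token, frozenset([token]))


def parse_denials(text):
    """Extract source type, target type, object class and perms from AVC records."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append({
                "source": type_of(m.group("sctx")),
                "target": type_of(m.group("tctx")),
                "tclass": m.group("tclass"),
                "perms": frozenset(m.group("perms").split()),
            })
    return found


def parse_allows(text):
    """Map (src, tgt, class) -> granted perms; `self` is expanded to the source type."""
    rules = {}
    for line in text.splitlines():
        m = ALLOW_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        tgt = src if m.group("tgt") == "self" else m.group("tgt")
        key = (src, tgt, m.group("tclass"))
        rules[key] = rules.get(key, frozenset()) | perm_set(m.group("perms"))
    return rules


def uncovered(denials, rules):
    """(denial, reason) for each denial the rules do not grant, telling a
    wrong-object-class miss apart from a plain missing-permission miss."""
    problems = []
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        missing = d["perms"] - rules.get(key, frozenset())
        if not missing:
            continue
        other_classes = sorted(c for (s, t, c) in rules
                               if (s, t) == key[:2] and c != d["tclass"])
        if key not in rules and other_classes:
            reason = "no rule for class %s (this pair only has %s)" % (
                d["tclass"], ", ".join(other_classes))
        else:
            reason = "missing perms: %s" % " ".join(sorted(missing))
        problems.append((d, reason))
    return problems


def audit_fix(avc_text, before_rules, fix_rule):
    """Number of uncovered denials before and after adding fix_rule."""
    denials = parse_denials(avc_text)
    before = len(uncovered(denials, parse_allows(before_rules)))
    after = len(uncovered(denials, parse_allows(before_rules + "\n" + fix_rule)))
    return before, after


if __name__ == "__main__":
    for d, why in uncovered(parse_denials(AVC_LOG), parse_allows(SESEARCH_OUT)):
        print("%s %s: %s" % (d["tclass"], sorted(d["perms"]), why))
    print("uncovered before/after fix: %d/%d" % audit_fix(AVC_LOG, SESEARCH_OUT, PROPOSED_FIX))
```

On the thread's input every denial is reported as "no rule for class netlink_socket (this pair only has netlink_route_socket)", and the count goes from 5 to 0 once the proposed rule is added. The class-versus-permission distinction is worth keeping in a triage script: audit2allow will happily generate a rule for whatever class appears in the denial, and seeing that the permissions were already granted on a sibling class is what tells you the fix belongs in the iotop module rather than in sysadm.te.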
>> optional_policy(` iotop_run(sysadm_t, sysadm_r) ')
> Yes, this is the correct way to make it work.
>> I think that I'm missing something related to the sysadm_r role. What's the correct way to edit the policy to allow sysadm_r to run iotop_t correctly? Tips would be appreciated.
> It's about netlink_socket against netlink_route_socket. You need to also add
> allow iotop_t self:netlink_socket create_socket_perms;
> I added it to Fedora.
Thanks for looking into this. What's the commit link so I can have a look at what you added?
On 04/20/2015 01:21 AM, William wrote:
>>> optional_policy(` iotop_run(sysadm_t, sysadm_r) ')
>> Yes, this is the correct way to make it work.
>>> I think that I'm missing something related to the sysadm_r role. What's the correct way to edit the policy to allow sysadm_r to run iotop_t correctly? Tips would be appreciated.
>> It's about netlink_socket against netlink_route_socket. You need to also add
>> allow iotop_t self:netlink_socket create_socket_perms;
>> I added it to Fedora.
> Thanks for looking into this. What's the commit link so I can have a look at what you added?
https://github.com/fedora-selinux/selinux-policy/commit/fb187f901807bd02246d...
selinux@lists.fedoraproject.org