On 04/16/2015 08:43 AM, William wrote:
Hi,
I am trying to run iotop as sysadm_t
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
This triggers a number of AVC's
I figured that perhaps sysadm_t isn't allowed access to the iotop
domain. So I had a look and found in sysadm.te where this should go,
such as:
optional_policy(`
iotop_run(sysadm_t, sysadm_r)
')
Yes, this is the correct way to make it work.
I'm getting a number of denials such as:
type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41
success=yes exit=7 a0=10 a1=3 a2=10 a3=3 items=0 ppid=19850 pid=3617
auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1392): avc: denied { setopt } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1392): arch=c000003e syscall=54
success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff1f3acb7c items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1393): avc: denied { bind } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1393): arch=c000003e syscall=49
success=yes exit=0 a0=7 a1=7fff1f3ac9d0 a2=c a3=7fff1f3aca00 items=0
ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1394): arch=c000003e syscall=51
success=yes exit=0 a0=7 a1=7fff1f3ac9c0 a2=7fff1f3ac9bc a3=7fff1f3aca00
items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1429158621.687:1395): avc: denied { write } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.687:1395): arch=c000003e syscall=44
success=yes exit=36 a0=3 a1=7fae4ac392d4 a2=24 a3=0 items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.687:1396): avc: denied { read } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.687:1396): arch=c000003e syscall=45
success=yes exit=112 a0=3 a1=1369764 a2=4000 a3=0 items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
^C
If we focus on one of them:
type=AVC msg=audit(1429158621.684:1394): avc: denied { getattr } for
pid=3617
comm="iotop"
scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tclass=netlink_socket
permissive=1
However, this should be allowed as:
sesearch -A -s iotop_t
allow iotop_t iotop_t : netlink_route_socket { ioctl read write
create getattr setattr lock append bind connect getopt setopt shutdown
nlmsg_read } ;
I think that I'm missing something related to the sysadm_r role. What's
the correct way to edit the policy to allow sysadm_r to run iotop_t
correctly? Tips would be appreciated.
Sincerely,
It's about netlink_socket against netlink_route_socket. You need to also add
allow iotop_t self:netlink_socket create_socket_perms;
I added it to Fedora.
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
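A small check of the kind this thread calls for, added here as an example rather than code from the thread or from the Fedora policy: it parses AVC records and `sesearch -A` allow rules in the shape shown above, reports which (source type, target type, class) permissions no rule covers, and renders them as allow statements. The sample records, regexes and function names are constructed for this example; they reproduce the netlink_socket versus netlink_route_socket mismatch the reply points out.

```python
import re

# Constructed sample: three of the AVC records from the thread, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1429158621.684:1392): avc: denied { setopt } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.684:1393): avc: denied { bind } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.687:1396): avc: denied { read } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
"""
# Constructed sample: the single allow rule that sesearch printed in the thread.
SAMPLE_SESEARCH = """\
allow iotop_t iotop_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
"""

# One AVC record: permissions in braces, then scontext/tcontext/tclass on the same line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
# One sesearch allow rule: "allow src tgt : class { perms } ;"
RULE_RE = re.compile(
    r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)\s*\{\s*(?P<perms>[^}]*)\}')

def ctx_type(ctx):
    """user:role:type:range -> type (the part that allow rules are written against)."""
    return ctx.split(':')[2]

def parse_allows(text):
    """Return {(src, tgt, tclass): set(perms)} from sesearch -A output."""
    rules = {}
    for m in RULE_RE.finditer(text):
        key = (m['src'], m['tgt'], m['tclass'])
        rules.setdefault(key, set()).update(m['perms'].split())
    return rules

def uncovered_denials(avc_text, allow_text):
    """Return {(src, tgt, tclass): set(perms)} for denied permissions no rule covers.
    The class is compared exactly, so netlink_socket is not satisfied by a
    netlink_route_socket rule; that is the mismatch behind the denials above."""
    rules = parse_allows(allow_text)
    missing = {}
    for m in AVC_RE.finditer(avc_text):
        key = (ctx_type(m['sctx']), ctx_type(m['tctx']), m['tclass'])
        for perm in m['perms'].split():
            if perm not in rules.get(key, set()):
                missing.setdefault(key, set()).add(perm)
    return missing

def suggested_rules(missing):
    """Render uncovered permissions as allow statements, using self when src == tgt."""
    out = []
    for (src, tgt, tclass), perms in sorted(missing.items()):
        tgt = 'self' if tgt == src else tgt
        out.append('allow %s %s:%s { %s };' % (src, tgt, tclass, ' '.join(sorted(perms))))
    return out
```

Run it over a full `ausearch -m avc` dump and the matching `sesearch -A -s <type>` output; the rendered statements are a starting point for a policy module, to be reviewed against the permission sets in the reference policy rather than applied verbatim.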