iotop policy development advice

Dominick Grift dominick.grift at gmail.com
Wed Oct 9 07:17:33 UTC 2013


On Wed, 2013-10-09 at 08:04 +1030, William Brown wrote:
> > > 
> > > > I made a 30 minute demonstration about creating policy for iotop (on
> > > > rhel6) : https://www.youtube.com/watch?v=WcF9QkqLcKs
> > > > 
> > > 
> > > Fantastic. Thanks for your combined emails. It has revealed a lot to me.
> > > I'll watch your video, and will create a similar policy for iotop on
> > > Fedora. If you don't mind, I'll post it here for review once I'm done.
> > > 
> > 
> > sure, you can post it but if the policy looks like the one i created in
> > my video then its ok
> > 
> 
> Well hopefully it does. I'm not aiming to copy your policy directly, as
> I want to learn the steps so I can write these for myself.
> 
> I have already run into one issue. I have created an iotop module and
> iotop_sysadm module, but once loaded I see a number of errors in
> ausearch like:
> 
> libsepol.sepol_context_to_sid: could not convert
> staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 to sid
> libsepol.context_from_record: invalid security context:
> "staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> 
> 
> My research shows this is when you forget the "s0" on a file context,
> but this isn't the case here.
> 
> I've attached my policy that I have partially written at this point, and
> any advice would be appreciated on this.
> 

It might be related to the roleattribute stuff. Did you try it like I did
in my example, by commenting the roleattribute/attribute_role stuff out
and using the old way of associating the sysadm_r role to iotop_t?

Is sysadm_r associated to staff_u? Is the full MCS range associated to
staff_u and to your Linux uid/gid?
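The two ways of tying sysadm_r to iotop_t that the reply refers to, shown side by side as an added illustration for this thread (this is not the module William attached, which is not reproduced on this page; the type names, the iotop_run/iotop_domtrans interfaces and the iotop_sysadm call are assumed, in the reference policy style):

```text
## iotop.te (assumed module; not the poster's attachment)
policy_module(iotop, 1.0.0)

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

# Newer style: a role attribute is declared here, roles are added to it
# from the run interface in iotop.if, and the role/type association is
# made through the attribute.
attribute_role iotop_roles;
role iotop_roles types iotop_t;

# Old style suggested in the reply for troubleshooting: comment out the two
# attribute_role/role lines above and associate the role directly.
# role sysadm_r types iotop_t;

## iotop.if (assumed)
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

interface(`iotop_run',`
	gen_require(`
		attribute_role iotop_roles;
	')
	iotop_domtrans($1)
	# Newer style: add the caller's role to the attribute.
	roleattribute $2 iotop_roles;
	# Old style equivalent (use with the direct "role ... types" line above):
	# role $2 types iotop_t;
')

## iotop_sysadm.te (assumed)
policy_module(iotop_sysadm, 1.0.0)

gen_require(`
	type sysadm_t;
	role sysadm_r;
')
iotop_run(sysadm_t, sysadm_r)
```

Once the module loads, the two remaining questions in the reply can be checked from the shell: `semanage user -l` shows which roles and which MLS/MCS range each SELinux user (here staff_u) carries, `semanage login -l` shows the Linux login to SELinux user and range mapping, and `seinfo --role=sysadm_r -x` lists the types sysadm_r may be used with, where iotop_t should appear. A context is only valid if every one of user, role, type and range agrees with the loaded policy, which is why the libsepol message above can be triggered by any one of those being missing, not just by a missing "s0".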