iotop policy development advice

Dominick Grift dominick.grift at gmail.com
Wed Oct 9 07:41:08 UTC 2013 

On Wed, 2013-10-09 at 08:04 +1030, William Brown wrote:
> > > 
> > > > I made a 30 minute demonstration about creating policy for iotop (on
> > > > rhel6) : https://www.youtube.com/watch?v=WcF9QkqLcKs
> > > > 
> > > 
> > > Fantastic. Thanks for your combined emails. It has revealed a lot to me.
> > > I'll watch your video, and will create a similar policy for iotop on
> > > Fedora. If you don't mind, I'll post it here for review once I'm done.
> > > 
> > 
> > sure, you can post it but if the policy looks like the one i created in
> > my video then its ok
> > 
> 
> Well hopefully it does. I'm not aiming to copy your policy directly, as
> I want to learn the steps so I can write these for myself.
> 
> I have already run into one issue. I have created an iotop module and
> iotop_sysadm module, but once loaded I see a number of errors in
> ausearch like:
> 
> libsepol.sepol_context_to_sid: could not convert
> staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 to sid
> libsepol.context_from_record: invalid security context:
> "staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023"
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> 
> 

It says that the staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 content is
invalid. So you should check whether the combination of these security
identifiers is valid

you can use the seinfo , semanage and sesearch tools to determine that

to determine whether your uid/gid is associated to
staff_u/s0-s0:c0.c1023:

semanage login -l |grep myadm
myadm                     staff_u                   s0-s0:c0.c1023

to determine whether the staff_u sid is associated to the sysadm_r role
and range of s0-s0:c0.c1023:

semanage user -l | grep staff_u
staff_u         user       s0         s0-s0:c0.c1023
staff_r sysadm_r system_r unconfined_r

to determine whether staff_r can manually change to sysadm_r:

sesearch --role_allow | grep "allow staff_r " | grep sysadm_r
   allow staff_r sysadm_r;

to determine whether the sysadm_r role is associated to the iotop_t
domain:

seinfo -xrsysadm_r | grep iotop
         iotop_t


to determine whether whether sysadm_t automatically domain transitions
to iotop_t when he runs a file with type iotop_exec_t:

sesearch -ASCT -s sysadm_t -t iotop_exec_t | grep type_transition
   type_transition sysadm_t iotop_exec_t : process iotop_t;

if all the above prerequisites are met then things should probably work
in the default fedora/rhel set up

> My research shows this is when you forget the "s0" on a file context,
> but this isn't the case here. 
> 
> I've attached my policy that I have partially written at this point, and
> any advice would be appreciated on this.
> 
>

More information about the selinux mailing list