iotop policy development advice
William Brown
william at firstyear.id.au
Thu Oct 10 22:30:15 UTC 2013
> > >
> > Me thinks you need auth_use_nsswitch(). Looks like your code is calling
> > getpw(), which is causing some of these accesses. auth_use_nsswitch will make
> > you handle all forms of authorization.
>
> yes, but
>
> It doesn't need any authentication though, and also many other hallmarks
> of nsswitch are not there, for example reading network config or doing DNS
> resolving, or creating TCP/UDP sockets.
I believe it's for resolving the UID/GID to usernames/group names in the
display. Either way, I have taken your advice, and replaced the passwd /
sssd parts with this and it works correctly.
>
> Not sure why it needs to create netlink route sockets (I am assuming
> that in some scenario it might need to read the routing table, but
> against my own advice I made assumptions).
>
> This is actually a really simple app; the only things that I wonder about
> are the details about net_admin and netlink_route_socket. I thought
> it might have been for iSCSI scenarios but that's just an assumption.
Again, this may have been one of my mistakes. I have removed that line
and it still worked. To eliminate this, I went through and checked that
each line of the policy, when removed, now causes a denial, which it does.
Here is the "minimised" policy.
--
Sincerely,
William Brown
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
[attached policy module]
policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

# Role attribute so roles that receive iotop_roles may enter the domain.
attribute_role iotop_roles;
roleattribute system_r iotop_roles;

# The process domain and the entrypoint type of the iotop executable.
type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
role iotop_roles types iotop_t;

# Left commented out: the domain runs enforcing, not permissive.
#permissive iotop_t;

########################################
#
# iotop local policy
#

# CAP_NET_ADMIN plus a read-only netlink socket; iotop receives its per-task
# I/O accounting over netlink. The netlink_route_socket rule was dropped above.
allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_socket r_netlink_socket_perms;

# Read kernel state under /proc and /dev/urandom.
kernel_read_system_state(iotop_t)
dev_read_urand(iotop_t)

# Read scheduling info and /proc/<pid> state of every process on the system.
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)

# Name-service lookups (UID/GID to user and group names); replaces the
# earlier passwd / sssd rules.
auth_use_nsswitch(iotop_t)

# Execute binaries from bin directories, read locale data, and write to the
# user's terminal.
corecmd_exec_bin(iotop_t)
miscfiles_read_localization(iotop_t)
userdom_use_user_terminals(iotop_t)
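As an added example (not code from the thread or from the iotop policy), a small Python check for the minimisation step described above: it parses the explicit allow rules of the .te source and reports which AVC denials from audit.log they do not cover. The r_netlink_socket_perms expansion and the audit lines are constructed assumptions, and denials that an interface call such as auth_use_nsswitch() satisfies still show up as uncovered, since interfaces are expanded by the refpolicy build and are not modelled here.

```python
import re

# Constructed excerpt of the explicit allow rules in the minimised iotop policy; interface calls
# such as kernel_read_system_state() are expanded by the refpolicy build and are not modelled here.
POLICY_TE = """
allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_socket r_netlink_socket_perms;
"""
# Assumption: the refpolicy permission-set macro, expanded by hand.
PERM_SETS = {"r_netlink_socket_perms": {"create", "getattr", "setattr", "read", "write",
                                        "bind", "getopt", "setopt", "shutdown", "nlmsg_read"}}
# Constructed audit.log lines (not real output): two covered by the rules above, one
# (the /etc/passwd read behind getpw()) that only an interface such as auth_use_nsswitch() grants.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1381444215.001:101): avc:  denied  { net_admin } for  pid=4321 comm="iotop" '
    'capability=12 scontext=system_u:system_r:iotop_t:s0 tcontext=system_u:system_r:iotop_t:s0 tclass=capability',
    'type=AVC msg=audit(1381444215.002:102): avc:  denied  { nlmsg_read } for  pid=4321 comm="iotop" '
    'scontext=system_u:system_r:iotop_t:s0 tcontext=system_u:system_r:iotop_t:s0 tclass=netlink_socket',
    'type=AVC msg=audit(1381444215.003:103): avc:  denied  { read } for  pid=4321 comm="iotop" name="passwd" '
    'scontext=system_u:system_r:iotop_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1381444215.003:103): arch=c000003e syscall=2 success=no exit=-13 comm="iotop"',
]

ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\w+:\w+:(\w+).*?tcontext=\w+:\w+:(\w+).*?tclass=(\w+)")

def parse_allow_rules(te):
    """Map (source, target, class) -> granted permissions; 'self' resolves to the source type."""
    rules = {}
    for src, tgt, tclass, perms in ALLOW_RE.findall(te):
        granted = set()
        for name in perms.strip("{} ").split():
            granted |= PERM_SETS.get(name, {name})  # expand known macros, else literal perm
        rules.setdefault((src, src if tgt == "self" else tgt, tclass), set()).update(granted)
    return rules

def parse_avc(line):
    """Return (denied perms, source type, target type, class), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    return (set(m.group(1).split()), m.group(2), m.group(3), m.group(4)) if m else None

def uncovered_denials(te, audit_lines):
    """Denials not fully granted by an explicit allow rule, as (src, tgt, class, missing perms)."""
    rules = parse_allow_rules(te)
    missing = []
    for perms, stype, ttype, tclass in filter(None, map(parse_avc, audit_lines)):
        gap = perms - rules.get((stype, ttype, tclass), set())
        if gap:
            missing.append((stype, ttype, tclass, sorted(gap)))
    return missing
```

Each reported tuple is either a rule still to be written or a denial that must be traced to one of the interface calls in the module.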