iotop policy development advice

William Brown william at firstyear.id.au
Thu Oct 10 22:30:15 UTC 2013


> > > 
> > Methinks you need auth_use_nsswitch(). Looks like your code is calling
> > getpw(), which is causing some of these accesses. auth_use_nsswitch will make
> > you handle all forms of authorization.
> 
> yes, but
> 
> It doesn't need any authentication though, and also many other hallmarks
> of nsswitch are not there, for example reading network config or doing DNS
> resolution, or creating TCP/UDP sockets.

I believe it's for resolving the UID/GID to usernames/group names in the
display. Either way, I have taken your advice, and replaced the passwd /
sssd parts with this and it works correctly. 

> 
> not sure why it needs to create netlink route sockets (I am assuming
> that in some scenario it might need to read the routing table, but
> against my own advice I made assumptions)
> 
> this is actually a really simple app; the only thing that I wonder about
> are the details about the net_admin and netlink_route_socket. I thought
> it might have been for iscsi scenarios but that's just an assumption

Again, this may have been one of my mistakes. I have removed that line
and it still worked. To eliminate this, I went through and checked that
each line of the policy now, when removed, causes a denial, which it does.
Here is the "minimised" policy.

-- 
Sincerely,

William Brown

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A

-------------- next part --------------
policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#
attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

role iotop_roles types iotop_t;

#permissive iotop_t;

########################################
#
# iotop local policy
#

allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_socket r_netlink_socket_perms;

kernel_read_system_state(iotop_t)
dev_read_urand(iotop_t)
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)

auth_use_nsswitch(iotop_t)
corecmd_exec_bin(iotop_t)
miscfiles_read_localization(iotop_t)
userdom_use_user_terminals(iotop_t)


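The line-by-line check described above (drop one rule, rebuild the module, run iotop, look for an AVC denial), scripted as an added example that is not part of the original post or of refpolicy. It assumes the Fedora refpolicy devel Makefile at /usr/share/selinux/devel/Makefile, semodule and ausearch on PATH, and a root shell in the module's directory; the workload command is whatever you pass after the domain name.

```shell
#!/bin/sh
# Added example, not from the original post or the iotop/refpolicy projects:
# a one-rule-at-a-time minimisation loop for a refpolicy module such as iotop.te.
# For every rule line, rebuild the module without it, load it, run the workload
# and count AVC denials for the domain. A rule whose removal trips no denial is
# only a candidate for dropping: the workload must exercise every code path.
# Assumed: devel Makefile path below, semodule/ausearch on PATH, root shell,
# run from the directory holding the .te file.
MAKEFILE=/usr/share/selinux/devel/Makefile

# Print "N:rule" for each allow/dontaudit rule or single-argument interface
# call in $1. Declarations (type, role, policy_module, application_domain) never match.
rule_lines() {
    grep -nE '^((allow|dontaudit) [a-z_]+ |[a-z_]+\([a-z_]+\)[[:space:]]*$)' "$1"
}

# Write $1 with line number $2 deleted to $3.
without_line() {
    sed "${2}d" "$1" > "$3"
}

# Count AVC denials on stdin whose source context is domain $1 (0 if none).
count_denials() {
    grep -c "avc: *denied .*scontext=[^ ]*:$1:" || true
}

# minimise MODULE.te DOMAIN WORKLOAD...   e.g. minimise iotop.te iotop_t iotop -b -n 1
minimise() {
    te=$1 dom=$2; shift 2
    rule_lines "$te" | while IFS=: read -r n rule; do
        without_line "$te" "$n" candidate.te
        # The module name comes from policy_module() inside the .te, so loading
        # candidate.pp replaces the currently installed version of that module.
        make -f "$MAKEFILE" candidate.pp >/dev/null && semodule -i candidate.pp || continue
        since=$(date '+%H:%M:%S')
        "$@" >/dev/null 2>&1
        d=$(ausearch -m avc -ts "$since" 2>/dev/null | count_denials "$dom")
        if [ "$d" -gt 0 ]; then echo "KEEP   $n: $rule"; else echo "REVIEW $n: $rule"; fi
    done
    rm -f candidate.te candidate.pp
    # Reload the full module so the system ends up with the policy you started from.
    make -f "$MAKEFILE" "${te%.te}.pp" >/dev/null && semodule -i "${te%.te}.pp"
}

if [ $# -ge 3 ]; then minimise "$@"; fi
```

Rules reported as REVIEW are not automatically safe to drop; a rule may only be exercised by a path the workload did not take (the iscsi case discussed above is exactly that kind of path), so re-run with broader workloads before removing anything.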

