Running iotop as sysadm_r

William william at firstyear.id.au
Thu Apr 16 06:43:43 UTC 2015


Hi,

I am trying to run iotop as sysadm_t

staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

This triggers a number of AVCs.

I figured that perhaps sysadm_t isn't allowed access to the iotop
domain. So I had a look and found in sysadm.te where this should go,
such as:

optional_policy(`
        iotop_run(sysadm_t, sysadm_r)
')

I'm getting a number of denials such as:


type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41
success=yes exit=7 a0=10 a1=3 a2=10 a3=3 items=0 ppid=19850 pid=3617
auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1392): avc:  denied  { setopt } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1392): arch=c000003e syscall=54
success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff1f3acb7c items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1393): avc:  denied  { bind } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1393): arch=c000003e syscall=49
success=yes exit=0 a0=7 a1=7fff1f3ac9d0 a2=c a3=7fff1f3aca00 items=0
ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.684:1394): arch=c000003e syscall=51
success=yes exit=0 a0=7 a1=7fff1f3ac9c0 a2=7fff1f3ac9bc a3=7fff1f3aca00
items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1429158621.687:1395): avc:  denied  { write } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.687:1395): arch=c000003e syscall=44
success=yes exit=36 a0=3 a1=7fae4ac392d4 a2=24 a3=0 items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.687:1396): avc:  denied  { read } for
pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
permissive=1
type=SYSCALL msg=audit(1429158621.687:1396): arch=c000003e syscall=45
success=yes exit=112 a0=3 a1=1369764 a2=4000 a3=0 items=0 ppid=19850
pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
^C

If we focus on one of them:

type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for
pid=3617 
comm="iotop" 
scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 
tclass=netlink_socket 
permissive=1


However, this should be allowed as:

sesearch -A -s iotop_t 

   allow iotop_t iotop_t : netlink_route_socket { ioctl read write
create getattr setattr lock append bind connect getopt setopt shutdown
nlmsg_read } ; 

I think that I'm missing something related to the sysadm_r roles. What's
the correct way to edit the policy to allow sysadm_r to run iotop_t
correctly? Tips would be appreciated.

Sincerely,

-- 
William <william at firstyear.id.au>
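As an added example (not part of the post, the reference policy, or any SELinux tool), a small triage script that checks each denied (source type, target type, class, permission) tuple from the AVC records above against the allow rules quoted from sesearch, and for every denial without an exact match reports the classes on which a rule for the same source, target and permission does exist. The two AVC records and the sesearch line are constructed inline from the post so it runs offline.

```python
import re

# Constructed sample input: two AVC records from the post above, each joined
# back onto a single line as audit.log writes them, plus the quoted sesearch rule.
AVC_LOG = """\
type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.687:1395): avc:  denied  { write } for pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
"""
SESEARCH_OUT = """\
   allow iotop_t iotop_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} .*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)')
ALLOW_RE = re.compile(r'allow (?P<s>\S+) (?P<t>\S+) : (?P<c>\S+) \{ (?P<perms>[^}]*)\}')

def parse_avcs(text):
    """Return one (source_type, target_type, class, perm) tuple per denied permission."""
    found = []
    for m in AVC_RE.finditer(text):
        src = m.group('s').split(':')[2]  # type field of user:role:type:range
        tgt = m.group('t').split(':')[2]
        for perm in m.group('perms').split():
            found.append((src, tgt, m.group('c'), perm))
    return found

def parse_allows(text):
    """Expand each sesearch allow rule into a set of (source, target, class, perm)."""
    allowed = set()
    for m in ALLOW_RE.finditer(text):
        for perm in m.group('perms').split():
            allowed.add((m.group('s'), m.group('t'), m.group('c'), perm))
    return allowed

def uncovered(avcs, allows):
    """Denials no rule covers, each paired with the classes on which a rule
    for the same source, target and permission does exist (a class mismatch)."""
    report = []
    for src, tgt, cls, perm in avcs:
        if (src, tgt, cls, perm) in allows:
            continue
        near = sorted({c for s, t, c, p in allows if (s, t, p) == (src, tgt, perm)})
        report.append(((src, tgt, cls, perm), near))
    return report

if __name__ == "__main__":
    for (src, tgt, cls, perm), near in uncovered(parse_avcs(AVC_LOG), parse_allows(SESEARCH_OUT)):
        hint = f"  (a rule exists only for class {', '.join(near)})" if near else ""
        print(f"no rule: allow {src} {tgt}:{cls} {perm};{hint}")
```

On a live system the same two strings can be filled from `ausearch -m AVC` and `sesearch -A -s <type>` output; a denial that only near-matches on class means the allow rule covers a different object class than the kernel labelled the socket with.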
