Hi,

I recently raised a bug[1] that, while using confined users / system administrators, iotop would not work. Normally, iotop only runs as root, so reasonably it shouldn't run as staff_t, but it should be able to run while in sysadm_t.

Initially I created the template with:

    sepolicy generate --application /usr/sbin/iotop

I have built and installed this basic template for now, and of course, as predicted, I'm still having some issues with denials. Am I on the right track to set up iotop with an iotop_t policy so that it can access the kernel resources it needs when a user with sysadm_t calls it? The messages I am seeing now are as follows:

    type=AVC msg=audit(1381226118.448:6322): avc: denied { create } for pid=19326 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket

I assume that sysadm_t is not allowed to transition to iotop_t. What is the right way to write this into my .te file? I note that in the SELinux reference policy there are a number of calls to:

    optional_policy(`
        uml_role(sysadm_r, sysadm_t)
    ')

What is the function of the <domain>_role() call, and is this what I should be using? (I have iotop_role in my .if.) Following that, what is the correct way to allow sysadm_t to execute this, but not staff_t etc.?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=10163

--
Sincerely,

William Brown

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
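To illustrate the <domain>_role() convention asked about above, here is an added refpolicy-style sketch (not from the original post or the iotop package): the confined domain, its role interface, and the role call made only for sysadm_r so staff_t gets neither the transition nor the role authorisation. The .fc and .te contents, the iotop_exec_t type and the iotop_domtrans interface name are assumptions; the full rule set iotop needs must come from the audit log.

```m4
## iotop.fc -- label the binary so executing it can trigger a transition
/usr/sbin/iotop    --    gen_context(system_u:object_r:iotop_exec_t,s0)

## iotop.te -- the confined domain itself
policy_module(iotop, 1.0.0)

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

# iotop reads per-process I/O accounting over netlink; this is the
# netlink_socket { create } that the AVC above reports (as sysadm_t,
# because no transition into iotop_t has happened yet).
allow iotop_t self:netlink_socket create_socket_perms;

# /proc state for all processes, and the caller's terminal for output.
kernel_read_system_state(iotop_t)
domain_read_all_domains_state(iotop_t)
userdom_use_user_terminals(iotop_t)
# Add further rules here only as denials show up with scontext iotop_t.

## iotop.if -- interfaces that other modules call
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

# <domain>_role(role, userdomain): authorises the role for iotop_t
# (a transition is refused if the new type is not valid for the role),
# wires up the domain transition, and lets the caller inspect and
# signal the resulting process.
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
	')
	role $1 types iotop_t;
	iotop_domtrans($2)
	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process signal_perms;
')

## Hook-up for sysadm only (e.g. in a local module). No equivalent call
## for staff_r/staff_t, so staff_t cannot enter iotop_t at all.
optional_policy(`
	iotop_role(sysadm_r, sysadm_t)
')
```

Note that the AVC quoted above has scontext sysadm_t, so no transition into iotop_t took place; once the file context is applied (restorecon on /usr/sbin/iotop) and iotop_role is called for sysadm_r, any remaining denials should appear with iotop_t as the source and belong in iotop.te.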
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux