Re: iotop policy development advice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-10-08 at 14:13 +0200, Dominick Grift wrote:
> On Tue, 2013-10-08 at 20:30 +1030, William Brown wrote:
> > Hi,
> > 
> > I recently raised a bug[1] that while using confined users / system
> > administrators iotop would not work. Normally, iotop only runs as root,
> > so reasonably, it shouldn't run as staff_t, but it should be able to run
> > while in sysadm_t.
> > 
> > Initially I have created the template with:
> > 
> > sepolicy generate --application /usr/sbin/iotop
> > 
> > I have build and installed this basic template for now, and of course as
> > predicted I'm still having some issues with denials.
> > 
> > Am I on the right track to setup iotop with a iotop_t policy so that it
> > can access the kernel resources it needs when a user with sysadm_t calls
> > it? Given the messages I am seeing now are as follows:
> > 
> > type=AVC msg=audit(1381226118.448:6322): avc:  denied  { create } for
> > pid=19326 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
> > tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
> > 
> > I assume that sysadm_t is not allowed to transition to iotop_t. What is
> > the right way to write this into my te file? I note that in the selinux
> > reference policy there are a number of calls to:
> > 
> >         optional_policy(`
> >                 uml_role(sysadm_r, sysadm_t)
> >         ')
> > 
> > What is the function of the <domain>_role() call, and is this what I
> > should be using (I have iotop_role in my if)
> > 
> > Following that, what is the correct way to allow the sysadm_t to execute
> > this, but not staff_t etc?
> > 
> 
> The role templates are a bit of relic of the passed. They are templates
> that provide templated rules that allow the caller to run the program in
> the programs domain, and allow the callers role access to the programs
> domain.
> 
> Back in the day, we used to prefix home directories for separation using
> role prefixes. So instead of user_home_t for generic user home content
> you would have sysadm_home_t for generic home content of sysadm.
> 
> That concept was later dropped in favor of new security model called
> user based access control.
> 
> Anyways nowadays the role template are generally used when the to
> transition program domain creates content in the user home directory or
> if the program needs to be able to run generic shells/binaries in the
> calling user domain.
> 
> For iotop you could probably just create a iotop_run interface which
> takes care of the domain transition only and will allow the calling role
> access to the target domain. I do not believe iotop creates content in
> the user home directory, or that it runs shell, and other generic
> binaries on behalf of the calling process.
> 
> An example of how your iotop module might look like is the dmidecode
> module, and its call by sysadm: 
> 
> optional_policy(`
> 	dmidecode_run(sysadm_t, sysadm_r)
> ')
> 
> 

Well the explanation above is not quite accurate.

there are more factors ( such are long running process might be suitable
for role interfaces ), plus i there is a difference between role
interfaces and per role templates.

But iptop can probably be considered a short running process, so think a
a run interface is probably the best option

> > 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=10163
> > 
> > 
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux