> > > I made a 30 minute demonstration about creating policy for iotop (on
> > > rhel6) : https://www.youtube.com/watch?v=WcF9QkqLcKs
> >
> > Fantastic. Thanks for your combined emails. It has revealed a lot to me.
> > I'll watch your video, and will create a similar policy for iotop on
> > Fedora. If you don't mind, I'll post it here for review once I'm done.
>
> Sure, you can post it, but if the policy looks like the one I created in
> my video then it's ok.

Well hopefully it does. I'm not aiming to copy your policy directly, as I want to learn the steps so I can write these for myself.

I have already run into one issue. I have created an iotop module and an iotop_sysadm module, but once loaded I see a number of errors in ausearch like:

libsepol.sepol_context_to_sid: could not convert staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 to sid
libsepol.context_from_record: invalid security context: "staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure

My research shows this happens when you forget the "s0" on a file context, but this isn't the case here. I've attached the policy that I have partially written at this point, and any advice would be appreciated on this.

--
Sincerely,

William Brown
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
/usr/sbin/iotop -- gen_context(system_u:object_r:iotop_exec_t,s0)
## <summary>Simple top-like I/O monitor</summary>

########################################
## <summary>
##	Execute iotop in the iotop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

########################################
## <summary>
##	Execute iotop in the iotop domain, and
##	allow the specified role the iotop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the iotop domain.
##	</summary>
## </param>
#
interface(`iotop_run',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	iotop_domtrans($1)
	# The role inherits every type authorized for iotop_roles
	# (see "role iotop_roles types ..." in iotop.te).
	roleattribute $2 iotop_roles;
')

########################################
## <summary>
##	Role access for iotop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	roleattribute $1 iotop_roles;

	iotop_domtrans($2)

	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { signull signal sigkill };
')
policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
# Authorize every role carrying iotop_roles (system_r here, sysadm_r via
# iotop_run) for the iotop_t domain. Without this statement the role is
# not valid for the type, so a context such as
# staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 cannot be converted to a SID.
role iotop_roles types iotop_t;
permissive iotop_t;

########################################
#
# iotop local policy
#

#allow iotop_t self:fifo_file manage_fifo_file_perms;
#allow iotop_t self:unix_stream_socket create_stream_socket_perms;

#domain_use_interactive_fds(iotop_t)

#files_read_etc_files(iotop_t)

miscfiles_read_localization(iotop_t)
policy_module(iotop_sysadm, 1.0.0)

optional_policy(`
	gen_require(`
		type sysadm_t;
		role sysadm_r;
	')

	iotop_run(sysadm_t, sysadm_r)
')
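A small lint for exactly this failure, added here as an example (it is not code from the thread or from refpolicy): it reads a .te source, finds every `attribute_role` that no `role <attr> types ...;` statement authorizes for a process domain, and proposes the missing line. The sample policy text is constructed from the module posted above.

```python
import re

# Constructed sample modelled on the posted iotop.te: it declares the role
# attribute but never authorizes it for the iotop_t domain.
SAMPLE_TE = """\
policy_module(iotop, 1.0.0)
attribute_role iotop_roles;
roleattribute system_r iotop_roles;
type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
permissive iotop_t;
#allow iotop_t self:fifo_file manage_fifo_file_perms;
miscfiles_read_localization(iotop_t)
"""

# refpolicy interfaces whose first argument declares a process domain type.
DOMAIN_DECLS = ("application_domain", "init_daemon_domain", "init_system_domain")


def strip_comments(text):
    """Drop '#' comments (including '##' doc lines) before matching."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def role_attrs_without_types(te_text):
    """Role attributes declared with attribute_role but never named in a
    'role <attr> types ...;' statement.  A role that only carries such an
    attribute is not valid for the domain, so user:role:domain contexts
    built from it are rejected by libsepol."""
    src = strip_comments(te_text)
    declared = set(re.findall(r"\battribute_role\s+(\w+)\s*;", src))
    granted = set(re.findall(r"\brole\s+(\w+)\s+types\s+[^;]+;", src))
    return sorted(declared - granted)


def domain_types(te_text):
    """Process domain types declared through the refpolicy domain interfaces."""
    pattern = r"\b(?:%s)\(\s*(\w+)" % "|".join(DOMAIN_DECLS)
    return sorted(set(re.findall(pattern, strip_comments(te_text))))


def suggest_fixes(te_text):
    """One 'role <attr> types <domain>;' line per missing authorization."""
    return ["role %s types %s;" % (attr, dom)
            for attr in role_attrs_without_types(te_text)
            for dom in domain_types(te_text)]


if __name__ == "__main__":
    for line in suggest_fixes(SAMPLE_TE) or ["no missing role/type authorizations"]:
        print(line)
```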
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux