Re: iotop policy development advice

> > 
> > > I made a 30 minute demonstration about creating policy for iotop (on
> > > rhel6) : https://www.youtube.com/watch?v=WcF9QkqLcKs
> > > 
> > 
> > Fantastic. Thanks for your combined emails. It has revealed a lot to me.
> > I'll watch your video, and will create a similar policy for iotop on
> > Fedora. If you don't mind, I'll post it here for review once I'm done.
> > 
> 
> sure, you can post it but if the policy looks like the one I created in
> my video then it's ok
> 

Well hopefully it does. I'm not aiming to copy your policy directly, as
I want to learn the steps so I can write these for myself.

I have already run into one issue. I have created an iotop module and
iotop_sysadm module, but once loaded I see a number of errors in
ausearch like:

libsepol.sepol_context_to_sid: could not convert
staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 to sid
libsepol.context_from_record: invalid security context:
"staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure


My research shows this is when you forget the "s0" on a file context,
but this isn't the case here.

I've attached my policy that I have partially written at this point, and
any advice would be appreciated on this.


-- 
Sincerely,

William Brown

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A

/usr/sbin/iotop		--	gen_context(system_u:object_r:iotop_exec_t,s0)

## <summary>Simple top-like I/O monitor</summary>

########################################
## <summary>
##	Execute iotop in the iotop domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

########################################
## <summary>
##	Execute iotop in the iotop domain, and
##	allow the specified role the iotop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the iotop domain.
##	</summary>
## </param>
#
interface(`iotop_run',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	iotop_domtrans($1)
	roleattribute $2 iotop_roles;
')

########################################
## <summary>
##	Role access for iotop
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	roleattribute $1 iotop_roles;

	iotop_domtrans($2)

	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { signull signal sigkill };
')

policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

permissive iotop_t;

########################################
#
# iotop local policy
#

#allow iotop_t self:fifo_file manage_fifo_file_perms;
#allow iotop_t self:unix_stream_socket create_stream_socket_perms;

#domain_use_interactive_fds(iotop_t)

#files_read_etc_files(iotop_t)

miscfiles_read_localization(iotop_t)

policy_module(iotop_sysadm, 1.0.0)

optional_policy(`
    gen_require(`
        type sysadm_t;
        role sysadm_r;
    ')
    iotop_run(sysadm_t, sysadm_r)
')

Attachment: signature.asc
Description: This is a digitally signed message part
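The libsepol errors quoted above are context validation failures: a context is only valid when its role is authorized for its type, and the posted iotop.te declares iotop_roles and adds system_r to it but never binds the attribute to the domain with `role iotop_roles types iotop_t;`, so staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 is rejected. The following Python check is an added example, not code from this mail or from the refpolicy tooling; it flags that omission and also the missing-s0 file-context mistake the poster mentions, on constructed samples modelled on the attached module.

```python
"""Lint two causes of 'invalid security context' in a refpolicy module (added example,
not code from the mail): a .fc gen_context() without an MLS level, and an attribute_role
that is declared but never bound to a domain with 'role <attr> types <type>;'."""
import re

# gen_context(<context>[,<level>[,<cats>]]): group 2 is the level, if present
RE_GEN_CONTEXT = re.compile(r'gen_context\(\s*([^,\s)]+)\s*(?:,\s*([^,\s)]+))?[^)]*\)')
RE_ATTR_ROLE = re.compile(r'^\s*attribute_role\s+(\w+)\s*;', re.M)
RE_ROLE_TYPES = re.compile(r'^\s*role\s+(\w+)\s+types\s+[^;]+;', re.M)

def strip_comments(text):
    """Drop '#' comments so commented-out statements are not counted."""
    return re.sub(r'#.*', '', text)

def check_fc(fc_text):
    """Problems in a .fc file: every gen_context() entry must carry a level (s0)."""
    problems = []
    for lineno, line in enumerate(strip_comments(fc_text).splitlines(), 1):
        m = RE_GEN_CONTEXT.search(line)
        if m and m.group(2) is None:
            problems.append(f"fc line {lineno}: gen_context({m.group(1)}) has no level; add ',s0'")
    return problems

def check_te(te_text):
    """Problems in a .te file: each attribute_role needs a 'role <attr> types ...;' line,
    otherwise no role (sysadm_r included) is authorized for the domain type and
    contexts such as staff_u:sysadm_r:iotop_t:s0 are rejected as invalid."""
    clean = strip_comments(te_text)
    bound = set(RE_ROLE_TYPES.findall(clean))
    return [f"attribute_role {a} is never bound: add 'role {a} types <domain_t>;'"
            for a in RE_ATTR_ROLE.findall(clean) if a not in bound]

# Constructed samples modelled on the iotop module posted in the mail.
FC_BAD = "/usr/sbin/iotop\t\t--\tgen_context(system_u:object_r:iotop_exec_t)\n"
FC_OK = "/usr/sbin/iotop\t\t--\tgen_context(system_u:object_r:iotop_exec_t,s0)\n"
TE_BAD = """policy_module(iotop, 1.0.0)
attribute_role iotop_roles;
roleattribute system_r iotop_roles;
type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
"""
TE_OK = TE_BAD + "role iotop_roles types iotop_t;\n"

if __name__ == "__main__":
    for name, problems in (("fc", check_fc(FC_BAD) + check_fc(FC_OK)),
                           ("te", check_te(TE_BAD) + check_te(TE_OK))):
        print(name, problems or "ok")
```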

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
