> > > > > > > > You can remove the iotop_role(): it's pretty useless.
> > > >
> > > > Do you mean this line?
> > > >
> > > > role iotop_roles types iotop_t;
> >
> > no i mean this ( from the iotop.if file ):
>
> ########################################
> ## <summary>
> ##	Role allowed to access and manage processes in the iotop domain.
> ## </summary>
> ## <param name="role">
> ##	<summary>
> ##	Role allowed access to iotop
> ##	</summary>
> ## </param>
> ## <param name="domain">
> ##	<summary>
> ##	User domain for the role
> ##	</summary>
> ## </param>
> #
> interface(`iotop_role',`
> 	gen_require(`
> 		type iotop_t;
> 		attribute_role iotop_roles;
> 	')
>
> 	roleattribute $1 iotop_roles;
>
> 	iotop_domtrans($2)
>
> 	ps_process_pattern($2, iotop_t)
> 	allow $2 iotop_t:process { signull signal sigkill };
> ')
>

OHHHH I see. I have removed it now.

> ok, earlier you showed me this, but yes if you cannot reproduce then
> ignore it for now:
>
> allow iotop_t random_device_t:chr_file read;
>

Yep. Perhaps another one of my mistakes from my permissive / not permissive issue? Anyway, I tested that I certainly need the urandom rule by removing it to see if I get avc's, which I do, so I have left it in the te.

--
Sincerely,

William Brown
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
role iotop_roles types iotop_t;

#permissive iotop_t;

########################################
#
# iotop local policy
#

# per-process I/O accounting comes from taskstats over generic netlink,
# which is why net_admin and the netlink sockets are needed
allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_route_socket r_netlink_socket_perms;
allow iotop_t self:netlink_socket create_socket_perms;
allow iotop_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(iotop_t)

# removing this rule produces AVC denials on /dev/urandom, so it stays
dev_read_urand(iotop_t)

domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)

auth_read_passwd(iotop_t)

corecmd_exec_bin(iotop_t)

miscfiles_read_localization(iotop_t)

userdom_use_user_terminals(iotop_t)

optional_policy(`
	sssd_read_public_files(iotop_t)
')
## <summary>Simple top-like I/O monitor</summary>

########################################
## <summary>
##	Allow execution of iotop in the iotop domain from the target domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition to iotop.
##	</summary>
## </param>
#
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

########################################
## <summary>
##	Execute iotop in the iotop domain, and
##	allow the specified role to access the iotop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed into the iotop domain.
##	</summary>
## </param>
#
interface(`iotop_run',`
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	iotop_domtrans($1)
	roleattribute $2 iotop_roles;
')
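The check described in the message (drop a rule, rebuild, see whether AVC denials come back) is normally read off ausearch and audit2allow; as an added example that is not part of the thread or of the iotop policy, the function below does the core of audit2allow's job in plain awk, merging AVC denials into one allow rule per source type, target type and class. The audit lines, pid and inode values are constructed for the example, not real log output.

```shell
#!/bin/sh
# Added example, not from the thread: distil AVC denials into allow rules,
# one rule per (source type, target type, class), permissions merged.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # permissions sit between the braces: "denied  { read open } for ..."
        perms = $0
        sub(/^.*denied *[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # the third colon-separated component of a context is the type
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        if (ttype == stype) ttype = "self"
        key = stype " " ttype ":" tclass
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j]
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (k = 1; k <= count; k++) {
            key = keys[k]
            sub(/^ /, "", seen[key])
            printf "allow %s { %s };\n", key, seen[key]
        }
    }'
}

# Constructed sample denials (shaped like /var/log/audit/audit.log entries,
# not real output): iotop_t reading /dev/urandom, plus a capability denial.
SAMPLE_AVC='type=AVC msg=audit(1400000000.123:456): avc:  denied  { read } for  pid=1234 comm="iotop" name="urandom" dev="devtmpfs" ino=1029 scontext=unconfined_u:unconfined_r:iotop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1400000000.124:457): avc:  denied  { open } for  pid=1234 comm="iotop" path="/dev/urandom" dev="devtmpfs" ino=1029 scontext=unconfined_u:unconfined_r:iotop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1400000000.200:458): avc:  denied  { net_admin } for  pid=1234 comm="iotop" capability=12 scontext=unconfined_u:unconfined_r:iotop_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:iotop_t:s0-s0:c0.c1023 tclass=capability permissive=0'

# Returns the rules for the sample; on a live system feed it
# "ausearch -m avc -ts recent" output instead.
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

sample_rules
```

The first rule printed is the raw form of what dev_read_urand(iotop_t) grants, which is the denial the message says comes back when that line is removed. Rules collected while iotop_t was permissive deserve a second look, because in permissive mode the process continues past each denial and can log accesses it would never reach once enforcing.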
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux