> > > Me thinks you need auth_use_nsswitch(). Looks like your code is calling
> > > getpw(), which is causing some of these accesses. auth_use_nsswitch will
> > > make you handle all forms of authorization.
> >
> > yes, but
>
> It doesn't need any authentication though, and also many other hallmarks
> of nsswitch are not there, for example reading network config or doing dns
> resolving, or creating tcp/udp sockets.

I believe it's for resolving the UID/GID to usernames/group names in the
display. Either way, I have taken your advice, and replaced the passwd /
sssd parts with this and it works correctly.

> not sure why it needs to create netlink route sockets (i am assuming
> that in some scenario it might need to read the routing table, but
> against my own advice i made assumptions)
>
> this is actually a really simple app, the only thing that i wonder about
> are the details about the net_admin and netlink_route_socket. I thought
> it might have been for iscsi scenarios but that's just assumption.

Again, this may have been one of my mistakes. I have removed that line and
it still worked.

To eliminate this, I went through and checked that each line of the policy,
when removed, now causes a denial, which it does. Here is the "minimised"
policy.

policy_module(iotop, 1.0.0)

########################################
#
# Declarations
#

attribute_role iotop_roles;
roleattribute system_r iotop_roles;

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
role iotop_roles types iotop_t;

#permissive iotop_t;

########################################
#
# iotop local policy
#

allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_socket r_netlink_socket_perms;

kernel_read_system_state(iotop_t)
dev_read_urand(iotop_t)
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)
auth_use_nsswitch(iotop_t)
corecmd_exec_bin(iotop_t)
miscfiles_read_localization(iotop_t)
userdom_use_user_terminals(iotop_t)

--
Sincerely,

William Brown
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xEFC416D781A8099A
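The per-rule check described in the message (remove one line, rebuild, confirm a denial) as an added example that is not part of the thread: a Python helper that takes the iotop module text above, embedded here as sample input, and emits one leave-one-out variant per access rule. Building and loading each variant, running iotop, and watching the audit log for AVC denials is left to the usual SELinux toolchain.

```python
import re

# Sample input: the iotop module posted in the message, embedded here.
IOTOP_TE = """\
policy_module(iotop, 1.0.0)
attribute_role iotop_roles;
roleattribute system_r iotop_roles;
type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)
role iotop_roles types iotop_t;
allow iotop_t self:capability net_admin;
allow iotop_t self:netlink_socket r_netlink_socket_perms;
kernel_read_system_state(iotop_t)
dev_read_urand(iotop_t)
domain_getsched_all_domains(iotop_t)
domain_read_all_domains_state(iotop_t)
auth_use_nsswitch(iotop_t)
corecmd_exec_bin(iotop_t)
miscfiles_read_localization(iotop_t)
userdom_use_user_terminals(iotop_t)
"""

# Statements every variant keeps: module header, type and role declarations.
# Everything else is an access rule (a raw allow rule or a refpolicy
# interface call) that the check tries removing one at a time.
DECLARATION = re.compile(
    r"^(policy_module|attribute_role|roleattribute|type|role|application_domain)\b")

def access_rules(te_text):
    """Return the access-granting statements of a .te module, in file order."""
    rules = []
    for line in te_text.splitlines():
        stmt = line.strip()
        if not stmt or stmt.startswith("#") or DECLARATION.match(stmt):
            continue
        rules.append(stmt)
    return rules

def leave_one_out(te_text):
    """Return (removed_rule, variant_text) pairs, one per access rule.
    Each variant is the complete module with exactly that rule commented
    out; if iotop still runs with no AVC denial under it, the rule is
    unnecessary and can be dropped from the minimised policy."""
    variants = []
    for rule in access_rules(te_text):
        lines = [("# removed: " + ln.strip()) if ln.strip() == rule else ln
                 for ln in te_text.splitlines()]
        variants.append((rule, "\n".join(lines) + "\n"))
    return variants
```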
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux