Re: Running iotop as sysadm_r

On 04/16/2015 08:43 AM, William wrote:
> Hi,
> 
> I am trying to run iotop as sysadm_t
> 
> staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
> 
> This triggers a number of AVC's
> 
> I figured that perhaps sysadm_t isn't allowed access to the iotop
> domain. So I had a look and found in sysadm.te where this should go,
> such as:
> 
> optional_policy(`
>         iotop_run(sysadm_t, sysadm_r)
> ')
Yes, this is the correct way to make it work.
> 
> I'm getting a number of denials such as:
> 
> 
> type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41
> success=yes exit=7 a0=10 a1=3 a2=10 a3=3 items=0 ppid=19850 pid=3617
> auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
> subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.684:1392): avc:  denied  { setopt } for
> pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
> permissive=1
> type=SYSCALL msg=audit(1429158621.684:1392): arch=c000003e syscall=54
> success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff1f3acb7c items=0 ppid=19850
> pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
> subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.684:1393): avc:  denied  { bind } for
> pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
> permissive=1
> type=SYSCALL msg=audit(1429158621.684:1393): arch=c000003e syscall=49
> success=yes exit=0 a0=7 a1=7fff1f3ac9d0 a2=c a3=7fff1f3aca00 items=0
> ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
> exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for
> pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
> permissive=1
> type=SYSCALL msg=audit(1429158621.684:1394): arch=c000003e syscall=51
> success=yes exit=0 a0=7 a1=7fff1f3ac9c0 a2=7fff1f3ac9bc a3=7fff1f3aca00
> items=0 ppid=19850 pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iotop"
> exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1429158621.687:1395): avc:  denied  { write } for
> pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
> permissive=1
> type=SYSCALL msg=audit(1429158621.687:1395): arch=c000003e syscall=44
> success=yes exit=36 a0=3 a1=7fae4ac392d4 a2=24 a3=0 items=0 ppid=19850
> pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
> subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1429158621.687:1396): avc:  denied  { read } for
> pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket
> permissive=1
> type=SYSCALL msg=audit(1429158621.687:1396): arch=c000003e syscall=45
> success=yes exit=112 a0=3 a1=1369764 a2=4000 a3=0 items=0 ppid=19850
> pid=3617 auid=1176360 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts1 ses=1 comm="iotop" exe="/usr/bin/python2.7"
> subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
> ^C
> 
> If we focus on one of them:
> 
> type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for
> pid=3617 
> comm="iotop" 
> scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023
> tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 
> tclass=netlink_socket 
> permissive=1
> 
> 
> However, this should be allowed as:
> 
> sesearch -A -s iotop_t 
> 
>    allow iotop_t iotop_t : netlink_route_socket { ioctl read write
> create getattr setattr lock append bind connect getopt setopt shutdown
> nlmsg_read } ; 
> 
> I think that I'm missing something related to the sysadm_r roles. What's
> the correct way to edit the policy to allow sysadm_r to run iotop_t
> correctly? Tips would be appreciated.
> 
> Sincerely,
> 
It's about netlink_socket against netlink_route_socket. You also need to add

allow iotop_t self:netlink_socket create_socket_perms;

I added it to Fedora.


-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
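The mismatch in this thread is easy to miss by eye: the AVC records say tclass=netlink_socket while the sesearch rule covers netlink_route_socket, so the existing allow never applies. The following added example (not code from the thread, Fedora, or the iotop project) parses AVC lines keyed on exact (source type, target type, class) and reports only the permissions no rule grants for that class, the same comparison audit2allow-style tooling does. The audit lines and the allow table are constructed to mirror the thread; the thread's actual fix uses the broader create_socket_perms macro rather than the three individually denied permissions listed here.

```python
import re
from collections import defaultdict

# Constructed sample: one SYSCALL record (no denial) and three AVC records
# in the same shape as the audit output quoted in the thread.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1429158621.683:1391): arch=c000003e syscall=41 success=yes exit=7 comm="iotop" subj=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429158621.684:1392): avc:  denied  { setopt } for  pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.684:1393): avc:  denied  { bind } for  pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
type=AVC msg=audit(1429158621.684:1394): avc:  denied  { getattr } for  pid=3617 comm="iotop" scontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
"""

# Constructed stand-in for the `sesearch -A -s iotop_t` output in the thread:
# iotop_t is allowed the netlink_route_socket class on itself, nothing more.
KNOWN_ALLOWS = {
    ("iotop_t", "iotop_t", "netlink_route_socket"): {
        "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
        "append", "bind", "connect", "getopt", "setopt", "shutdown", "nlmsg_read",
    },
}

AVC_RE = re.compile(
    r"type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """The type is the third field of user:role:type[:range]."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)

def missing_rules(denied, allows):
    """Emit an allow rule only for permissions not already granted on that exact class."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denied.items()):
        need = sorted(perms - allows.get((stype, ttype, tclass), set()))
        if need:
            target = "self" if stype == ttype else ttype
            rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(need)} }};")
    return rules

if __name__ == "__main__":
    for rule in missing_rules(parse_avc_denials(SAMPLE_AUDIT), KNOWN_ALLOWS):
        print(rule)
```

Because the lookup is keyed on the class, the netlink_route_socket rule contributes nothing and the netlink_socket denials surface as a new self rule; a denial on netlink_route_socket itself would be matched and dropped.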