Bug 1016332

Summary: sysadm_r cannot use iotop
Product: [Fedora] Fedora
Reporter: William Brown <william>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-116.fc22
Doc Type: Bug Fix
Last Closed: 2015-03-10 02:58:40 UTC
Type: Bug
Attachments (description, flags):
- SELinux policy for iotop (none)
- SELinux policy for iotop te (none)
- SELinux policy for iotop if (none)
- SELinux policy for iotop te (none)

Description William Brown 2013-10-08 00:22:50 UTC
Description of problem:
iotop is a system administration utility to monitor I/O on a system. When running with sysadm_r, it does not operate. With dontaudit rules enabled, the following denials are listed.

type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.793:2103): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2104): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff6b39f474 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2105): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff6b39f2a0 a2=c a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2106): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7f98323881e4 a2=24 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2107): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=28b4ef4 a2=4000 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1381191349.976:2108): arch=c000003e syscall=252 success=yes exit=4 a0=1 a1=800 a2=38c2bba780 a3=20 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process

audit2allow reveals the following rules:

#============= sysadm_t ==============
allow sysadm_t init_t:process getsched;

#!!!! This avc has a dontaudit rule in the current policy
allow sysadm_t self:netlink_socket { write bind create read setopt };
allow sysadm_t staff_t:process getsched;

Given this is the sysadm role, and you need to be root at this point, should this action be allowed? Or is iotop behaving in a manner that is not acceptable?
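As an added illustration (not part of this bug report or of the policy attached to it), the following Python reproduces the audit2allow step above: it parses the AVC records quoted in the report, groups the denied permissions by source type, target type and object class, and renders the allow rules a policy author would then review. The regex, function names and the "self" folding are my own, modelled on audit2allow's output.

```python
import re
from collections import defaultdict

# AVC records copied from the denials quoted in this bug report.
AVC_SAMPLE = """\
type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process
"""

# Only type=AVC records carry the denial; SYSCALL records are skipped, as audit2allow does.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def to_allow_rules(denials):
    """Render audit2allow-style rules; same source and target type becomes 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules

def cross_domain_rules(rules):
    """Rules touching another domain's objects (init_t, staff_t here): the ones the
    reporter questions, to be reviewed rather than pasted into policy as-is."""
    return [r for r in rules if " self:" not in r]

if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc_denials(AVC_SAMPLE)):
        print(rule)
```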

Comment 1 Daniel Walsh 2013-10-09 15:30:16 UTC
Were you working with Dominick Grift on policy for this?

Comment 2 William Brown 2013-10-09 20:17:15 UTC
Yes. When we have finished it, I'll post it here.

Comment 3 Miroslav Grepl 2013-10-10 13:12:07 UTC
Ok, thank you.

Comment 4 William Brown 2013-10-10 14:21:07 UTC
Created attachment 810546 [details]
SELinux policy for iotop

Comment 5 William Brown 2013-10-10 14:22:09 UTC
Created attachment 810547 [details]
SELinux policy for iotop te

Comment 6 William Brown 2013-10-10 14:22:47 UTC
Created attachment 810549 [details]
SELinux policy for iotop if

Comment 7 William Brown 2013-10-10 14:23:39 UTC
Attached te, if and fc files for iotop to run as sysadm_r. This has been reviewed on the SELinux mailing list, but I would like to hear other comments if you have them.

Comment 8 William Brown 2013-10-11 13:24:43 UTC
Created attachment 811096 [details]
SELinux policy for iotop te

This is a slightly updated version of the TE after another round of review.

Comment 9 Lukas Vrabec 2014-05-12 14:14:17 UTC
William, I added your policy to rawhide.

Comment 10 Jaroslav Reznik 2015-03-03 17:10:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 11 Fedora Update System 2015-03-06 22:08:36 UTC
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22

Comment 12 Fedora Update System 2015-03-09 08:37:31 UTC
Package selinux-policy-3.13.1-116.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-03-10 02:58:40 UTC
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.