Bug 1016332 - sysadm_r cannot use iotop
Summary: sysadm_r cannot use iotop
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-08 00:22 UTC by William Brown
Modified: 2015-03-10 02:58 UTC (History)
CC: 4 users

Fixed In Version: selinux-policy-3.13.1-116.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-10 02:58:40 UTC
Type: Bug


Attachments
SELinux policy for iotop (67 bytes, text/plain), 2013-10-10 14:21 UTC, William Brown, no flags
SELinux policy for iotop te (890 bytes, text/plain), 2013-10-10 14:22 UTC, William Brown, no flags
SELinux policy for iotop if (971 bytes, text/plain), 2013-10-10 14:22 UTC, William Brown, no flags
SELinux policy for iotop te (715 bytes, text/plain), 2013-10-11 13:24 UTC, William Brown, no flags

Description William Brown 2013-10-08 00:22:50 UTC
Description of problem:
iotop is a system administration utility to monitor IO on a system. When running with sysadm_r, it does not operate. With auditing of dontaudit rules enabled, the following denials are listed.

type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.793:2103): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2104): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff6b39f474 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2105): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff6b39f2a0 a2=c a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2106): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7f98323881e4 a2=24 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2107): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=28b4ef4 a2=4000 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1381191349.976:2108): arch=c000003e syscall=252 success=yes exit=4 a0=1 a1=800 a2=38c2bba780 a3=20 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process

audit2allow reveals the following rules:

#============= sysadm_t ==============
allow sysadm_t init_t:process getsched;

#!!!! This avc has a dontaudit rule in the current policy
allow sysadm_t self:netlink_socket { write bind create read setopt };
allow sysadm_t staff_t:process getsched;

Given this is the sysadm role, and you need to be root at this point, should this action be allowed? Or is iotop behaving in a manner that is not acceptable?
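The audit2allow listing above is the aggregation step that turns the raw AVC records into candidate allow rules. The following Python script is an added example, not part of the bug report or of the selinux-policy project: it re-implements that aggregation over the exact records quoted in the report (embedded inline), collapsing a matching source and target type into `self` as audit2allow does, and it also pairs each AVC serial with its SYSCALL record. That pairing is worth doing before trusting a denial list: every SYSCALL record in the report says `success=yes`, so the kernel logged the denials but let the calls through, which is what a permissive mode or a permissive domain looks like. The decoded arguments of the first record (`syscall=41` with `a0=10 a1=3 a2=10`, i.e. `socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC)`) show the netlink socket is iotop's generic-netlink channel for taskstats; that decoding is my reading of the log, not something the report states.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules.

Added example. The records below are copied from the bug report; the
parser is an illustration of what audit2allow does, not audit2allow itself.
"""
import re

SAMPLE_AUDIT = """
type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.793:2103): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2104): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff6b39f474 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2105): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff6b39f2a0 a2=c a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2106): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7f98323881e4 a2=24 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2107): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=28b4ef4 a2=4000 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1381191349.976:2108): arch=c000003e syscall=252 success=yes exit=4 a0=1 a1=800 a2=38c2bba780 a3=20 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process
""".strip().splitlines()

# The audit serial (the number after the colon inside audit(...)) ties an
# AVC record to the SYSCALL record of the same event.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\):.*?avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>\w+)"
)


def context_type(ctx):
    """A context is user:role:type[:mls-range]; the type is the third field."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial's serial, permissions, source/target types and class,
    or None for anything that is not an AVC denial record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {
        "serial": m["serial"],
        "perms": m["perms"].split(),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def aggregate(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def format_rules(rules):
    """Render allow rules in audit2allow's style; a target type equal to the
    source type is written as 'self'. Output is sorted so it is stable."""
    out = []
    for stype, ttype, tclass in sorted(rules):
        perms = sorted(rules[(stype, ttype, tclass)])
        target = "self" if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def denied_but_succeeded(lines):
    """Serials whose AVC denial is paired with a SYSCALL record saying
    success=yes: the kernel logged a denial but did not enforce it, which is
    what permissive mode (or a permissive domain) looks like in audit.log."""
    succeeded = set()
    for line in lines:
        m = SYSCALL_RE.match(line)
        if m and m["success"] == "yes":
            succeeded.add(m["serial"])
    denied = {rec["serial"] for rec in map(parse_avc, lines) if rec}
    return sorted(denied & succeeded)


if __name__ == "__main__":
    for rule in format_rules(aggregate(SAMPLE_AUDIT)):
        print(rule)
    print("denied but syscall succeeded:", denied_but_succeeded(SAMPLE_AUDIT))
```

Two caveats when applying this to a real run. The script keys rules on the type field only, so it drops the MLS range the way audit2allow does; if the policy is MLS-enforcing, check the ranges separately. And on a policy that has the `extended_socket_class` policy capability enabled (later Fedora releases), a `NETLINK_GENERIC` socket is checked as class `netlink_generic_socket` rather than `netlink_socket`, so a rule written against this 2013 log would not cover it there.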

Comment 1 Daniel Walsh 2013-10-09 15:30:16 UTC
Were you working with Dominick Grift on policy for this?

Comment 2 William Brown 2013-10-09 20:17:15 UTC
Yes. When we have finished it, I'll post it here.

Comment 3 Miroslav Grepl 2013-10-10 13:12:07 UTC
Ok, thank you.

Comment 4 William Brown 2013-10-10 14:21:07 UTC
Created attachment 810546
SELinux policy for iotop

Comment 5 William Brown 2013-10-10 14:22:09 UTC
Created attachment 810547
SELinux policy for iotop te

Comment 6 William Brown 2013-10-10 14:22:47 UTC
Created attachment 810549
SELinux policy for iotop if

Comment 7 William Brown 2013-10-10 14:23:39 UTC
Attached te, if and fc files for iotop to run as sysadm_r. This has been reviewed on the SELinux mailing list, but I would like to hear other comments if you have them.

Comment 8 William Brown 2013-10-11 13:24:43 UTC
Created attachment 811096
SELinux policy for iotop te

This is a slightly updated version of the TE after another round of review.

Comment 9 Lukas Vrabec 2014-05-12 14:14:17 UTC
William, I added your policy to rawhide.

Comment 10 Jaroslav Reznik 2015-03-03 17:10:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 11 Fedora Update System 2015-03-06 22:08:36 UTC
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22

Comment 12 Fedora Update System 2015-03-09 08:37:31 UTC
Package selinux-policy-3.13.1-116.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-03-10 02:58:40 UTC
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
