Bug 1016332 - sysadm_r cannot use iotop
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-07 20:22 EDT by William Brown
Modified: 2015-03-09 22:58 EDT (History)
CC: 4 users

Fixed In Version: selinux-policy-3.13.1-116.fc22
Doc Type: Bug Fix
Last Closed: 2015-03-09 22:58:40 EDT
Type: Bug


Attachments
SELinux policy for iotop (67 bytes, text/plain), 2013-10-10 10:21 EDT, William Brown
SELinux policy for iotop te (890 bytes, text/plain), 2013-10-10 10:22 EDT, William Brown
SELinux policy for iotop if (971 bytes, text/plain), 2013-10-10 10:22 EDT, William Brown
SELinux policy for iotop te (715 bytes, text/plain), 2013-10-11 09:24 EDT, William Brown

Description William Brown 2013-10-07 20:22:50 EDT
Description of problem:
iotop is a system administration utility to monitor IO on a system. When running with sysadm_r, it does not operate. With don't audit rules enabled, the following denials are listed.

type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.793:2103): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=10 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2104): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=7 a3=7fff6b39f474 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2105): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff6b39f2a0 a2=c a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2106): arch=c000003e syscall=44 success=yes exit=36 a0=3 a1=7f98323881e4 a2=24 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.799:2107): arch=c000003e syscall=45 success=yes exit=112 a0=3 a1=28b4ef4 a2=4000 a3=0 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1381191349.976:2108): arch=c000003e syscall=252 success=yes exit=4 a0=1 a1=800 a2=38c2bba780 a3=20 items=0 ppid=21676 pid=22287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts6 comm="iotop" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process

audit2allow reveals the following rules:

#============= sysadm_t ==============
allow sysadm_t init_t:process getsched;

#!!!! This avc has a dontaudit rule in the current policy
allow sysadm_t self:netlink_socket { write bind create read setopt };
allow sysadm_t staff_t:process getsched;

Given this is the sysadm role, and you need to be root at this point, should this action be allowed? Or is iotop behaving in a manner that is not acceptable?
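The aggregation audit2allow performs on the denials above can be reproduced with a short parser, which is useful when reviewing a proposed policy: it shows which rules are self-only and which reach into other domains. The following is an added example, not code from this bug report or from the attached iotop policy; it embeds the AVC records quoted in the description as constructed sample input (two SYSCALL records are kept to show they are skipped). Like audit2allow it writes a target type equal to the source type as self; unlike audit2allow, which guarantees no particular order, it sorts the permissions inside braces so the output is stable.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug report, with
# two of the interleaved SYSCALL records kept to show that they are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1381191349.793:2103): avc:  denied  { create } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.793:2103): arch=c000003e syscall=41 success=yes exit=7 comm="iotop" exe="/usr/bin/python2.7"
type=AVC msg=audit(1381191349.794:2104): avc:  denied  { setopt } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.794:2105): avc:  denied  { bind } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=SYSCALL msg=audit(1381191349.794:2105): arch=c000003e syscall=49 success=yes exit=0 comm="iotop" exe="/usr/bin/python2.7"
type=AVC msg=audit(1381191349.799:2106): avc:  denied  { write } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.799:2107): avc:  denied  { read } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
type=AVC msg=audit(1381191349.976:2108): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1381191349.979:2109): avc:  denied  { getsched } for  pid=22287 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=process
"""

# Matches one AVC denial record; SYSCALL and other record types do not match.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated field) of a security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (comm, source_type, target_type, tclass, perms) for each AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are not denials
        denials.append((
            m.group("comm"),
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def audit2allow_rules(text):
    """Fold the denials into one allow rule per (source, target, class).

    A target type equal to the source type is written as 'self', as audit2allow
    does. Permissions are sorted alphabetically for stable output (audit2allow
    itself does not promise any order).
    """
    perms_by_key = defaultdict(set)
    for _comm, stype, ttype, tclass, perms in parse_denials(text):
        target = "self" if ttype == stype else ttype
        perms_by_key[(stype, target, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(perms_by_key.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


def cross_domain_targets(text):
    """Target domains other than the subject's own domain.

    These are the rules a policy reviewer weighs most carefully, because they
    let the subject domain act on processes or objects labelled for another
    domain rather than only on its own resources.
    """
    return sorted({ttype for _c, stype, ttype, _cls, _p in parse_denials(text)
                   if ttype != stype})


if __name__ == "__main__":
    for rule in audit2allow_rules(SAMPLE_AUDIT):
        print(rule)
    print("cross-domain targets:", ", ".join(cross_domain_targets(SAMPLE_AUDIT)))
```

Run against the sample it reproduces the three rules quoted in the report and lists init_t and staff_t as the domains sysadm_t reaches into, which is exactly the question the reporter raises. One practical caveat when collecting input for it: denials covered by a dontaudit rule (the netlink_socket ones here) only appear in the audit log after dontaudit rules have been disabled with `semodule -DB`; rebuild with `semodule -B` afterwards to restore normal logging.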
Comment 1 Daniel Walsh 2013-10-09 11:30:16 EDT
Were you working with Dominick Grift on policy for this?
Comment 2 William Brown 2013-10-09 16:17:15 EDT
Yes. When we have finished it, I'll post it here.
Comment 3 Miroslav Grepl 2013-10-10 09:12:07 EDT
Ok, thank you.
Comment 4 William Brown 2013-10-10 10:21:07 EDT
Created attachment 810546
SELinux policy for iotop
Comment 5 William Brown 2013-10-10 10:22:09 EDT
Created attachment 810547
SELinux policy for iotop te
Comment 6 William Brown 2013-10-10 10:22:47 EDT
Created attachment 810549
SELinux policy for iotop if
Comment 7 William Brown 2013-10-10 10:23:39 EDT
Attached te, if and fc files for iotop to run as sysadm_r. This has been reviewed on the SELinux mailing list, but I would like to hear other comments if you have them.
Comment 8 William Brown 2013-10-11 09:24:43 EDT
Created attachment 811096
SELinux policy for iotop te

This is a slightly updated version of the TE after another round of review.
Comment 9 Lukas Vrabec 2014-05-12 10:14:17 EDT
William, I added your policy to rawhide.
Comment 10 Jaroslav Reznik 2015-03-03 12:10:17 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 11 Fedora Update System 2015-03-06 17:08:36 EST
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22
Comment 12 Fedora Update System 2015-03-09 04:37:31 EDT
Package selinux-policy-3.13.1-116.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2015-03-09 22:58:40 EDT
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
