Description of problem: SELinux is preventing /usr/bin/atop from 'create' accesses on the rawip_socket . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that atop should be allowed create access on the rawip_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep atop /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_t:s0-s0:c0.c1023 Target Context staff_u:staff_r:staff_t:s0-s0:c0.c1023 Target Objects [ rawip_socket ] Source atop Source Path /usr/bin/atop Port <Unknown> Host (removed) Source RPM Packages atop-2.0.2-2.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-122.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-02-28 06:16:18 EST Last Seen 2014-02-28 06:16:18 EST Local ID 13d7c139-7283-4134-9fb7-9fce3518eb95 Raw Audit Messages type=AVC msg=audit(1393586178.873:1456): avc: denied { create } for pid=1020 comm="atop" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket type=SYSCALL msg=audit(1393586178.873:1456): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=3 a2=ff a3=0 items=0 ppid=3940 pid=1020 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm=atop exe=/usr/bin/atop subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Hash: atop,staff_t,staff_t,rawip_socket,create Additional info: reporter: libreport-2.1.12 hashmarkername: setroubleshoot kernel: 3.13.3-201.fc20.x86_64 type: libreport
I believe we don't want to allow this access for staff_t. It looks we will need to add a new policy also for /usr/lib/systemd/system/atop.service $ rpm -ql atop /etc/cron.d/atop /etc/logrotate.d/atop /etc/sysconfig/atop /usr/bin/atop /usr/bin/atopd /usr/bin/atopsar /usr/lib/systemd/system/atop.service /usr/share/doc/atop /usr/share/doc/atop/AUTHOR /usr/share/doc/atop/COPYING /usr/share/doc/atop/ChangeLog /usr/share/doc/atop/README /usr/share/doc/atop/README.fedora /usr/share/man/man1/atop.1.gz /usr/share/man/man1/atopsar.1.gz /var/log/atop
Yes we should dontaudit this for all users. The problem is the rawip_socket is checked for MAC before DAC. A non priv user would not be allowed this access via DAC, and so the SELinux AVC is just noice.
34c635d122d0fbbdb180b79568061a7b259c2893 dontaudit this in git.
Yes, my point is you can end up with a priv user running as sysadm SELinux user for example and you are going to be blocked to use this tool.
back ported.
selinux-policy-3.12.1-149.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-149.fc20
Package selinux-policy-3.12.1-149.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-149.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-4604/selinux-policy-3.12.1-149.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-149.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.