Bug 254643 - sys-process/iotop-0.2.1 selinux policy
Summary: sys-process/iotop-0.2.1 selinux policy
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords: Bug
Depends on:
Blocks:
 
Reported: 2009-01-12 14:05 UTC by Marian 'VooDooMan' Meravy
Modified: 2009-08-18 18:18 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
selinux module (my_iotop.te,193 bytes, text/plain)
2009-01-12 14:17 UTC, Marian 'VooDooMan' Meravy

Description Marian 'VooDooMan' Meravy 2009-01-12 14:05:41 UTC
If you are using this package on hardened sources with SELinux in strict policy, it will display "permission denied" in a stack trace and exit immediately (since it is written in Python).

Reproducible: Always

Steps to Reproduce:
1. # iotop

Actual Results:  
It will display "permission denied" in a stack trace and exit immediately (since it is written in Python).

Expected Results:  
Should behave similar to "top".

I made an SELinux package that resolves the problem, and "iotop" works well under SELinux strict policy.

Here is the my_iotop.te SELinux module / patch:

---
policy_module(my_iotop,1.0.0)

# The user domains are declared by the base policy, so they are pulled in
# through a require block rather than redeclared here.
require {
    type sysadm_t;
    type staff_t;
    type user_t;
}

# Let each user domain create and use a netlink socket labelled with its own
# context. Note the object class is the generic netlink_socket, not one of
# the protocol-specific classes such as netlink_route_socket.
allow { sysadm_t staff_t user_t } self:netlink_socket { bind create read setopt write };

#eof

---

Unfortunately, it works only when executed as the root (uid 0) user.
Comment 1 Marian 'VooDooMan' Meravy 2009-01-12 14:17:47 UTC
Created attachment 178171
selinux module
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2009-08-18 18:18:21 UTC
(In reply to comment #0)
> allow { sysadm_t staff_t user_t } self:netlink_socket { bind create read setopt
> write };

I don't want to add rules for generic netlink sockets.  It means there is a netlink socket that SELinux doesn't know about, as opposed to netlink sockets like netlink_route_socket or netlink_selinux_socket, for example.  This really needs to go to SELinux upstream to get SELinux to recognize the socket.

> unfortunatelly, works only when executed as root (uid 0) user.

This means it likely should only be for sysadm.
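The exchange above turns on two things: the allow rule the reporter derived from his denials, and the maintainer's observation that a denial on the generic netlink_socket class means the kernel's SELinux hooks did not recognise the netlink protocol being opened. The following Python script is an added example written for this page; it is not code from the bug, from iotop, or from the Gentoo policy. It parses a constructed sample of the AVC denials one would expect from the reporter's scenario, collapses them into an allow rule the way audit2allow would (reproducing the rule posted in the bug), renders it as a .te module in the same shape, and flags any program that was denied on the catch-all class. The protocol-to-class table is reconstructed from memory of the kernel's security/selinux/hooks.c as it stood around 2009 and should be treated as an assumption; the statement that iotop reads taskstats over NETLINK_GENERIC (protocol 16) is not on the page either, but it is why iotop lands in the generic class.

```python
import re
from collections import defaultdict

# Dedicated SELinux classes for AF_NETLINK sockets by protocol number
# (<linux/netlink.h>), as the kernels of 2009 assigned them; reconstructed
# from memory of security/selinux/hooks.c, so treat it as an assumption.
# Any protocol not listed here falls through to the catch-all class.
NETLINK_CLASS_BY_PROTOCOL = {
    0: "netlink_route_socket", 3: "netlink_firewall_socket",
    4: "netlink_tcpdiag_socket", 5: "netlink_nflog_socket",
    6: "netlink_xfrm_socket", 7: "netlink_selinux_socket",
    9: "netlink_audit_socket", 13: "netlink_ip6fw_socket",
    14: "netlink_dnrt_socket", 15: "netlink_kobject_uevent_socket",
}
GENERIC_CLASS = "netlink_socket"
NETLINK_GENERIC = 16  # iotop's taskstats client uses this protocol (not stated on the page)


def netlink_class(protocol):
    """Object class SELinux checks for an AF_NETLINK socket of this protocol."""
    return NETLINK_CLASS_BY_PROTOCOL.get(protocol, GENERIC_CLASS)


# Constructed sample audit log for the reporter's scenario (written for this
# example, not copied from the bug). The last line is a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1231768800.101:201): avc:  denied  { create } for  pid=4242 comm="iotop" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_socket
type=AVC msg=audit(1231768800.102:202): avc:  denied  { setopt } for  pid=4242 comm="iotop" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_socket
type=AVC msg=audit(1231768800.103:203): avc:  denied  { bind } for  pid=4242 comm="iotop" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_socket
type=AVC msg=audit(1231768800.104:204): avc:  denied  { write } for  pid=4242 comm="iotop" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_socket
type=AVC msg=audit(1231768800.105:205): avc:  denied  { read } for  pid=4242 comm="iotop" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_socket
type=SYSCALL msg=audit(1231768800.105:205): arch=c000003e syscall=41 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Fields of one AVC denial, or None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is always the third field.
    return {"perms": set(m.group("perms").split()), "comm": m.group("comm"),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}


def rules_from_denials(lines):
    """One allow rule per (source type, target, class), audit2allow-style;
    the target is written 'self' when source and target types match."""
    perms = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        perms[(d["stype"], target, d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def generic_netlink_users(lines):
    """Programs denied on the catch-all class: their netlink protocol has no
    dedicated class, so the fix belongs upstream rather than in a local rule."""
    return sorted({d["comm"] for d in filter(None, map(parse_avc, lines))
                   if d["tclass"] == GENERIC_CLASS})


def te_module(name, rules):
    """Render rules as a .te module in the shape the reporter attached."""
    types = {r.split()[1] for r in rules}
    types |= {r.split()[2].split(":")[0] for r in rules} - {"self"}
    body = [f"policy_module({name}, 1.0.0)", "", "require {"]
    body += [f"    type {t};" for t in sorted(types)] + ["}", ""] + rules
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    denials = SAMPLE_AUDIT_LOG.splitlines()
    print(te_module("my_iotop", rules_from_denials(denials)))
    for comm in generic_netlink_users(denials):
        print(f"# {comm} hit {GENERIC_CLASS}: e.g. protocol {NETLINK_GENERIC} "
              f"maps to {netlink_class(NETLINK_GENERIC)}; needs an upstream class")
```

Run against the sample, the script reproduces the reporter's rule for sysadm_t and then prints the warning the maintainer's reply implies: because the denial names netlink_socket rather than a protocol-specific class, a local allow rule would grant access to every netlink protocol the kernel does not yet distinguish, which is why the request was sent upstream instead.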