If you are using this package on hardened sources with SELinux in strict policy, it will display "permission denied" in a stack trace and exit immediately (since it is written in Python).

Reproducible: Always

Steps to Reproduce:
1. # iotop

Actual Results:
It will display "permission denied" in a stack trace and exit immediately (since it is written in Python).

Expected Results:
Should behave similar to "top".

I made an SELinux package that resolves the problem, and "iotop" works well under SELinux strict policy. Here is the my_iotop.te SELinux module / patch:

---
policy_module(my_iotop,1.0.0)

require {
    type sysadm_t;
    type staff_t;
    type user_t;
}

allow { sysadm_t staff_t user_t } self:netlink_socket { bind create read setopt write };
#eof
---

Unfortunately, works only when executed as root (uid 0) user.
Created attachment 178171: selinux module
(In reply to comment #0)
> allow { sysadm_t staff_t user_t } self:netlink_socket { bind create read setopt write };

I don't want to add rules for generic netlink sockets. It means there is a netlink socket that SELinux doesn't know about, as opposed to netlink sockets like netlink_route_socket or netlink_selinux_socket, for example. This really needs to go to SELinux upstream to get SELinux to recognize the socket.

> Unfortunately, works only when executed as root (uid 0) user.

This means it likely should only be for sysadm.
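A small policy lint following the concern raised in the reply above, added here as an example and not part of the bug thread or any project's code: it scans a .te module for allow rules on the generic netlink_socket class and lists every source domain that would receive them. The function name and the regex-based parsing (plain allow rules only, no m4 macros or attribute expansion) are assumptions of this example.

```python
import re

# Constructed input: the module text as posted in the report above.
MY_IOTOP_TE = """\
policy_module(my_iotop,1.0.0)
require {
    type sysadm_t;
    type staff_t;
    type user_t;
}
allow { sysadm_t staff_t user_t } self:netlink_socket { bind create read setopt write };
#eof
"""

# Catch-all class SELinux applies when it has no protocol-specific netlink class.
GENERIC_CLASS = "netlink_socket"

# allow <source(s)> <target(s)>:<class(es)> <perm(s)>;
# Each field is a single identifier or a brace-enclosed set.
FIELD = r"(\{[^}]*\}|[\w.$-]+)"
ALLOW_RE = re.compile(
    rf"^\s*allow\s+{FIELD}\s+{FIELD}\s*:\s*{FIELD}\s+{FIELD}\s*;", re.M
)

def _items(field):
    """Expand 'a' or '{ a b }' into a list of identifiers."""
    return field.strip("{} \t\n").split()

def generic_netlink_rules(policy_text):
    """Return (source, target, perms) for each allow rule on the generic class."""
    text = re.sub(r"#.*", "", policy_text)  # drop comments such as '#eof'
    findings = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        # Exact token match, so netlink_route_socket etc. are not flagged.
        if GENERIC_CLASS not in _items(cls):
            continue
        for s in _items(src):
            for t in _items(tgt):
                findings.append((s, t, sorted(_items(perms))))
    return findings

if __name__ == "__main__":
    for src, tgt, perms in generic_netlink_rules(MY_IOTOP_TE):
        print(f"{src} -> {tgt}:{GENERIC_CLASS} {{ {' '.join(perms)} }}")
```

Run against the posted module, it reports three domains, which makes it easy to see how far the rule reaches beyond sysadm_t.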