Hi,
I recently raised a bug[1] reporting that, when using confined users / system administrators, iotop would not work. Normally, iotop only runs as root, so reasonably, it shouldn't run as staff_t, but it should be able to run while in sysadm_t.
Initially I have created the template with:
sepolicy generate --application /usr/sbin/iotop
I have built and installed this basic template for now, and of course, as predicted, I'm still having some issues with denials.
Am I on the right track in setting up iotop with an iotop_t policy so that it can access the kernel resources it needs when a user in sysadm_t calls it? The messages I am seeing now are as follows:
type=AVC msg=audit(1381226118.448:6322): avc: denied { create } for pid=19326 comm="iotop" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_socket
I assume that sysadm_t is not allowed to transition to iotop_t. What is the right way to write this into my te file? I note that in the selinux reference policy there are a number of calls to:
optional_policy(` uml_role(sysadm_r, sysadm_t) ')
What is the function of the <domain>_role() call, and is this what I should be using? (I have iotop_role in my .if.)
Following that, what is the correct way to allow the sysadm_t to execute this, but not staff_t etc?
[1] https://bugzilla.redhat.com/show_bug.cgi?id=10163
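The post asks how a `<domain>_role()` interface works and how to let sysadm_t, but not staff_t, transition into iotop_t. Below is an added illustration of the refpolicy pattern, written for this reply; it is not the poster's module and not part of the bug report. It assumes the three files that `sepolicy generate --application` produces (iotop.te, iotop.if, iotop.fc), uses the type names iotop_t and iotop_exec_t from the post, and keeps only the netlink rule that matches the quoted AVC plus a few commented, assumed interfaces for reading /proc that the post does not confirm. Note that the denial in the post has scontext and tcontext both equal to sysadm_t: that is what you see when no domain transition happens at all, so the binary stays in the caller's domain. The role interface is what provides that transition, and because it is only ever invoked with sysadm_r/sysadm_t, staff_t receives neither the `role ... types` statement nor the domtrans rule.

```selinux
# iotop.fc  -- label the binary as the entry point for the iotop_t domain
/usr/sbin/iotop		--	gen_context(system_u:object_r:iotop_exec_t,s0)

# iotop.if  -- interfaces other modules call
## <summary>Execute iotop in the iotop domain.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
interface(`iotop_domtrans',`
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	# exec iotop_exec_t, transition to iotop_t, entrypoint via iotop_exec_t
	domtrans_pattern($1, iotop_exec_t, iotop_t)
')

## <summary>Role access to iotop.</summary>
## <param name="role"><summary>Role allowed access (e.g. sysadm_r).</summary></param>
## <param name="domain"><summary>User domain for that role (e.g. sysadm_t).</summary></param>
interface(`iotop_role',`
	gen_require(`
		type iotop_t;
	')

	# Without this, sysadm_r cannot legally contain an iotop_t process,
	# and the transition fails even if the domtrans rule exists.
	role $1 types iotop_t;

	# Give the user domain the exec -> transition -> entrypoint triple.
	iotop_domtrans($2)

	# The caller may inspect (ps) and signal the iotop it launched.
	ps_process_pattern($2, iotop_t)
	allow $2 iotop_t:process { ptrace signal_perms };
')

# iotop.te
policy_module(iotop, 1.0.0)

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

# This is the rule the quoted AVC is asking for: iotop reads per-process
# I/O counters over a taskstats (NETLINK_GENERIC) socket, which this policy
# version reports as tclass netlink_socket.
allow iotop_t self:netlink_socket create_socket_perms;

# Assumed, not taken from the post: iotop also walks /proc/<pid> for every
# task and writes its curses display to the caller's terminal. Re-check
# audit.log after loading and trim or extend these as the denials show.
kernel_read_system_state(iotop_t)
domain_read_all_domains_state(iotop_t)
userdom_use_user_terminals(iotop_t)

# Wire the role in. In the reference policy tree this call belongs in
# roles/sysadm.te; in a standalone local module it can live here, with
# the require block so the module links against the installed base.
optional_policy(`
	gen_require(`
		role sysadm_r;
		type sysadm_t;
	')

	iotop_role(sysadm_r, sysadm_t)
')
```

After `make -f /usr/share/selinux/devel/Makefile iotop.pp`, `semodule -i iotop.pp` and `restorecon -v /usr/sbin/iotop`, the checks worth running are: `ls -Z /usr/sbin/iotop` should show iotop_exec_t; `sesearch -T -s sysadm_t -t iotop_exec_t` should list a type_transition to iotop_t; the same query with `-s staff_t` should return nothing, and `seinfo -r staff_r -x` should not list iotop_t, which is the "sysadm_t but not staff_t" property the post asks about. One caveat on the netlink rule: on kernels and policies that enable the extended_socket_class capability, the taskstats socket is reported as netlink_generic_socket rather than netlink_socket, so the class in the allow rule must match whichever one audit.log shows.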