On Wed, 2013-10-09 at 08:04 +1030, William Brown wrote:
I made a 30 minute demonstration about creating policy for iotop (on rhel6) : https://www.youtube.com/watch?v=WcF9QkqLcKs
Fantastic. Thanks for your combined emails. It has revealed a lot to me. I'll watch your video, and will create a similar policy for iotop on Fedora. If you don't mind, I'll post it here for review once I'm done.
Sure, you can post it, but if the policy looks like the one I created in my video then it's ok.
Well hopefully it does. I'm not aiming to copy your policy directly, as I want to learn the steps so I can write these for myself.
I have already run into one issue. I have created an iotop module and iotop_sysadm module, but once loaded I see a number of errors in ausearch like:
libsepol.sepol_context_to_sid: could not convert staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 to sid
libsepol.context_from_record: invalid security context: "staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
My research shows this is when you forget the "s0" on a file context, but this isn't the case here.
I've attached my policy that I have partially written at this point, and any advice would be appreciated on this.
It might be related to the roleattribute stuff. Did you try it like I did in my example, by commenting the roleattribute/attribute_role stuff out and using the old way of associating the sysadm_r role to iotop_t?
Is sysadm_r associated to staff_u? Is the full MCS range associated to staff_u and to your Linux uid/gid?
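As an added illustration (not the policy attached to the original mail), this refpolicy-style module fragment shows the two ways of authorizing sysadm_r for iotop_t that the reply contrasts; the names iotop_exec_t and iotop_roles are assumed.

```selinux
policy_module(iotop, 1.0.0)

# Constructed example; only iotop_t comes from the thread.
gen_require(`
	type sysadm_t;
	role sysadm_r;
')

type iotop_t;
type iotop_exec_t;
application_domain(iotop_t, iotop_exec_t)

# Old way: authorize the role for the domain directly. If neither this
# statement nor an equivalent roleattribute association is in the loaded
# policy, staff_u:sysadm_r:iotop_t:s0-s0:c0.c1023 is not a valid context
# and libsepol refuses to convert it to a SID, as in the quoted errors.
role sysadm_r types iotop_t;

# roleattribute way: equivalent, provided the attribute_role /
# roleattribute pair actually ends up in the loaded policy.
# attribute_role iotop_roles;
# roleattribute sysadm_r iotop_roles;
# role iotop_roles types iotop_t;

# Let sysadm_t enter iotop_t when executing the iotop binary.
domtrans_pattern(sysadm_t, iotop_exec_t, iotop_t)
```

The remaining two conditions the reply asks about can be read off the loaded policy with `seinfo -r sysadm_r -x` and `seinfo -u staff_u -x` (roles and MLS/MCS range of staff_u), and the Linux login mapping with `semanage login -l`.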