iotop not working on RHEL 7.5 when SELinux is enforcing
iotop is not working on my RHEL 7.5 system when SELinux is enforcing and I don't get any SELinux notices when using ausearch. There is no relevant information in /var/log/messages or journalctl either. Does anyone know what else I can do to figure out how to identify exactly what SELinux is not allowing?
I run iotop and it errors out. I turn off SELinux and run it again and it works. I turn SELinux back on and it stops working again.
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ sudo -r sysadm_r -i
[sudo] password for username:
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
# getenforce
Enforcing
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
# uname -a
Linux hostname 3.10.0-862.6.3.el7.x86_64 #1 SMP Fri Jun 15 17:57:37 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
# yum list iotop
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Installed Packages
iotop.noarch 0.6-2.el7 @rhel-7-server-rpms
# rpm -qa | grep iotop
iotop-0.6-2.el7.noarch
# rpm -Va iotop-0.6-2.el7.noarch
#
# iotop
Traceback (most recent call last):
File "/sbin/iotop", line 10, in <module>
from iotop.ui import main
File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
from iotop.genetlink import Controller, GeNlMessage
File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
connection = Connection(NETLINK_GENERIC)
File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
socket.SOCK_RAW, nltype)
File "/usr/lib64/python2.7/socket.py", line 187, in __init__
_sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# iotop --help
Traceback (most recent call last):
File "/sbin/iotop", line 10, in <module>
from iotop.ui import main
File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
from iotop.genetlink import Controller, GeNlMessage
File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
connection = Connection(NETLINK_GENERIC)
File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
socket.SOCK_RAW, nltype)
File "/usr/lib64/python2.7/socket.py", line 187, in __init__
_sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# ausearch -m avc,user_avc --start recent
<no matches>
# setenforce 0
# iotop --help
Usage: /sbin/iotop [OPTIONS]
DISK READ and DISK WRITE are the block I/O bandwidth used during the sampling
period. SWAPIN and IO are the percentages of time the thread spent respectively
while swapping in and waiting on I/O more generally. PRIO is the I/O priority at
which the thread is running (set using the ionice command).
Controls: left and right arrows to change the sorting column, r to invert the
sorting order, o to toggle the --only option, p to toggle the --processes
option, a to toggle the --accumulated option, i to change I/O priority, q to
quit, any other key to force a refresh.
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o, --only only show processes or threads actually doing I/O
-b, --batch non-interactive mode
-n NUM, --iter=NUM number of iterations before ending [infinite]
-d SEC, --delay=SEC delay between iterations [1 second]
-p PID, --pid=PID processes/threads to monitor [all]
-u USER, --user=USER users to monitor [all]
-P, --processes only show processes, not all threads
-a, --accumulated show accumulated I/O instead of bandwidth
-k, --kilobytes use kilobytes instead of a human friendly unit
-t, --time add a timestamp on each line (implies --batch)
-q, --quiet suppress some lines of header (implies --batch)
# setenforce 1
# iotop --help
Traceback (most recent call last):
File "/sbin/iotop", line 10, in <module>
from iotop.ui import main
File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
from iotop.genetlink import Controller, GeNlMessage
File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
connection = Connection(NETLINK_GENERIC)
File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
socket.SOCK_RAW, nltype)
File "/usr/lib64/python2.7/socket.py", line 187, in __init__
_sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# ausearch -m avc,user_avc --start recent | grep iotop
# ausearch -c 'iotop' --start recent
<no matches>
#
EDIT 1:
It looks like the call to socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) works, but the call to socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) fails with permission denied.
So looking at the change log for selinux-policy 3.14.1, there is a note that says:
- allow sysadm_t to create netlink generic sockets bz(1547874)
But the selinux-policy package that comes with RHEL 7.5 is 3.13.1, which doesn't have any references to NETLINK GENERIC sockets. Could this be the reason why it's failing? And if so, how do I create an SELinux exception to allow it?
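To confirm which netlink family is being refused before touching policy, here is a small probe, added as an example (not part of the question or of iotop itself): it opens AF_NETLINK/SOCK_RAW sockets the same way iotop's netlink.Connection does and classifies the resulting errno. The protocol numbers are the standard values from linux/netlink.h, and the dontaudit hint is general SELinux administration practice, not something the question states.

```python
import errno
import socket

# Netlink protocol numbers from <linux/netlink.h>; the two compared in EDIT 1.
NETLINK_FAMILIES = {
    "NETLINK_ROUTE": 0,      # reported as working under sysadm_t
    "NETLINK_GENERIC": 16,   # needed by iotop for taskstats; reported as EACCES
}


def probe_netlink(proto):
    """Open AF_NETLINK/SOCK_RAW for one protocol, as iotop does.
    Return 0 on success, otherwise the errno of the failure."""
    if not hasattr(socket, "AF_NETLINK"):
        return errno.EAFNOSUPPORT          # not a Linux host
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, proto)
    except (OSError, socket.error) as exc:  # socket.error for Python 2.7
        return exc.errno
    sock.close()
    return 0


def classify(code):
    """Map an errno to the layer that most plausibly produced it."""
    if code == 0:
        return "allowed"
    if code == errno.EACCES:
        # SELinux reports a refused socket create as EACCES (Errno 13).
        # If no AVC appears, the denial is probably covered by a dontaudit
        # rule; 'semodule -DB' rebuilds policy without dontaudit rules so
        # the AVC becomes visible, and 'semodule -B' restores them.
        return "denied by MAC (check SELinux; try 'semodule -DB')"
    if code == errno.EPERM:
        return "denied by DAC/capability (not SELinux)"
    if code in (errno.EPROTONOSUPPORT, errno.EAFNOSUPPORT):
        return "family not supported by this kernel"
    return "other error: %s" % errno.errorcode.get(code, code)


def probe_all(families=NETLINK_FAMILIES):
    """Return {family_name: errno} for every family in the table."""
    return dict((name, probe_netlink(proto)) for name, proto in families.items())


if __name__ == "__main__":
    for name, code in sorted(probe_all().items()):
        print("%-16s %s" % (name, classify(code)))
```

Run it once with SELinux enforcing and once permissive; a family that flips from EACCES to 0 is the one the policy is blocking, and the AVC that appears after `semodule -DB` names the exact class and permission to grant.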