iotop not working on RHEL 7.5 when SELinux is enforcing


iotop is not working on my RHEL 7.5 system when SELinux is enforcing and I don't get any SELinux notices when using ausearch. There is no relevant information in /var/log/messages or journalctl either. Does anyone know what else I can do to figure out how to identify exactly what SELinux is not allowing?

I run iotop and it errors out. I turn off SELinux and run it again and it works. I turn SELinux back on and it stops working again.


```
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ sudo -r sysadm_r -i
[sudo] password for username:
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
# getenforce
Enforcing
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
# uname -a
Linux hostname 3.10.0-862.6.3.el7.x86_64 #1 SMP Fri Jun 15 17:57:37 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
# yum list iotop
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Installed Packages
iotop.noarch                    0.6-2.el7                    @rhel-7-server-rpms
# rpm -qa | grep iotop
iotop-0.6-2.el7.noarch
# rpm -Va iotop-0.6-2.el7.noarch
#
# iotop
Traceback (most recent call last):
  File "/sbin/iotop", line 10, in <module>
    from iotop.ui import main
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
    from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
  File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
    from iotop.genetlink import Controller, GeNlMessage
  File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
    connection = Connection(NETLINK_GENERIC)
  File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
    socket.SOCK_RAW, nltype)
  File "/usr/lib64/python2.7/socket.py", line 187, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# iotop --help
Traceback (most recent call last):
  File "/sbin/iotop", line 10, in <module>
    from iotop.ui import main
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
    from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
  File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
    from iotop.genetlink import Controller, GeNlMessage
  File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
    connection = Connection(NETLINK_GENERIC)
  File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
    socket.SOCK_RAW, nltype)
  File "/usr/lib64/python2.7/socket.py", line 187, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# ausearch -m avc,user_avc --start recent
<no matches>
# setenforce 0
# iotop --help
Usage: /sbin/iotop [OPTIONS]

DISK READ and DISK WRITE are the block I/O bandwidth used during the sampling
period. SWAPIN and IO are the percentages of time the thread spent respectively
while swapping in and waiting on I/O more generally. PRIO is the I/O priority at
which the thread is running (set using the ionice command).

Controls: left and right arrows to change the sorting column, r to invert the
sorting order, o to toggle the --only option, p to toggle the --processes
option, a to toggle the --accumulated option, i to change I/O priority, q to
quit, any other key to force a refresh.

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o, --only            only show processes or threads actually doing I/O
  -b, --batch           non-interactive mode
  -n NUM, --iter=NUM    number of iterations before ending [infinite]
  -d SEC, --delay=SEC   delay between iterations [1 second]
  -p PID, --pid=PID     processes/threads to monitor [all]
  -u USER, --user=USER  users to monitor [all]
  -P, --processes       only show processes, not all threads
  -a, --accumulated     show accumulated I/O instead of bandwidth
  -k, --kilobytes       use kilobytes instead of a human friendly unit
  -t, --time            add a timestamp on each line (implies --batch)
  -q, --quiet           suppress some lines of header (implies --batch)
# setenforce 1
# iotop --help
Traceback (most recent call last):
  File "/sbin/iotop", line 10, in <module>
    from iotop.ui import main
  File "/usr/lib/python2.7/site-packages/iotop/ui.py", line 33, in <module>
    from iotop.data import find_uids, TaskStatsNetlink, ProcessList, Stats
  File "/usr/lib/python2.7/site-packages/iotop/data.py", line 59, in <module>
    from iotop.genetlink import Controller, GeNlMessage
  File "/usr/lib/python2.7/site-packages/iotop/genetlink.py", line 72, in <module>
    connection = Connection(NETLINK_GENERIC)
  File "/usr/lib/python2.7/site-packages/iotop/netlink.py", line 206, in __init__
    socket.SOCK_RAW, nltype)
  File "/usr/lib64/python2.7/socket.py", line 187, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: [Errno 13] Permission denied
# ausearch -m avc,user_avc --start recent | grep iotop
# ausearch -c 'iotop' --start recent
<no matches>
#
```

EDIT 1:

It looks like the call to socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) works, but the call to socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) fails with permission denied.

So looking at the change log for selinux-policy 3.14.1, there is a note that says:

- allow sysadm_t to create netlink generic sockets bz(1547874)

But the selinux-policy package that comes with RHEL 7.5 is 3.13.1 which doesn't have any references to NETLINK GENERIC sockets. Could this be the reason why it's failing? And if so, how do I create a SELinux exception to allow it?
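The usual reason a denial produces EACCES but no AVC record is a dontaudit rule in the loaded policy: `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial shows up in `ausearch -m avc -c iotop`, and `semodule -B` restores them afterwards. The Python below is an added example, not from the poster or from Red Hat: it parses a constructed AVC record of the kind that would appear for iotop's NETLINK_GENERIC socket (the `sysadm_t` type and `netlink_generic_socket` class are assumptions) and turns it into the minimal audit2allow-style `.te` module that `semodule -i` could load after `checkmodule`/`semodule_package`.

```python
import re

# Constructed sample: the denial that would become visible once dontaudit
# rules are disabled (semodule -DB). Contexts and class are assumptions.
SAMPLE_AVC = (
    'type=AVC msg=audit(1531234567.123:456): avc:  denied  { create } for  '
    'pid=12345 comm="iotop" '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tclass=netlink_generic_socket permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # user:role:type:range -> the type is the third field
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def build_module(name, lines):
    """Aggregate AVC records into a minimal .te module (audit2allow -M style)."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if stype == ttype else ttype  # socket creation targets the process itself
        out.append('allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'
```

Keep the generated module as narrow as the denial it answers (one type, one class, the listed permissions) rather than loosening the domain more broadly.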
