Bug 1415506

Summary: SElinux prevents amanda dumps
Product: Fedora
Reporter: Peter Bieringer <pb>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 25
CC: dominick.grift, dwalsh, fedora, goodyca48, jridky, j, lvrabec, mgrepl, mmalik, phracek, plautrba, pmoore, rvokal, ssekidde
Target Milestone: ---
Target Release: ---
Keywords: SELinux
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-225.11.fc25
Doc Type: If docs needed, set a value
Last Closed: 2017-02-28 08:50:05 UTC
Type: Bug
Attachments:
ausearch result (flags: none)

Description Peter Bieringer 2017-01-22 20:23:35 UTC
Description of problem:
amanda dump breaks after local running of tar

Version-Release number of selected component (if applicable):
amanda-3.4.1-1.fc25.x86_64 (server and client)

How reproducible:
always


Steps to Reproduce:
1. run amdump

Disklist:
host   /boot              comp-root-tar-server
host   /etc               comp-root-tar-server
host   /home              comp-user-tar-server
host   /opt               comp-user-tar-server
host   /root              comp-root-tar-server
host   /usr               comp-root-tar-server
host   /var               comp-root-tar-server


Actual results:

Jan 22 21:17:09 **** python3[8092]: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that amandad should be allowed getattr access on the 1001 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp


Expected results:

working


Additional info:

type=AVC msg=audit(1485116215.529:702): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Found more directories:

python3: SELinux is preventing amandad from getattr access on the filesystem /dev/shm.
python3: SELinux is preventing amandad from getattr access on the filesystem /run.
python3: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.
python3: SELinux is preventing amandad from getattr access on the filesystem /sys/fs/cgroup.
python3: SELinux is preventing amandad from getattr access on the filesystem /tmp.

Comment 2 Milos Malik 2017-01-23 07:38:22 UTC
More rules may be needed, but this is a good start:

# cat bz1415506.cil 
( allow amanda_t tmpfs_t ( filesystem ( getattr )))

# semodule -i bz1415506.cil 
#

Comment 3 Milos Malik 2017-01-23 07:47:02 UTC
To see all SELinux denials that are generated by your scenario, it would be better to switch the amanda_t domain to permissive and re-run your scenario:

# dnf -y -q install /usr/sbin/semanage
# semanage permissive -a amanda_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

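The rule in comment 2 is exactly what falls out of the AVC record in the description once the source type, target type, class and permission are pulled out of it, and comment 3's permissive run is about collecting all such records at once instead of one denial per attempt. The script below is an added illustration of that translation (it is not code from the bug report, amanda or selinux-policy); it is the step audit2allow performs, written out so each rule can be read before `semodule -i`. The sample records are constructed: the first is the denial from the report, the second the same denial against /dev/shm, and the third uses a made-up target type `example_t` purely to show a record carrying more than one permission.

```shell
#!/bin/sh
# Added example (not part of the bug report, amanda or selinux-policy):
# turn raw AVC denial records, as written to /var/log/audit/audit.log or
# printed by `ausearch -m avc --raw`, into CIL allow rules in the form
# used in comment 2, one rule per (source type, target type, class,
# permission), deduplicated.

# Constructed sample input. Record 1 is the denial from the report,
# record 2 the same denial against /dev/shm (also tmpfs_t, so it must
# collapse into the same rule). Record 3 is hypothetical: the target type
# example_t does not exist in the Fedora policy; it is only here to show
# a denial that names several permissions in one record.
SAMPLE_AVC='type=AVC msg=audit(1485116215.529:702): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116215.530:703): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116215.531:704): avc:  denied  { read open } for  pid=11788 comm="amandad" name="example" dev="tmpfs" ino=2 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=0'

# avc_to_cil: AVC records on stdin -> CIL allow rules on stdout.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        # permission set between the braces, e.g. "getattr" or "read open"
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        # full contexts; the type is always the third colon-separated
        # field, also when an MLS range such as s0-s0:c0.c1023 follows it
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s)
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t)
        c = $0; sub(/.*tclass=/, "", c);   sub(/ .*/, "", c)
        split(s, sa, ":"); split(t, ta, ":")
        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) {
            rule = "( allow " sa[3] " " ta[3] " ( " c " ( " pa[i] " )))"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# write_cil_module: collect the rules for one source domain into a .cil
# file and print how many were written. $1 = module path, $2 = domain to
# keep; rules for other domains are dropped so that unrelated denials
# recorded while amanda_t was permissive do not end up in the module.
write_cil_module() {
    avc_to_cil | grep "^( allow $2 " > "$1"
    grep -c '^( allow' "$1"
}

# Stand-alone run: print the rules derived from the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
```

On a real host the input would come from `ausearch -m avc --raw -ts recent` after the permissive run in comment 3, and the resulting file is installed with `semodule -i`, the same way the one-line module in comment 2 is. Two caveats a practitioner would apply: rules generated this way (or by audit2allow) are exactly as broad as the denials, so read the target types before installing, and once the fixed selinux-policy is in place check with `sesearch -A -s amanda_t -t tmpfs_t -c filesystem -p getattr` whether the distribution policy already carries the rule and the local module can be removed. Remember to take the domain out of permissive mode again with `semanage permissive -d amanda_t`.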
Comment 4 Peter Bieringer 2017-01-23 19:21:39 UTC
Created attachment 1243752 [details]
ausearch result

attached ausearch result as requested

ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i  |grep amanda |grep "23.01" | cut -c 51- | sort | uniq >/tmp/amanda-selinux.txt

Comment 5 Milos Malik 2017-01-24 16:42:39 UTC
Could you help us, Lukas?

Comment 6 Jason Tibbitts 2017-01-24 16:52:49 UTC
And if someone is looking into the amanda policy, https://bugzilla.redhat.com/show_bug.cgi?id=1414140 is another open ticket.

Also, this ticket should be open against the selinux-policy component, not amanda, since there's nothing that can be changed in amanda to fix this.  But I'll let Josef reassign it if he wants to do that.

Comment 7 Josef Ridky 2017-01-24 19:39:13 UTC
Reassign to selinux-policy. 
Feel free to change it in case it should be solved by someone else.

Comment 8 Fedora Update System 2017-02-27 11:29:48 UTC
selinux-policy-3.13.1-225.11.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b

Comment 9 Fedora Update System 2017-02-27 23:52:11 UTC
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b

Comment 10 Fedora Update System 2017-02-28 08:50:05 UTC
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.