Bug 149030
| Summary: | amanda fails to run | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | cch1 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-05-05 15:01:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From the backup run:
audit(1108699203.506:0): avc: denied { search } for pid=7283
exe=/usr/lib/amanda/amandad name=nscd dev=dm-4 ino=229381
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
audit(1108699203.507:0): avc: denied { search } for pid=7283
exe=/usr/lib/amanda/amandad name=log dev=dm-4 ino=163841
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.508:0): avc: denied { read } for pid=7283
exe=/usr/lib/amanda/amandadname=amanda dev=dm-4 ino=163855
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.508:0): avc: denied { read } for pid=7283
exe=/usr/lib/amanda/amandadname=localtime dev=dm-1 ino=63536
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:locale_t tclass=file
audit(1108699203.508:0): avc: denied { getattr } for pid=7283
exe=/usr/lib/amanda/amandad path=/etc/localtime dev=dm-1 ino=63536
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:locale_t tclass=file
audit(1108699203.509:0): avc: denied { write } for pid=7283
exe=/usr/lib/amanda/amandad name=amanda dev=dm-4 ino=163855
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.509:0): avc: denied { add_name } for pid=7283
exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.509:0): avc: denied { create } for pid=7283
exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug
scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.514:0): avc: denied { setattr } for pid=7283
exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug dev=dm-4
ino=163940 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t
tclass=file
audit(1108699203.515:0): avc: denied { getattr } for pid=7283
exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.20050217210003.debug
dev=dm-4 ino=163940 scontext=user_u:system_r:amanda_t
tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.515:0): avc: denied { append } for pid=7283
exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.20050217210003.debug
dev=dm-4 ino=163940 scontext=user_u:system_r:amanda_t
tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.539:0): avc: denied { remove_name } for pid=7283
exe=/usr/lib/amanda/amandad name=amandad.noop.7283 dev=dm-4 ino=163941
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.539:0): avc: denied { unlink } for pid=7283
exe=/usr/lib/amanda/amandad name=amandad.noop.7283 dev=dm-4 ino=163941
scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.540:0): avc: denied { write } for pid=7283
exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.noop.7283 (deleted)
dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t
tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.541:0): avc: denied { read } for pid=7283
exe=/usr/lib/amanda/amandadpath=/var/log/amanda/amandad.noop.7283 (deleted)
dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t
tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.582:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/export/web dev=dm-0 ino=2
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:httpd_sys_content_t
tclass=dir
audit(1108699203.582:0): avc: denied { read } for pid=7285
exe=/usr/lib/amanda/sendsize name=mounts dev=proc ino=-268435447
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1108699203.582:0): avc: denied { search } for pid=7285
exe=/usr/lib/amanda/sendsize name=7285 dev=proc ino=477429762
scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=dir
audit(1108699203.582:0): avc: denied { read } for pid=7285
exe=/usr/lib/amanda/sendsize name=mounts dev=proc ino=477429776
scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=file
audit(1108699203.582:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/proc/7285/mounts dev=proc ino=477429776
scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=file
audit(1108699203.583:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/dev dev=tmpfs ino=452
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=dir
audit(1108699203.583:0): avc: denied { read } for pid=7285
exe=/usr/lib/amanda/sendsize name=root dev=tmpfs ino=1337
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=lnk_file
audit(1108699203.583:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/selinux dev=selinuxfs ino=158
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:security_t tclass=dir
audit(1108699203.584:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/proc/bus/usb dev=usbfs ino=1598
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:usbfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/sys dev=sysfs ino=1
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/dev/shm dev=tmpfs ino=3980
scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/export/ftp dev=dm-2 ino=2
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/var dev=dm-4 ino=2
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_t tclass=dir
audit(1108699203.585:0): avc: denied { search } for pid=7285
exe=/usr/lib/amanda/sendsize name=sys dev=proc ino=-268435431
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/proc/sys/fs/binfmt_misc dev=binfmt_misc
ino=4211 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
audit(1108699203.586:0): avc: denied { search } for pid=7285
exe=/usr/lib/amanda/sendsize name=nfs dev=dm-4 ino=196635
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_lib_nfs_t
tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/var/lib/nfs/rpc_pipefs dev=rpc_pipefs
ino=5671 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/opt dev=autofs ino=6117
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:autofs_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/proc/fs/nfsd dev=nfsd ino=6724
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
audit(1108699203.587:0): avc: denied { getattr } for pid=7285
exe=/usr/lib/amanda/sendsize path=/dev/mapper/rootvg-root dev=tmpfs ino=1274
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
audit(1108699203.668:0): avc: denied { search } for pid=7290
exe=/usr/lib/amanda/runtar name=bin dev=dm-1 ino=28673
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:bin_t tclass=dir
audit(1108699203.668:0): avc: denied { read } for pid=7289
exe=/usr/lib/amanda/runtar path=/bin/tar dev=dm-1 ino=28734
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:bin_t tclass=file
audit(1108699203.753:0): avc: denied { search } for pid=7289 exe=/bin/tar
name=/ dev=dm-2 ino=2 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.753:0): avc: denied { read } for pid=7289 exe=/bin/tar
name=/ dev=dm-2 ino=2 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.753:0): avc: denied { getattr } for pid=7289 exe=/bin/tar
path=/export/ftp/ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:default_t tclass=dir
audit(1108699203.754:0): avc: denied { read } for pid=7289 exe=/bin/tar
name=ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:default_t tclass=dir
audit(1108699203.754:0): avc: denied { search } for pid=7289 exe=/bin/tar
name=ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:default_t tclass=dir
audit(1108699203.755:0): avc: denied { search } for pid=7290 exe=/bin/tar
name=/ dev=dm-0 ino=2 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:httpd_sys_content_ttclass=dir
audit(1108699203.755:0): avc: denied { read } for pid=7290 exe=/bin/tar
name=/ dev=dm-0 ino=2 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.755:0): avc: denied { getattr } for pid=7290 exe=/bin/tar
path=/export/web/orderdata dev=dm-0 ino=228481 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { getattr } for pid=7290 exe=/bin/tar
path=/export/web/aquota.user dev=dm-0 ino=12 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1108699203.756:0): avc: denied { read } for pid=7290 exe=/bin/tar
name=Alisn1L dev=dm-0 ino=32641 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { search } for pid=7290 exe=/bin/tar
name=Alisn1Ldev=dm-0 ino=32641 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { getattr } for pid=7290 exe=/bin/tar
path=/export/web/Alisn1L/index.html dev=dm-0 ino=32644
scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t
tclass=lnk_file
audit(1108699203.756:0): avc: denied { getattr } for pid=7289 exe=/bin/tar
path=/export/ftp/ftp/pub/Ogle/ogle1nov.zip dev=dm-2 ino=606289
scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=file
audit(1108699203.758:0): avc: denied { getattr } for pid=7290 exe=/bin/tar
path=/export/web/cora/htdig dev=dm-0 ino=1680962
scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:httpd_sys_content_t
tclass=lnk_file
audit(1108699203.760:0): avc: denied { getattr } for pid=7289 exe=/bin/tar
path=/export/ftp/ftp/pub/Ogle/Examples/Tutorial/tutorial-files/ogle dev=dm-2
ino=63 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t
tclass=lnk_file
audit(1108699203.941:0): avc: denied { read } for pid=7289 exe=/bin/tar
name=ogle dev=dm-2 ino=63 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:default_t tclass=lnk_file
audit(1108699205.531:0): avc: denied { read } for pid=7290 exe=/bin/tar
name=index.html dev=dm-0 ino=32644 scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file
audit(1108699205.549:0): avc: denied { read } for pid=7290 exe=/bin/tar
name=htdig dev=dm-0 ino=1680962 scontext=user_u:system_r:amanda_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=lnk_file
Should be fixed by selinux-policy-*-1_21_15-6 Still get some errors. Most don't appear to affect amanda
functionality (or at least not what I'm doing). The following do
however prevent backups of symbolic links:
type=KERNEL msg=audit(1110255360.980:1407305): avc: denied { getattr
} for pid=14718 exe=/bin/tar
path=/export/web/pstoolkit/Status/index.html dev=dm-0 ino=1893586
scontext=user_u:system_r:amanda_t
tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file
type=KERNEL msg=audit(1110255338.230:1309113): avc: denied { getattr
} for pid=14708 exe=/bin/tar
path=/export/ftp/pub/pstoolkit/README.txt dev=dm-2 ino=540866
scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t
tclass=lnk_file
I added the following to fix:
allow amanda_t default_t:lnk_file {getattr read };
allow amanda_t httpd_sys_content_t:lnk_file {getattr read };
The following (and others) show up, but don't appear to cause problems:
type=KERNEL msg=audit(1110255886.764:3058365): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058362): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058361): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058350): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup path=/proc/bus/usb
dev=usbfs ino=1597 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:usbfs_t tclass=dir
type=KERNEL msg=audit(1110255886.764:3058345): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup path=/sys dev=sysfs
ino=1 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=KERNEL msg=audit(1110255886.739:3058340): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-root dev=tmpfs ino=1283
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.739:3058337): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-root dev=tmpfs ino=1283
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.739:3058336): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup
path=/dev/mapper/rootvg-root dev=tmpfs ino=1283
scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t
tclass=blk_file
type=KERNEL msg=audit(1110255886.823:3058612): avc: denied { getattr
} for pid=14714 exe=/usr/lib/amanda/sendbackup path=/sys dev=sysfs
ino=1 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:sysfs_t tclass=dir
type=KERNEL msg=audit(1110255886.824:3058638): avc: denied { read }
for pid=14714 exe=/usr/lib/amanda/sendbackup name=mounts dev=proc
ino=-268435447 scontext=user_u:system_r:amanda_t
tcontext=system_u:object_r:proc_t tclass=lnk_file
Think we need: dontaudit amanda_t nfsd_fs_t:dir getattr; Otherwise, I'm not getting any more amanda errors. New messages preventing amrecover (really amindexd on server) from running:
Sep 16 09:58:52 alexandria kernel: audit(1126886332.295:101595): avc: denied {
read write } for pid=28931 comm="amindexd" name="[2479426]" dev=sockfs
ino=2479426 scontext=system_u:system_r:amanda_t
tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Gets started from the following xinetd entry:
service amandaidx
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = amanda
group = disk
server = /usr/lib/amanda/amindexd
}
selinux-policy-targeted-1.25.4-10.1
Sometimes seeing:
Sep 26 22:47:54 alexandria kernel: audit(1127796474.564:2928): avc: denied {
connect } for pid=23129 comm="sendbackup" scontext=system_u:system_r:amanda_t
tcontext=system_u:system_r:amanda_t tclass=unix_dgram_socket
Sep 26 22:47:54 alexandria kernel: audit(1127796474.568:2929): avc: denied {
connect } for pid=23126 comm="sendbackup" scontext=system_u:system_r:amanda_t
tcontext=system_u:system_r:amanda_t tclass=unix_dgram_socket
which appears to be screwing up some, though not all, backups. Weird...
Going to run in permissive mode to see if it is selinux or amanda...
I too have noticed problems with amanda and selinux. Specifically, amrecover fails SILENTLY (!!!) while selinux is enforcing. I am using a completley stock amanda and FC4 setup with targeted policy. Interestingly, if the amrecover client and the amindexd server are on different hosts (both FC4), selinux must be disabled on BOTH for the operation to work -although disabling it on either will at least allow error messages to be seen on the client. amanda.i386 2.4.5-2 selinux-policy-targeted.noarch 1.27.1-2.16 What avc messages are you seeing? Closing as these have been marked as modified, for a while. Feel free to reopen if not fixed |
Description of problem: Trying to setup amanda backup of an selinux system. Get the following denials when running amcheck on the server: Feb 17 17:05:11 hawk kernel: audit(1108685111.604:0): avc: denied { search } for pid=5036 exe=/usr/lib/amanda/amandad name=nscd dev=dm-4 ino=229381 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir Feb 17 17:05:11 hawk kernel: audit(1108685111.604:0): avc: denied { search } for pid=5036 exe=/usr/lib/amanda/amandad name=nscd dev=dm-4 ino=229381 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir Feb 17 17:05:11 hawk kernel: audit(1108685111.605:0): avc: denied { search } for pid=5036 exe=/usr/lib/amanda/amandad name=log dev=dm-4 ino=163841 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir Feb 17 17:05:11 hawk kernel: audit(1108685111.606:0): avc: denied { search } for pid=5036 exe=/usr/lib/amanda/amandad name=log dev=dm-4 ino=163841 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir Feb 17 17:05:11 hawk last message repeated 4 times Feb 17 17:05:11 hawk kernel: audit(1108685111.607:0): avc: denied { search } for pid=5036 exe=/usr/lib/amanda/amandad name=log dev=dm-4 ino=163841 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir Feb 17 17:05:11 hawk last message repeated 4 times Feb 17 17:05:11 hawk kernel: audit(1108685111.608:0): avc: denied { read } for pid=5036 exe=/usr/lib/amanda/amandad name=localtime dev=dm-1 ino=63536 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:locale_t tclass=file Feb 17 17:05:11 hawk last message repeated 3 times Feb 17 17:05:11 hawk kernel: audit(1108685111.608:0): avc: denied { connect } for pid=5036 exe=/usr/lib/amanda/amandad scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=unix_dgram_socket Version-Release number of selected component (if applicable): selinux-policy-targeted-1.21.14-1 I'll try to get logs from the actual backup run tonight. Also of note - the amanda package is a custom package of amanda-2.4.5b1-20041111