Bug 149030
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | amanda fails to run | | |
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | cch1 |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-05-05 15:01:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Orion Poplawski
2005-02-18 00:11:23 UTC
From the backup run:

```
audit(1108699203.506:0): avc: denied { search } for pid=7283 exe=/usr/lib/amanda/amandad name=nscd dev=dm-4 ino=229381 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
audit(1108699203.507:0): avc: denied { search } for pid=7283 exe=/usr/lib/amanda/amandad name=log dev=dm-4 ino=163841 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.508:0): avc: denied { read } for pid=7283 exe=/usr/lib/amanda/amandad name=amanda dev=dm-4 ino=163855 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.508:0): avc: denied { read } for pid=7283 exe=/usr/lib/amanda/amandad name=localtime dev=dm-1 ino=63536 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:locale_t tclass=file
audit(1108699203.508:0): avc: denied { getattr } for pid=7283 exe=/usr/lib/amanda/amandad path=/etc/localtime dev=dm-1 ino=63536 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:locale_t tclass=file
audit(1108699203.509:0): avc: denied { write } for pid=7283 exe=/usr/lib/amanda/amandad name=amanda dev=dm-4 ino=163855 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.509:0): avc: denied { add_name } for pid=7283 exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.509:0): avc: denied { create } for pid=7283 exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.514:0): avc: denied { setattr } for pid=7283 exe=/usr/lib/amanda/amandad name=amandad.20050217210003.debug dev=dm-4 ino=163940 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.515:0): avc: denied { getattr } for pid=7283 exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.20050217210003.debug dev=dm-4 ino=163940 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.515:0): avc: denied { append } for pid=7283 exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.20050217210003.debug dev=dm-4 ino=163940 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.539:0): avc: denied { remove_name } for pid=7283 exe=/usr/lib/amanda/amandad name=amandad.noop.7283 dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_log_t tclass=dir
audit(1108699203.539:0): avc: denied { unlink } for pid=7283 exe=/usr/lib/amanda/amandad name=amandad.noop.7283 dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.540:0): avc: denied { write } for pid=7283 exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.noop.7283 (deleted) dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.541:0): avc: denied { read } for pid=7283 exe=/usr/lib/amanda/amandad path=/var/log/amanda/amandad.noop.7283 (deleted) dev=dm-4 ino=163941 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:var_log_t tclass=file
audit(1108699203.582:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/export/web dev=dm-0 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.582:0): avc: denied { read } for pid=7285 exe=/usr/lib/amanda/sendsize name=mounts dev=proc ino=-268435447 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1108699203.582:0): avc: denied { search } for pid=7285 exe=/usr/lib/amanda/sendsize name=7285 dev=proc ino=477429762 scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=dir
audit(1108699203.582:0): avc: denied { read } for pid=7285 exe=/usr/lib/amanda/sendsize name=mounts dev=proc ino=477429776 scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=file
audit(1108699203.582:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/proc/7285/mounts dev=proc ino=477429776 scontext=user_u:system_r:amanda_t tcontext=user_u:system_r:amanda_t tclass=file
audit(1108699203.583:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/dev dev=tmpfs ino=452 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=dir
audit(1108699203.583:0): avc: denied { read } for pid=7285 exe=/usr/lib/amanda/sendsize name=root dev=tmpfs ino=1337 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=lnk_file
audit(1108699203.583:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/selinux dev=selinuxfs ino=158 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:security_t tclass=dir
audit(1108699203.584:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/proc/bus/usb dev=usbfs ino=1598 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:usbfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/sys dev=sysfs ino=1 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/dev/shm dev=tmpfs ino=3980 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:tmpfs_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/export/ftp dev=dm-2 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.585:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/var dev=dm-4 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_t tclass=dir
audit(1108699203.585:0): avc: denied { search } for pid=7285 exe=/usr/lib/amanda/sendsize name=sys dev=proc ino=-268435431 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=4211 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
audit(1108699203.586:0): avc: denied { search } for pid=7285 exe=/usr/lib/amanda/sendsize name=nfs dev=dm-4 ino=196635 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:var_lib_nfs_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/var/lib/nfs/rpc_pipefs dev=rpc_pipefs ino=5671 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:rpc_pipefs_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/opt dev=autofs ino=6117 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:autofs_t tclass=dir
audit(1108699203.586:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/proc/fs/nfsd dev=nfsd ino=6724 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
audit(1108699203.587:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/dev/mapper/rootvg-root dev=tmpfs ino=1274 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
audit(1108699203.668:0): avc: denied { search } for pid=7290 exe=/usr/lib/amanda/runtar name=bin dev=dm-1 ino=28673 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:bin_t tclass=dir
audit(1108699203.668:0): avc: denied { read } for pid=7289 exe=/usr/lib/amanda/runtar path=/bin/tar dev=dm-1 ino=28734 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:bin_t tclass=file
audit(1108699203.753:0): avc: denied { search } for pid=7289 exe=/bin/tar name=/ dev=dm-2 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.753:0): avc: denied { read } for pid=7289 exe=/bin/tar name=/ dev=dm-2 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:default_t tclass=dir
audit(1108699203.753:0): avc: denied { getattr } for pid=7289 exe=/bin/tar path=/export/ftp/ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=dir
audit(1108699203.754:0): avc: denied { read } for pid=7289 exe=/bin/tar name=ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=dir
audit(1108699203.754:0): avc: denied { search } for pid=7289 exe=/bin/tar name=ftp dev=dm-2 ino=524289 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=dir
audit(1108699203.755:0): avc: denied { search } for pid=7290 exe=/bin/tar name=/ dev=dm-0 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.755:0): avc: denied { read } for pid=7290 exe=/bin/tar name=/ dev=dm-0 ino=2 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.755:0): avc: denied { getattr } for pid=7290 exe=/bin/tar path=/export/web/orderdata dev=dm-0 ino=228481 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { getattr } for pid=7290 exe=/bin/tar path=/export/web/aquota.user dev=dm-0 ino=12 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1108699203.756:0): avc: denied { read } for pid=7290 exe=/bin/tar name=Alisn1L dev=dm-0 ino=32641 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { search } for pid=7290 exe=/bin/tar name=Alisn1L dev=dm-0 ino=32641 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1108699203.756:0): avc: denied { getattr } for pid=7290 exe=/bin/tar path=/export/web/Alisn1L/index.html dev=dm-0 ino=32644 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file
audit(1108699203.756:0): avc: denied { getattr } for pid=7289 exe=/bin/tar path=/export/ftp/ftp/pub/Ogle/ogle1nov.zip dev=dm-2 ino=606289 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=file
audit(1108699203.758:0): avc: denied { getattr } for pid=7290 exe=/bin/tar path=/export/web/cora/htdig dev=dm-0 ino=1680962 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:httpd_sys_content_t tclass=lnk_file
audit(1108699203.760:0): avc: denied { getattr } for pid=7289 exe=/bin/tar path=/export/ftp/ftp/pub/Ogle/Examples/Tutorial/tutorial-files/ogle dev=dm-2 ino=63 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=lnk_file
audit(1108699203.941:0): avc: denied { read } for pid=7289 exe=/bin/tar name=ogle dev=dm-2 ino=63 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=lnk_file
audit(1108699205.531:0): avc: denied { read } for pid=7290 exe=/bin/tar name=index.html dev=dm-0 ino=32644 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file
audit(1108699205.549:0): avc: denied { read } for pid=7290 exe=/bin/tar name=htdig dev=dm-0 ino=1680962 scontext=user_u:system_r:amanda_t tcontext=user_u:object_r:httpd_sys_content_t tclass=lnk_file
```

Should be fixed by selinux-policy-*-1_21_15-6

Still get some errors. Most don't appear to affect amanda functionality (or at least not what I'm doing).
The following do however prevent backups of symbolic links:

```
type=KERNEL msg=audit(1110255360.980:1407305): avc: denied { getattr } for pid=14718 exe=/bin/tar path=/export/web/pstoolkit/Status/index.html dev=dm-0 ino=1893586 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file
type=KERNEL msg=audit(1110255338.230:1309113): avc: denied { getattr } for pid=14708 exe=/bin/tar path=/export/ftp/pub/pstoolkit/README.txt dev=dm-2 ino=540866 scontext=user_u:system_r:amanda_t tcontext=root:object_r:default_t tclass=lnk_file
```

I added the following to fix:

```
allow amanda_t default_t:lnk_file { getattr read };
allow amanda_t httpd_sys_content_t:lnk_file { getattr read };
```

The following (and others) show up, but don't appear to cause problems:

```
type=KERNEL msg=audit(1110255886.764:3058365): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058362): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058361): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-ftp dev=tmpfs ino=1298 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.764:3058350): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/proc/bus/usb dev=usbfs ino=1597 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:usbfs_t tclass=dir
type=KERNEL msg=audit(1110255886.764:3058345): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/sys dev=sysfs ino=1 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=KERNEL msg=audit(1110255886.739:3058340): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-root dev=tmpfs ino=1283 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.739:3058337): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-root dev=tmpfs ino=1283 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.739:3058336): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/dev/mapper/rootvg-root dev=tmpfs ino=1283 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:device_t tclass=blk_file
type=KERNEL msg=audit(1110255886.823:3058612): avc: denied { getattr } for pid=14714 exe=/usr/lib/amanda/sendbackup path=/sys dev=sysfs ino=1 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=KERNEL msg=audit(1110255886.824:3058638): avc: denied { read } for pid=14714 exe=/usr/lib/amanda/sendbackup name=mounts dev=proc ino=-268435447 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:proc_t tclass=lnk_file
```

Think we need:

```
dontaudit amanda_t nfsd_fs_t:dir getattr;
```

Otherwise, I'm not getting any more amanda errors.
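The comment above turns raw AVC denials into `allow` rules by hand and silences one noisy denial with `dontaudit`. The script below is an added example (not code from the bug, from Fedora, or from the Amanda project) that automates the bookkeeping part of that job: it parses the denial records in all three framings that appear in this bug (`audit(...)`, `type=KERNEL msg=audit(...)`, and syslog-prefixed `kernel: audit(...)`), groups them by source type, target type and object class, unions the permissions, and renders candidate rules in the syntax the comment uses. The sample lines are copied from denials quoted in this bug; the `dontaudit` set is the policy author's own decision, passed in explicitly, and is assumed here to contain only the `nfsd_fs_t` `getattr` case the comment chose to silence.

```python
import re
from collections import defaultdict

# Keys on "avc: denied", so it works for every framing seen in this bug:
# bare "audit(...)", "type=KERNEL msg=audit(...)" and syslog "kernel: audit(...)".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value fields; values are bare tokens or quoted (comm="amindexd", name="[2479426]").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: lines copied from the denials quoted in this bug, plus one
# unrelated kernel line (made up) to show that non-AVC input is skipped.
SAMPLE = [
    'type=KERNEL msg=audit(1110255360.980:1407305): avc: denied { getattr } for pid=14718 exe=/bin/tar path=/export/web/pstoolkit/Status/index.html dev=dm-0 ino=1893586 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file',
    'audit(1108699205.531:0): avc: denied { read } for pid=7290 exe=/bin/tar name=index.html dev=dm-0 ino=32644 scontext=user_u:system_r:amanda_t tcontext=root:object_r:httpd_sys_content_t tclass=lnk_file',
    'audit(1108699203.586:0): avc: denied { getattr } for pid=7285 exe=/usr/lib/amanda/sendsize path=/proc/fs/nfsd dev=nfsd ino=6724 scontext=user_u:system_r:amanda_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir',
    'Sep 16 09:58:52 alexandria kernel: audit(1126886332.295:101595): avc: denied { read write } for pid=28931 comm="amindexd" name="[2479426]" dev=sockfs ino=2479426 scontext=system_u:system_r:amanda_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket',
    'Sep 26 22:47:54 alexandria kernel: audit(1127796474.564:2928): avc: denied { connect } for pid=23129 comm="sendbackup" scontext=system_u:system_r:amanda_t tcontext=system_u:system_r:amanda_t tclass=unix_dgram_socket',
    'Sep 26 22:47:54 alexandria kernel: eth0: link up',
]


def parse_avc(line):
    """Return the denial's fields (with perms as a set), or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    return fields


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def aggregate(lines):
    """Group denials by (source type, target type, object class), unioning the permissions."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or not all(k in d for k in ("scontext", "tcontext", "tclass")):
            continue
        groups[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])] |= d["perms"]
    return dict(groups)


def to_rules(groups, dontaudit=frozenset()):
    """Render the groups as rules in the syntax used in this bug's comments.

    `dontaudit` holds the (source, target, class) keys the policy author has judged
    to be harmless noise that should be silenced rather than granted."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        verb = "dontaudit" if (src, tgt, cls) in dontaudit else "allow"
        rules.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    # Hypothetical choice, mirroring the comment: silence the nfsd_fs_t getattr, grant the rest.
    for rule in to_rules(aggregate(SAMPLE), dontaudit={("amanda_t", "nfsd_fs_t", "dir")}):
        print(rule)
```

This is the same aggregation that `audit2allow` performs, which is exactly why its output needs a reader: a grouped rule is a proposal, not a diagnosis. Two of the groups in the sample are worth a second look before they become `allow` rules. The `tcp_socket` denial against `inetd_t` is a socket that `amindexd` inherited from xinetd, and the fix for that belongs in how the daemon is labelled and transitioned, not in a blanket socket grant. The `unix_dgram_socket` denial is `amanda_t` talking to itself, which usually points at a missing self-permission in the domain rather than at the files being backed up.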
New messages preventing amrecover (really amindexd on server) from running:

```
Sep 16 09:58:52 alexandria kernel: audit(1126886332.295:101595): avc: denied { read write } for pid=28931 comm="amindexd" name="[2479426]" dev=sockfs ino=2479426 scontext=system_u:system_r:amanda_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
```

Gets started from the following xinetd entry:

```
service amandaidx
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = amanda
    group       = disk
    server      = /usr/lib/amanda/amindexd
}
```

selinux-policy-targeted-1.25.4-10.1

Sometimes seeing:

```
Sep 26 22:47:54 alexandria kernel: audit(1127796474.564:2928): avc: denied { connect } for pid=23129 comm="sendbackup" scontext=system_u:system_r:amanda_t tcontext=system_u:system_r:amanda_t tclass=unix_dgram_socket
Sep 26 22:47:54 alexandria kernel: audit(1127796474.568:2929): avc: denied { connect } for pid=23126 comm="sendbackup" scontext=system_u:system_r:amanda_t tcontext=system_u:system_r:amanda_t tclass=unix_dgram_socket
```

which appears to be screwing up some, though not all, backups. Weird... Going to run in permissive mode to see if it is selinux or amanda...

I too have noticed problems with amanda and selinux. Specifically, amrecover fails SILENTLY (!!!) while selinux is enforcing. I am using a completely stock amanda and FC4 setup with targeted policy. Interestingly, if the amrecover client and the amindexd server are on different hosts (both FC4), selinux must be disabled on BOTH for the operation to work, although disabling it on either will at least allow error messages to be seen on the client.

```
amanda.i386 2.4.5-2
selinux-policy-targeted.noarch 1.27.1-2.16
```

What avc messages are you seeing?

Closing as these have been marked as modified, for a while. Feel free to reopen if not fixed.