Bug 165830

| Field | Value |
|---|---|
| Summary | targeted policy stops amanda from backing up / with tar |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 4 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Alexandre Oliva <oliva> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | stephen.walton |
| Fixed In Version | 1.27.1-2.1 |
| Doc Type | Bug Fix |
| Last Closed | 2005-10-28 14:21:13 UTC |

Description
Alexandre Oliva
2005-08-12 16:54:51 UTC
Could you attach the avc messages from /var/log/audit/audit.log or /var/log/messages?

This is only an example from a session that displayed all of the above errors. I wonder why none of the others made it to the logs.

```
type=AVC msg=audit(1123291981.134:1169): avc: denied { getattr } for pid=32126 comm="tar" name=".gdmfifo" dev=dm-0 ino=2511528 scontext=system_u:system_r:amanda_t tcontext=system_u:object_r:xserver_log_t tclass=fifo_file
type=SYSCALL msg=audit(1123291981.134:1169): arch=40000003 syscall=196 success=no exit=-13 a0=8d90498 a1=bfd57534 a2=235ff4 a3=8 items=1 pid=32126 auid=4294967295 uid=0 gid=6 euid=0 suid=0 fsuid=0 egid=6 sgid=6 fsgid=6 comm="tar" exe="/bin/tar"
type=AVC_PATH msg=audit(1123291981.134:1169): path="/var/gdm/.gdmfifo"
type=CWD msg=audit(1123291981.134:1169): cwd="/"
type=PATH msg=audit(1123291981.134:1169): item=0 name="./var/gdm/.gdmfifo" flags=0 inode=2511528 dev=fd:00 mode=010660 ouid=0 ogid=0 rdev=00:00
```

Another run, backing up a filesystem containing home directories, displayed errors like this:

```
type=AVC msg=audit(1124070354.148:98547): avc: denied { getattr } for pid=15239 comm="tar" name="licq_fifo" dev=dm-2 ino=390184 scontext=system_u:system_r:amanda_t tcontext=system_u:object_r:user_home_t tclass=fifo_file
type=SYSCALL msg=audit(1124070354.148:98547): arch=40000003 syscall=196 success=no exit=-13 a0=8f5c258 a1=bf9ca624 a2=98fff4 a3=9 items=1 pid=15239 auid=4294967295 uid=0 gid=6 euid=0 suid=0 fsuid=0 egid=6 sgid=6 fsgid=6 comm="tar" exe="/bin/tar"
type=AVC_PATH msg=audit(1124070354.148:98547): path="/l/home/lsd/breiden/.licq/licq_fifo"
type=CWD msg=audit(1124070354.148:98547): cwd="/l/home"
type=PATH msg=audit(1124070354.148:98547): item=0 name="./lsd/breiden/.licq/licq_fifo" flags=0 inode=390184 dev=fd:02 mode=010600 ouid=60096 ogid=500 rdev=00:00
```

There was another entry for another fifo_file, also with context user_home_t. I wonder if something is blocking getattr on fifo_files that shouldn't.

Other than that, it appears that most other problems are related to mount points that don't have selinux contexts associated with them. Amanda-started tar needs to be able to at least stat them in order to tell that they're separate filesystems and not descend into them.

As a long time Amanda user who just updated my backup server from FC1 to FC4, I'm seeing the same error. The ones about failing to stat various sockets and named pipes are ones I've seen before, and still see when backing up /home for example, and they seem to be non-fatal. The fatal one is

```
./proc: Cannot savedir: Permission denied
```

which causes tar to exit with status 2.

Fixed in selinux-policy-targeted-1.25.4-10

The `savedir' problem is indeed fixed (thanks!), but the messages about being unable to stat the named pipes are a bit annoying, couldn't this be fixed as well?

Are you seeing additional AVC messages?

Dan

No, nothing else. Not even messages like the ones in Comment #2, although tar still reports they failed to stat(). Is it possible to enable logging even for failed events that have logging disabled?

Fixed in selinux-policy-*-1.27.1-2.1

Confirmed, thanks!
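
Added example, not part of the original bug thread: a small Python triage script that joins the AVC, SYSCALL and AVC_PATH records quoted above by their shared audit event ID and reduces them to the (source type, target type, class, permission) tuples a policy fix has to cover. It assumes one record per line, as in audit.log; the function names are illustrative.

```python
import re
from collections import defaultdict

# Records copied from the report above, one per line as in audit.log.
SAMPLE = """\
type=AVC msg=audit(1123291981.134:1169): avc: denied { getattr } for pid=32126 comm="tar" name=".gdmfifo" dev=dm-0 ino=2511528 scontext=system_u:system_r:amanda_t tcontext=system_u:object_r:xserver_log_t tclass=fifo_file
type=SYSCALL msg=audit(1123291981.134:1169): arch=40000003 syscall=196 success=no exit=-13 a0=8d90498 a1=bfd57534 a2=235ff4 a3=8 items=1 pid=32126 auid=4294967295 uid=0 gid=6 euid=0 suid=0 fsuid=0 egid=6 sgid=6 fsgid=6 comm="tar" exe="/bin/tar"
type=AVC_PATH msg=audit(1123291981.134:1169): path="/var/gdm/.gdmfifo"
type=AVC msg=audit(1124070354.148:98547): avc: denied { getattr } for pid=15239 comm="tar" name="licq_fifo" dev=dm-2 ino=390184 scontext=system_u:system_r:amanda_t tcontext=system_u:object_r:user_home_t tclass=fifo_file
type=SYSCALL msg=audit(1124070354.148:98547): arch=40000003 syscall=196 success=no exit=-13 a0=8f5c258 a1=bf9ca624 a2=98fff4 a3=9 items=1 pid=15239 auid=4294967295 uid=0 gid=6 euid=0 suid=0 fsuid=0 egid=6 sgid=6 fsgid=6 comm="tar" exe="/bin/tar"
type=AVC_PATH msg=audit(1124070354.148:98547): path="/l/home/lsd/breiden/.licq/licq_fifo"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge records sharing an audit (timestamp, serial) into one denial event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(stamp, serial)]
        denied = DENIED.search(body)
        if rtype == "AVC" and denied:
            ev["perms"] = denied.group(1).split()
            for key in ("comm", "scontext", "tcontext", "tclass"):
                ev[key] = fields.get(key)
        elif rtype == "SYSCALL":
            ev["exit"] = int(fields.get("exit", 0))  # -13 is EACCES
        elif rtype == "AVC_PATH":
            ev["path"] = fields.get("path")
    return [e for e in events.values() if "perms" in e]

def denial_summary(events):
    """Map (source type, target type, class) to denied perms and affected paths."""
    out = defaultdict(lambda: {"perms": set(), "paths": []})
    for e in events:
        key = (e["scontext"].split(":")[2], e["tcontext"].split(":")[2], e["tclass"])
        out[key]["perms"].update(e["perms"])
        out[key]["paths"].append(e.get("path"))
    return dict(out)

if __name__ == "__main__":
    for (src, tgt, cls), info in denial_summary(parse_events(SAMPLE)).items():
        print(f"{src} -> {tgt}:{cls} {sorted(info['perms'])} {info['paths']}")
```

Both events reduce to `amanda_t` being denied `getattr` on `fifo_file` objects, differing only in the target type (`xserver_log_t` and `user_home_t`).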