Bug 965140
Summary: | amandad runs as init_t when amanda.socket is active | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.0 | CC: | mgrepl, mmalik |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-06-13 12:27:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1004161 | | |
Description
Milos Malik
2013-05-20 13:46:36 UTC
We need more fixes to add systemd support for amanda.

Added.

```
commit a8eedc8fa948f3e6d58c688a99b34fe3bf57c516
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 20 17:04:04 2013 +0200

    Add systemd support for amandad
```

Following AVC appears on my machine when prelink cronjob is running:

```
----
type=PATH msg=audit(06/05/2013 03:46:46.113:456973) : item=0 name=chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0
type=CWD msg=audit(06/05/2013 03:46:46.113:456973) : cwd=/
type=SYSCALL msg=audit(06/05/2013 03:46:46.113:456973) : arch=x86_64 syscall=newfstatat success=no exit=-13(Permission denied) a0=4 a1=0x1ddad8b a2=0x7fff14bd9b60 a3=0x100 items=1 ppid=18628 pid=18637 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=3484 tty=(none) comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc: denied { getattr } for pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
----
```

amanda_exec_t is a "how dare you touch me" type :-)

Even following command executed by root triggers an AVC:

```
# matchpathcon /usr/lib64/amanda/chg-lib.sh
/usr/lib64/amanda/chg-lib.sh	system_u:object_r:amanda_exec_t:s0
#
```

```
----
type=PATH msg=audit(06/05/2013 16:20:57.504:1047) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0
type=CWD msg=audit(06/05/2013 16:20:57.504:1047) : cwd=/
type=SYSCALL msg=audit(06/05/2013 16:20:57.504:1047) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fb78009d870 a1=0x7fb788084d00 a2=0x7fb788084d00 a3=0x62696c2f7273752f items=1 ppid=1 pid=2564 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=setroubleshootd exe=/usr/bin/python2.7 subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/05/2013 16:20:57.504:1047) : avc: denied { getattr } for pid=2564 comm=setroubleshootd path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
----
----
type=PATH msg=audit(06/05/2013 16:20:53.742:1043) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0
type=CWD msg=audit(06/05/2013 16:20:53.742:1043) : cwd=/root
type=SYSCALL msg=audit(06/05/2013 16:20:53.742:1043) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7fff2440f315 a1=0x7fff2440d860 a2=0x7fff2440d860 a3=0x1 items=1 ppid=17219 pid=2557 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=7 tty=pts0 comm=matchpathcon exe=/usr/sbin/matchpathcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/05/2013 16:20:53.742:1043) : avc: denied { getattr } for pid=2557 comm=matchpathcon path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
----
```

```
# rpm -q selinux-policy
selinux-policy-devel-3.12.1-48.el7.noarch
selinux-policy-doc-3.12.1-48.el7.noarch
selinux-policy-minimum-3.12.1-48.el7.noarch
selinux-policy-3.12.1-48.el7.noarch
selinux-policy-targeted-3.12.1-48.el7.noarch
selinux-policy-mls-3.12.1-48.el7.noarch
selinux-policy-devel-3.12.1-49.el7.noarch
selinux-policy-doc-3.12.1-49.el7.noarch
selinux-policy-mls-3.12.1-49.el7.noarch
selinux-policy-minimum-3.12.1-49.el7.noarch
selinux-policy-3.12.1-49.el7.noarch
selinux-policy-targeted-3.12.1-49.el7.noarch
```

```
  PID USER     CONTEXT                      COMMAND
26480 amandab+ system_u:system_r:init_t:s0  /usr/sbin/amandad -auth=bsdtcp amdump
```

Ok, there is a bug, definitely. Trying to find what is wrong with the policy.

Fixed in selinux-policy-3.12.1-50.fc19

There are no AVCs but amandad runs with incorrect context:

```
  PID USER     CONTEXT                      COMMAND
15425 amandab+ system_u:system_r:init_t:s0  /usr/sbin/amandad -auth=bsdtcp amdump
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-59.el7.noarch
selinux-policy-mls-3.12.1-59.el7.noarch
selinux-policy-3.12.1-59.el7.noarch
selinux-policy-doc-3.12.1-59.el7.noarch
selinux-policy-devel-3.12.1-59.el7.noarch
selinux-policy-targeted-3.12.1-59.el7.noarch
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
#
```

I see

```
# ps -efZ |grep amanda
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
```

Do you have the same reproduce as before? Could you try to run it by hand?

First terminal ========

```
# tail -f - | ncat 127.0.0.1 10080
tail: warning: following standard input indefinitely is ineffective
```

Second terminal ==========

```
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  9680     1  0 10:36 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9682 9629  0 10:37 pts/1    00:00:00 grep --color=auto amanda
#
```

Milos, do you have a machine with RHEL7 where I could try to test it. I am not able to reproduce it on my virtual machine.

Petr, do you see this problem?

Currently not. I see the problem first time. For sure I added guy from systemd team.

Well I installed selinux and amanda packages on my RHEL-7 virtual machine and installed packages are:

```
amanda-client-3.3.3-4.el7.x86_64
amanda-3.3.3-4.el7.x86_64
amanda-server-3.3.3-4.el7.x86_64
selinux-policy-3.12.1-65.el7.noarch
selinux-policy-targeted-3.12.1-65.el7.noarch
libselinux-2.1.13-16.el7.x86_64
libselinux-python-2.1.13-16.el7.x86_64
libselinux-utils-2.1.13-16.el7.x86_64
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  2815     1  0 08:55 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2817 2752  0 08:56 pts/1    00:00:00 grep --color=auto amanda
#
```

I can send you IP address of my VM RHEL-7 machine over ping.

Yes, it would be great.

Does it work with

```
# chcon -t amanda_exec_t /usr/sbin/amandad
```

Actually no.

```
# ls -Z /usr/sbin/amandad
lrwxrwxrwx. root root system_u:object_r:bin_t:s0         /usr/sbin/amandad -> /usr/lib64/amanda/amandad
# ls -Z /usr/lib64/amanda/amandad
-rwxr-xr-x. root root system_u:object_r:amanda_exec_t:s0 /usr/lib64/amanda/amandad
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
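As an added defender-side illustration (not part of this bug report or the selinux-policy project), the following Python parses `ps -efZ` output and ausearch-style AVC records like the ones quoted above: it flags a daemon whose process label is init_t instead of its expected confined domain (the symptom of a missing domain transition in this bug) and summarises the getattr denials on amanda_exec_t. The sample input is constructed from the output in this report, and the expected-domain map is an assumption for the example.

```python
import re

# Constructed sample input, modelled on the ps -efZ lines quoted in this bug.
PS_OUTPUT = """\
system_u:system_r:init_t:s0     amandab+  9680     1  0 10:36 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9682 9629  0 10:37 pts/1 00:00:00 grep --color=auto amanda
"""

# Constructed ausearch -i style records, modelled on the prelink denial in this bug.
AUDIT_LOG = """\
type=SYSCALL msg=audit(06/05/2013 03:46:46.113:456973) : arch=x86_64 syscall=newfstatat success=no exit=-13(Permission denied)
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc: denied { getattr } for pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
"""

# Assumption for this example: the domain each daemon is expected to run in.
# In this bug amandad should be amanda_t; init_t means systemd ran it with no transition.
EXPECTED_DOMAIN = {"/usr/sbin/amandad": "amanda_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm=(?P<comm>\S+)"
    r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def domain_of(context):
    """Type component of an SELinux context: user:role:type[:range]."""
    return context.split(":")[2]


def find_untransitioned(ps_text, expected=EXPECTED_DOMAIN):
    """Return (pid, exe, actual_domain, expected_domain) for daemons in the wrong domain."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 8)  # ps -efZ: LABEL UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 9:
            continue
        label, _uid, pid, _ppid, _c, _stime, _tty, _time, cmd = fields
        exe = cmd.split()[0]
        want = expected.get(exe)
        actual = domain_of(label)
        if want is not None and actual != want:
            findings.append((int(pid), exe, actual, want))
    return findings


def parse_avc_denials(log_text):
    """Extract permission, source domain, target type and class from AVC records."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"perms": m["perms"].split(), "comm": m["comm"].strip('"'),
                            "sdomain": domain_of(m["s"]), "ttype": domain_of(m["t"]),
                            "tclass": m["cls"]})
    return denials
```

On a live host the same functions can be fed the output of `ps -efZ` and `ausearch -m avc -i` to spot services that started under init_t after a unit or socket change.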