Bug 970306

Summary: Excessive restrictions on amanda_exec_t
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-08-08 03:03:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Orion Poplawski 2013-06-03 21:59:00 UTC
Description of problem:

My backup script cannot access this file:

/etc/cron.daily/0backup:

rsync: readlink_stat("/usr/local/lib/amanda/exclude.gtar") failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1052) [sender=3.0.9]

In fact, I can access it as root:

[root@vmf19 ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar
ls: cannot access /usr/local/lib/amanda/exclude.gtar: Permission denied

Denials:

type=AVC msg=audit(1370296081.887:525): avc:  denied  { getattr } for  pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296083.390:526): avc:  denied  { getattr } for  pid=3147 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296485.910:535): avc:  denied  { getattr } for  pid=4347 comm="restorecon" name="exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296497.496:536): avc:  denied  { getattr } for  pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-47.fc19.noarch

This appears to have been introduced fairly recently.
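The AVC records quoted above carry everything needed to triage the denial: the source domain (scontext), the file's label (tcontext), the object class and the permission. The script below is an added example written for this page, not code from the bug report or from the selinux-policy package. It parses raw audit lines, groups denials by (source type, target type, class, permission) the way audit2allow does, and renders the equivalent allow rules; the sample log is the four lines from the report, embedded as a constructed string so the script runs offline. When the grouped rules already exist in the loaded policy, as audit2allow reported in this bug, the summary points at a labeling or type-attribute problem rather than a missing rule, which is what the later comments confirm.

```python
import re
from collections import Counter

# Constructed sample: the four AVC lines from the report above, copied verbatim.
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1370296081.887:525): avc:  denied  { getattr } for  pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296083.390:526): avc:  denied  { getattr } for  pid=3147 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296485.910:535): avc:  denied  { getattr } for  pid=4347 comm="restorecon" name="exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296497.496:536): avc:  denied  { getattr } for  pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value pairs after "for"; values may be quoted (path="...") or bare (scontext=...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the interesting fields of one AVC line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # restorecon logs name= (basename) instead of path=; keep whichever is present.
        'path': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type field (user:role:type:range) from a security context."""
    return ctx.split(':')[2]


def summarize_denials(lines):
    """Count denials per (source type, target type, class, permission), like audit2allow."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (context_type(rec['scontext']), context_type(rec['tcontext']),
                   rec['tclass'], perm)
            counts[key] += 1
    return counts


def as_allow_rules(summary):
    """Render the grouped denials as the allow rules audit2allow would print."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in summary)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG.splitlines())
    for key, n in sorted(summary.items()):
        print(f"{n}x {key}")
    print("\n".join(as_allow_rules(summary)))
```

Run against the report's lines it yields the same two rules audit2allow printed in comment 1; comparing that output with `sesearch -A -s <source type> -t <target type> -c file -p getattr` on the running policy is the quickest way to tell a missing rule from a mislabeled file.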

Comment 1 Miroslav Grepl 2013-06-04 14:51:09 UTC
#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;

Comment 2 Fedora Update System 2013-06-05 19:01:25 UTC
selinux-policy-3.12.1-48.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-48.fc19

Comment 3 Fedora Update System 2013-06-06 17:31:28 UTC
Package selinux-policy-3.12.1-48.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-48.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10204/selinux-policy-3.12.1-48.fc19
then log in and leave karma (feedback).

Comment 4 Orion Poplawski 2013-06-06 19:11:37 UTC
I still see the same problem with -48.

Comment 5 Fedora Update System 2013-06-08 03:33:43 UTC
selinux-policy-3.12.1-48.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Miroslav Grepl 2013-06-11 07:51:21 UTC
Orion, 
something is wrong. Could you try to install the latest builds

http://koji.fedoraproject.org/koji/buildinfo?buildID=425126

and see if the update blows up.

Comment 7 Miroslav Grepl 2013-06-11 12:06:17 UTC
Ok, there is a bug in the policy.

Comment 8 Miroslav Grepl 2013-06-11 12:22:19 UTC
Fixed in selinux-policy-3.12.1-50.fc19

Comment 9 Orion Poplawski 2013-06-11 21:10:05 UTC
-50.fc19 looks good, thanks!

Comment 10 Fedora Update System 2013-06-14 07:23:39 UTC
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

Comment 11 Fedora Update System 2013-06-15 03:06:40 UTC
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Orion Poplawski 2013-09-09 15:59:12 UTC
This seems to have returned in selinux-policy-3.12.1-76.fc21.noarch

Comment 13 Miroslav Grepl 2013-09-10 10:14:26 UTC
Added fixes.

commit 5bf8c1628f71b54269d990fc62906a3f9c35bc06
Author: Miroslav Grepl <mgrepl>
Date:   Tue Sep 10 12:13:28 2013 +0200

    amanda_exec_t needs to be executable file

Comment 14 Orion Poplawski 2013-09-11 15:54:52 UTC
Still present in -77.1.fc21.  Can we please not close until a working version is confirmed to be available?

Comment 15 Daniel Walsh 2013-09-11 17:53:30 UTC
Orion, the way Rawhide is handled is to close the bugzilla when the developer thinks Rawhide is fixed.

Comment 16 Daniel Walsh 2013-09-11 17:57:50 UTC
Fixed in selinux-policy-3.12.1-80.fc21

Comment 17 Orion Poplawski 2013-09-11 17:59:23 UTC
Yeah, that's right of course.  Didn't get my bike ride to work today which must have made me a little grumpy.

Comment 18 Orion Poplawski 2013-09-12 15:29:43 UTC
Label is still amanda_exec_t, but nothing complains any more:

[root@vmrawhide ~]# restorecon -r -v /usr/local
[root@vmrawhide ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar 
-rw-r--r--. root root system_u:object_r:amanda_exec_t:s0 /usr/local/lib/amanda/exclude.gtar

Thanks.  Now need to propagate to F19.

Comment 19 Miroslav Grepl 2013-09-13 07:33:30 UTC
Lukas, 
what does the latest F19 policy show you?

# cat /tmp/log |audit2allow


#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;

Comment 20 Lukas Vrabec 2013-09-13 13:23:34 UTC
Miroslav, 

$ audit2allow -i avc 


#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;

Comment 21 Lukas Vrabec 2013-09-13 13:46:54 UTC
$ rpm -q selinux-policy
selinux-policy-3.12.1-74.3.fc19.noarch

Comment 22 Orion Poplawski 2014-08-08 03:03:38 UTC
Hopefully fixed now.