Bug 970306
Summary: | Excessive restrictions on amanda_exec_t | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-52.fc19 | Doc Type: | Bug Fix |
Last Closed: | 2014-08-08 03:03:38 UTC | Type: | Bug |
Description
Orion Poplawski
2013-06-03 21:59:00 UTC
    #============= system_cronjob_t ==============
    #!!!! This avc is allowed in the current policy
    allow system_cronjob_t amanda_exec_t:file getattr;

    #============= unconfined_t ==============
    #!!!! This avc is allowed in the current policy
    allow unconfined_t amanda_exec_t:file getattr;

selinux-policy-3.12.1-48.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-48.fc19

Package selinux-policy-3.12.1-48.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-48.fc19'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10204/selinux-policy-3.12.1-48.fc19
then log in and leave karma (feedback).

I still see the same problem with -48.

selinux-policy-3.12.1-48.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Orion, something is wrong. Could you try to install the latest builds
http://koji.fedoraproject.org/koji/buildinfo?buildID=425126
and see if the update blows up.

Ok, there is a bug in the policy. Fixed in selinux-policy-3.12.1-50.fc19

-50.fc19 looks good, thanks!

selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

This seems to have returned in selinux-policy-3.12.1-76.fc21.noarch

Added fixes.

    commit 5bf8c1628f71b54269d990fc62906a3f9c35bc06
    Author: Miroslav Grepl <mgrepl>
    Date: Tue Sep 10 12:13:28 2013 +0200

    amanda_exec_t needs to be executable file

Still present in -77.1.fc21. Can we please not close until a working version is confirmed to be available

Orion the way Rawhide is handled is to close the bugzilla when developer thinks rawhide is fixed.

Fixed in selinux-policy-3.12.1-80.fc21

Yeah, that's right of course. Didn't get my bike ride to work today which must have made me a little grumpy.

label is still amanda_exec_t, but nothing complains any more:

    [root@vmrawhide ~]# restorecon -r -v /usr/local
    [root@vmrawhide ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar
    -rw-r--r--. root root system_u:object_r:amanda_exec_t:s0 /usr/local/lib/amanda/exclude.gtar

thanks. Now need to propagate to F19.

Lukas, what does the latest F19 policy show you

    # cat /tmp/log |audit2allow

    #============= system_cronjob_t ==============
    #!!!! This avc is allowed in the current policy
    allow system_cronjob_t amanda_exec_t:file getattr;

    #============= unconfined_t ==============
    #!!!! This avc is allowed in the current policy
    allow unconfined_t amanda_exec_t:file getattr;

Miroslav,

    $ audit2allow -i avc

    #============= system_cronjob_t ==============
    #!!!! This avc is allowed in the current policy
    allow system_cronjob_t amanda_exec_t:file getattr;

    #============= unconfined_t ==============
    #!!!! This avc is allowed in the current policy
    allow unconfined_t amanda_exec_t:file getattr;

    $ rpm -q selinux-policy
    selinux-policy-3.12.1-74.3.fc19.noarch

Hopefully fixed now.