Description of problem:
amanda dump breaks after local running of tar
Version-Release number of selected component (if applicable):
amanda-3.4.1-1.fc25.x86_64 (server and client)
How reproducible:
always
Steps to Reproduce:
1. run amdump
Disklist:
host /boot comp-root-tar-server
host /etc comp-root-tar-server
host /home comp-user-tar-server
host /opt comp-user-tar-server
host /root comp-root-tar-server
host /usr comp-root-tar-server
host /var comp-root-tar-server
Actual results:
Jan 22 21:17:09 **** python3[8092]: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that amandad should be allowed getattr access on the 1001 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp
Expected results:
working
Additional info:
type=AVC msg=audit(1485116215.529:702): avc: denied { getattr } for pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Found more directories:
python3: SELinux is preventing amandad from getattr access on the filesystem /dev/shm.
python3: SELinux is preventing amandad from getattr access on the filesystem /run.
python3: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.
python3: SELinux is preventing amandad from getattr access on the filesystem /sys/fs/cgroup.
python3: SELinux is preventing amandad from getattr access on the filesystem /tmp.
More rules may be needed, but this is a good start:
# cat bz1415506.cil
( allow amanda_t tmpfs_t ( filesystem ( getattr )))
# semodule -i bz1415506.cil
#
To see all SELinux denials that are generated by your scenario, it would be better to switch the amanda_t domain to permissive and re-run your scenario:
# dnf -y -q install /usr/sbin/semanage
# semanage permissive -a amanda_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent
Created attachment 1243752
ausearch result
attached ausearch result as requested
ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i |grep amanda |grep "23.01" | cut -c 51- | sort | uniq >/tmp/amanda-selinux.txt
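Added example, not part of the original thread: a small Python summarizer that collapses AVC denial records into one candidate CIL rule per (source type, target type, class), the same form as bz1415506.cil above, so the denials collected in permissive mode can be reviewed without relying on `cut -c 51-` column offsets. The first sample record is the denial quoted in this report; the other records, the type `example_t`, and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the denial quoted in this report;
# the rest are made up (a duplicate, a second denial, and a non-AVC record).
SAMPLE = """\
type=AVC msg=audit(1485116215.529:702): avc: denied { getattr } for pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116215.530:703): avc: denied { getattr } for pid=11788 comm="amandad" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116300.001:710): avc: denied { read open } for pid=11790 comm="amandad" name="example" dev="dm-0" ino=2 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1485116300.001:710): arch=c000003e syscall=2 success=yes
"""

# Tolerates the variable spacing of both raw and interpreted (-i) ausearch output.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is the third field.
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL, PATH and other non-AVC records
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def to_cil(rules):
    """Render each tuple as a CIL allow statement, sorted for stable diffs."""
    return [f"(allow {s} {t} ({cls} ({' '.join(sorted(perms))})))"
            for (s, t, cls), perms in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(to_cil(summarize(SAMPLE))))
```

The output is a list of candidate rules to review against the policy, not a module to load as-is.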
Could you help us, Lukas?
And if someone is looking into the amanda policy, https://bugzilla.redhat.com/show_bug.cgi?id=1414140 is another open ticket. Also, this ticket should be open against the selinux-policy component, not amanda, since there's nothing that can be changed in amanda to fix this. But I'll let Josef reassign it if he wants to do that.
Reassigning to selinux-policy. Feel free to change it in case it should be solved by someone else.
selinux-policy-3.13.1-225.11.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.