Bug 1415506 - SElinux prevents amanda dumps
Summary: SElinux prevents amanda dumps
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-22 20:23 UTC by Peter Bieringer
Modified: 2017-07-17 19:08 UTC (History)

Fixed In Version: selinux-policy-3.13.1-225.11.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-28 08:50:05 UTC


Attachments
ausearch result (5.16 KB, text/plain)
2017-01-23 19:21 UTC, Peter Bieringer

Description Peter Bieringer 2017-01-22 20:23:35 UTC
Description of problem:
amanda dump breaks after local running of tar

Version-Release number of selected component (if applicable):
amanda-3.4.1-1.fc25.x86_64 (server and client)

How reproducible:
always


Steps to Reproduce:
1. run amdump

Disklist:
host   /boot              comp-root-tar-server
host   /etc               comp-root-tar-server
host   /home              comp-user-tar-server
host   /opt               comp-user-tar-server
host   /root              comp-root-tar-server
host   /usr               comp-root-tar-server
host   /var               comp-root-tar-server


Actual results:

Jan 22 21:17:09 **** python3[8092]: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that amandad should be allowed getattr access on the 1001 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp

Expected results:

working


Additional info:

type=AVC msg=audit(1485116215.529:702): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Found more directories:

python3: SELinux is preventing amandad from getattr access on the filesystem /dev/shm.
python3: SELinux is preventing amandad from getattr access on the filesystem /run.
python3: SELinux is preventing amandad from getattr access on the filesystem /run/user/1001.
python3: SELinux is preventing amandad from getattr access on the filesystem /sys/fs/cgroup.
python3: SELinux is preventing amandad from getattr access on the filesystem /tmp.

Comment 2 Milos Malik 2017-01-23 07:38:22 UTC
More rules may be needed, but this is a good start:

# cat bz1415506.cil 
( allow amanda_t tmpfs_t ( filesystem ( getattr )))

# semodule -i bz1415506.cil 
#

Comment 3 Milos Malik 2017-01-23 07:47:02 UTC
To see all SELinux denials that are generated by your scenario, it would be better to switch the amanda_t domain to permissive and re-run your scenario:

# dnf -y -q install /usr/sbin/semanage
# semanage permissive -a amanda_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts recent

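Added example (not part of this bug report, of Amanda or of the selinux-policy package): the sealert catchall in the description, the hand-written CIL rule in comment 2 and the permissive-domain run in comment 3 are three views of one workflow, turning AVC records into reviewable allow rules. The Python script below does that aggregation step offline on a constructed sample log. The first record is the AVC quoted in the report; the rest (pids, inodes, the cgroup_t and tmp_t labels, a permissive=1 record and an unrelated unconfined_t record) are made up for illustration, and the script name avc2cil.py is an assumption.

```python
"""Turn raw SELinux AVC records into a minimal CIL allow-rule module.

Added example, not code from the bug report, Fedora or the selinux-policy
package. It does by hand what `audit2allow` does for the report's denials:
parse `type=AVC ... avc: denied { perms } for ...` records, keep only the
domain under investigation, merge permissions per (source type, target type,
object class) and print one CIL `allow` rule per group, in the same form as
the bz1415506.cil module from comment 2.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, NamedTuple, Optional, Set, Tuple

# Constructed sample audit log. The first record is the one quoted in the
# report; the others are made up to mimic the additional /sys/fs/cgroup and
# /tmp denials it mentions (pids, inodes and the cgroup_t/tmp_t labels are
# assumed), one of them logged after the domain was made permissive, plus an
# unrelated unconfined_t record and a SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1485116215.529:702): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=31004 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116220.101:710): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1485116220.102:711): avc:  denied  { getattr } for  pid=11788 comm="amandad" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1485116220.103:712): avc:  denied  { read search } for  pid=11790 comm="tar" name="tmp" dev="tmpfs" ino=1 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1485116220.104:713): avc:  denied  { write } for  pid=2001 comm="sh" name="x" dev="tmpfs" ino=5 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1485116215.529:702): arch=c000003e syscall=137 success=no exit=-13 comm="amandad"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Denial(NamedTuple):
    stype: str               # source (subject) type, e.g. amanda_t
    ttype: str               # target (object) type, e.g. tmpfs_t
    tclass: str              # object class, e.g. filesystem
    perms: FrozenSet[str]    # denied permissions from the { ... } set
    permissive: Optional[str]  # "1" if logged while the domain was permissive


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; return None for non-AVC or malformed lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type[:range]; the type is always the third
        # field, so MLS/MCS ranges such as s0-s0:c0.c1023 do not get in the way.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    perms = frozenset(m.group("perms").split())
    if not perms:
        return None
    return Denial(stype, ttype, tclass, perms, fields.get("permissive"))


Key = Tuple[str, str, str]


def aggregate(audit_text: str, source_type: Optional[str] = None) -> Dict[Key, Set[str]]:
    """Merge permissions per (stype, ttype, tclass), optionally for one domain.

    Records logged while the domain was permissive (permissive=1, as after
    `semanage permissive -a amanda_t`) are included on purpose: that is why
    the domain is switched to permissive, to see the whole chain of denials.
    """
    rules: Dict[Key, Set[str]] = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None or (source_type and d.stype != source_type):
            continue
        rules[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return dict(rules)


def to_cil(rules: Dict[Key, Set[str]]) -> str:
    """Render one CIL allow rule per group, sorted for stable diffs and review."""
    return "\n".join(
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(rules.items())
    )


if __name__ == "__main__":
    # Assumed usage:  ausearch -m avc -m user_avc --raw -ts recent | python3 avc2cil.py > bz.cil
    # Review every rule, and only then:  semodule -i bz.cil
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    print(to_cil(aggregate(text, "amanda_t")))
```

Unlike `audit2allow -M`, this produces a plain .cil text file that can be read line by line before `semodule -i`; each rule should still be checked against what amandad actually needs, because a denial logged in permissive mode is not by itself evidence that the access is legitimate. As comment 2 notes, more rules may surface once the domain is permissive; re-running the script over the fuller log merges them per (source, target, class), so the two tmpfs_t filesystem denials in the sample collapse into a single rule.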
Comment 4 Peter Bieringer 2017-01-23 19:21:39 UTC
Created attachment 1243752 [details]
ausearch result

attached ausearch result as requested

ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i  |grep amanda |grep "23.01" | cut -c 51- | sort | uniq >/tmp/amanda-selinux.txt

Comment 5 Milos Malik 2017-01-24 16:42:39 UTC
Could you help us, Lukas?

Comment 6 Jason Tibbitts 2017-01-24 16:52:49 UTC
And if someone is looking into the amanda policy, https://bugzilla.redhat.com/show_bug.cgi?id=1414140 is another open ticket.

Also, this ticket should be open against the selinux-policy component, not amanda, since there's nothing that can be changed in amanda to fix this.  But I'll let Josef reassign it if he wants to do that.

Comment 7 Josef Ridky 2017-01-24 19:39:13 UTC
Reassign to selinux-policy.
Feel free to change it in case it should be solved by someone else.

Comment 8 Fedora Update System 2017-02-27 11:29:48 UTC
selinux-policy-3.13.1-225.11.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b

Comment 9 Fedora Update System 2017-02-27 23:52:11 UTC
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b

Comment 10 Fedora Update System 2017-02-28 08:50:05 UTC
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

