Bug 1527645 - selinux block amanda from running
Summary: selinux block amanda from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-19 18:05 UTC by Craig Goodyear
Modified: 2018-01-21 17:50 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-283.21.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-10 02:07:23 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Craig Goodyear 2017-12-19 18:05:08 UTC 
Description of problem:
selinux keeps amanda from running a backup on amanda client.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.17.fc27.noarch
amanda-3.4.5-5.fc27.x86_64


How reproducible:
every time amanda tries to run a backup


Steps to Reproduce:
1. start backup with amanda


Actual results:
backup does not occur


Expected results:
back should run normally


Additional info:
detailed selinux error log:

SELinux is preventing amandad from getattr access on the filesystem /dev/shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that amandad should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp

Additional Information:
Source Context                system_u:system_r:amanda_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm [ filesystem ]
Source                        amandad
Source Path                   amandad
Port                          <Unknown>
Host                          antec.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     antec.localdomain
Platform                      Linux antec.localdomain 4.13.16-302.fc27.x86_64 #1
                              SMP Thu Nov 30 15:33:36 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-12-06 01:05:15 CST
Last Seen                     2017-12-06 01:05:15 CST
Local ID                      b95ee43e-8c67-4eff-a338-62fdefddbfc1

Raw Audit Messages
type=AVC msg=audit(1512543915.545:1985): avc:  denied  { getattr } for  pid=6477 comm="amandad" name="/" dev="tmpfs" ino=18444 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1


Hash: amandad,amanda_t,tmpfs_t,filesystem,getattr
Comment 1 Fedora Update System 2018-01-05 14:47:05 UTC 
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
Comment 2 Fedora Update System 2018-01-05 14:49:37 UTC 
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
Comment 3 Fedora Update System 2018-01-06 21:09:08 UTC 
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
Comment 4 Fedora Update System 2018-01-10 02:07:23 UTC 
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Craig Goodyear 2018-01-21 17:50:44 UTC 
After the update to selinux-policy-3.13.1-283.21.fc27, amanda is still unable to backup due to the following selinux error:


SELinux is preventing amandad from create access on the file amanda_shm_control-5836-0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that amandad should be allowed create access on the amanda_shm_control-5836-0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'amandad' --raw | audit2allow -M my-amandad
# semodule -X 300 -i my-amandad.pp

Additional Information:
Source Context                system_u:system_r:amanda_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                amanda_shm_control-5836-0 [ file ]
Source                        amandad
Source Path                   amandad
Port                          <Unknown>
Host                          joe.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     joe.localdomain
Platform                      Linux joe.localdomain 4.14.13-300.fc27.x86_64 #1
                              SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-01-21 01:05:36 CST
Last Seen                     2018-01-21 01:05:36 CST
Local ID                      a2f10abd-8185-40f3-9888-860399f5ed63

Raw Audit Messages
type=AVC msg=audit(1516518336.444:1456): avc:  denied  { create } for  pid=5836 comm="amandad" name="amanda_shm_control-5836-0" scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0


Hash: amandad,amanda_t,tmpfs_t,file,create
Note You need to log in before you can comment on or make changes to this bug.