Bug 193432 - selinux turned on forces amanda to output unusual and unexpected error message
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Daniel Walsh
Reported: 2006-05-28 03:44 EDT by Eduard Vopicka
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-14 10:17:55 EST
Description Eduard Vopicka 2006-05-28 03:44:41 EDT
Description of problem:

During backup of FC5 box with amanda, the dump program produces strange message.
Because turning selinux OFF seems to make the message disappear, I am
reporting this as problem with selinux and not with amanda. The message is

"? device-mapper: version ioctl failed: Permission denied".


Version-Release number of selected component (if applicable):

FC5 box daily updated, so all versions are the latest. The bug persists during
several selinux updates.

How reproducible:

Remotely backup filesystem on FC5 box using amanda.


Steps to Reproduce:
1.
2.
3.
  
Actual results:

FAILED AND STRANGE DUMP DETAILS:

/-- srv04 sda5 lev 1 STRANGE
sendbackup: start [srv04:sda5 level 1]
sendbackup: info BACKUP=/sbin/dump
sendbackup: info RECOVER_CMD=/usr/bin/gzip -dc |/sbin/restore -f... -
sendbackup: info COMPRESS_SUFFIX=.gz
sendbackup: info end
? device-mapper: version ioctl failed: Permission denied
| DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
| DUMP: Date of last level 0 dump: Thu May 25 01:14:27 2006
| DUMP: Dumping /dev/sda5 (/home) to standard output
| DUMP: Label: /home
| DUMP: Writing 10 Kilobyte records
| DUMP: mapping (Pass I) [regular files]
| DUMP: mapping (Pass II) [directories]
| DUMP: estimated 705 blocks.
| DUMP: Volume 1 started with block 1 at: Fri May 26 01:14:08 2006
| DUMP: dumping (Pass III) [directories]
| DUMP: dumping (Pass IV) [regular files]
| DUMP: Volume 1 completed at: Fri May 26 01:14:09 2006
| DUMP: Volume 1 710 blocks (0.69MB)
| DUMP: Volume 1 took 0:00:01
| DUMP: Volume 1 transfer rate: 710 kB/s
| DUMP: 710 blocks (0.69MB)
| DUMP: finished in 1 seconds, throughput 710 kBytes/sec
| DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
| DUMP: Date this dump completed: Fri May 26 01:14:09 2006
| DUMP: Average transfer rate: 710 kB/s
| DUMP: DUMP IS DONE
sendbackup: size 355
sendbackup: end



Expected results:

No message about failed ioctl.

Additional info:

Changing username/group to root in xinetd configuration for amanda does not
help, it is still necessary to turn off selinux to make the error message disappear.
Comment 1 Daniel Walsh 2006-06-15 18:32:56 EDT
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?
Comment 2 Eduard Vopicka 2006-12-13 07:58:36 EST
(In reply to comment #0)
> Description of problem:
> 
> During backup of FC5 box with amanda, the dump program produces strange message.
> Because turning selinux OFF seems to make the message disappear, I am
> reporting this as problem with selinux and not with amanda. The message is
> 
> "? device-mapper: version ioctl failed: Permission denied".
> 
> 
> Version-Release number of selected component (if applicable):
> 
> FC5 box daily updated, so all versions are the latest. The bug persists during
> several selinux updates.
> 
> How reproducible:
> 
> Remotely backup filesystem on FC5 box using amanda.
> 
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
>   
> Actual results:
> 
> FAILED AND STRANGE DUMP DETAILS:
> 
> /-- srv04 sda5 lev 1 STRANGE
> sendbackup: start [srv04:sda5 level 1]
> sendbackup: info BACKUP=/sbin/dump
> sendbackup: info RECOVER_CMD=/usr/bin/gzip -dc |/sbin/restore -f... -
> sendbackup: info COMPRESS_SUFFIX=.gz
> sendbackup: info end
> ? device-mapper: version ioctl failed: Permission denied
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date of last level 0 dump: Thu May 25 01:14:27 2006
> | DUMP: Dumping /dev/sda5 (/home) to standard output
> | DUMP: Label: /home
> | DUMP: Writing 10 Kilobyte records
> | DUMP: mapping (Pass I) [regular files]
> | DUMP: mapping (Pass II) [directories]
> | DUMP: estimated 705 blocks.
> | DUMP: Volume 1 started with block 1 at: Fri May 26 01:14:08 2006
> | DUMP: dumping (Pass III) [directories]
> | DUMP: dumping (Pass IV) [regular files]
> | DUMP: Volume 1 completed at: Fri May 26 01:14:09 2006
> | DUMP: Volume 1 710 blocks (0.69MB)
> | DUMP: Volume 1 took 0:00:01
> | DUMP: Volume 1 transfer rate: 710 kB/s
> | DUMP: 710 blocks (0.69MB)
> | DUMP: finished in 1 seconds, throughput 710 kBytes/sec
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date this dump completed: Fri May 26 01:14:09 2006
> | DUMP: Average transfer rate: 710 kB/s
> | DUMP: DUMP IS DONE
> sendbackup: size 355
> sendbackup: end
> 
> 
> 
> Expected results:
> 
> No message about failed ioctl.
> 
> Additional info:
> 
> Changing username/group to root in xinetd configuration for amanda does not
> help, it is still necessary to turn off selinux to make the error message
> disappear.

(In reply to comment #1)
> Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?


Hello.

Sorry for delay in answering.

Yes, there were some messages in logfiles, but please read below.

Since I have reported this problem, I have encountered the same behavior on
about five FC5/FC6 boxes. And it appears that running "fixfiles relabel" is
enough to fix the problem. My investigation shows that all these systems were
run with selinux turned off for some time by less experienced local admins and
this and some copy operations with selinux turned off is probably the source of
the problem. Then, when booted with selinux in permissive mode, it started to
complain.

Sorry for creating this false bugreport - IMHO it is time to close it with
NOTABUG status.

Brgds,

Ed


Comment 3 Daniel Walsh 2007-02-14 10:17:55 EST
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.
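
Added example, not part of the bug report or of any Fedora tool: a triage pass over AVC denials that separates those whose target is unlabeled (the situation Comment 2 traced to running with SELinux disabled, fixed by relabeling) from those that are candidates for the local policy module Comment 3 describes. The sample records and the function names are constructed for illustration; the actual denials from this bug are not on the page.

```python
import re
from collections import Counter

# Target types that mean "this object never received a proper label",
# which is what files created while SELinux was disabled end up with.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit.log line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], tuple(m["perms"].split()))

def triage(lines):
    """Split denials into (fix by relabeling, candidates for local policy)."""
    relabel, policy = Counter(), Counter()
    for line in lines:
        denial = parse_avc(line)
        if denial is None:
            continue
        bucket = relabel if denial[1] in UNLABELED_TYPES else policy
        bucket[denial] += 1
    return relabel, policy

# Constructed sample records (not taken from the bug report).
SAMPLE = [
    'type=AVC msg=audit(1165999000.101:41): avc:  denied  { read } for  pid=2101 comm="dump" name="dumpdates" dev=sda2 ino=7733 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'type=AVC msg=audit(1165999060.310:57): avc:  denied  { read } for  pid=2188 comm="dump" name="dumpdates" dev=sda2 ino=7733 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'type=AVC msg=audit(1165999001.220:43): avc:  denied  { ioctl } for  pid=2101 comm="dump" name="control" dev=tmpfs ino=5120 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1165999001.220:43): arch=40000003 syscall=54 success=no exit=-13',
]

if __name__ == "__main__":
    relabel, policy = triage(SAMPLE)
    for name, bucket in (("relabel first", relabel), ("policy candidate", policy)):
        for (src, tgt, tclass, perms), n in bucket.items():
            print(f"{name}: {src} -> {tgt}:{tclass} {{ {' '.join(perms)} }} x{n}")
```

Denials in the "relabel first" bucket should be cleared by restoring file labels and re-testing before the log is handed to audit2allow, because a module generated from them would allow the confined domain access to unlabeled objects in general.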
