Bug 193432 - selinux turned on forces amanda to output unusual and unexpected error message
Summary: selinux turned on forces amanda to output unusual and unexpected error message
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-05-28 07:44 UTC by Eduard Vopicka
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-14 15:17:55 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Eduard Vopicka 2006-05-28 07:44:41 UTC
Description of problem:

During backup of FC5 box with amanda, the dum program produces strange message.
Because of turning selinux OFF seems to make the message disappear, I am
reporting this as problem with selinux and not with amanda. The message is

"? device-mapper: version ioctl failed: Permission denied".


Version-Release number of selected component (if applicable):

FC5 box daily updated, so all versions are the latest. The bug persists during
several selinux updates.

How reproducible:

Remotely backup filesystem on FC5 box using amanda.


Steps to Reproduce:
1.
2.
3.
  
Actual results:

FAILED AND STRANGE DUMP DETAILS:

/-- srv04 sda5 lev 1 STRANGE
sendbackup: start [srv04:sda5 level 1]
sendbackup: info BACKUP=/sbin/dump
sendbackup: info RECOVER_CMD=/usr/bin/gzip -dc |/sbin/restore -f... -
sendbackup: info COMPRESS_SUFFIX=.gz
sendbackup: info end
? device-mapper: version ioctl failed: Permission denied
| DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
| DUMP: Date of last level 0 dump: Thu May 25 01:14:27 2006
| DUMP: Dumping /dev/sda5 (/home) to standard output
| DUMP: Label: /home
| DUMP: Writing 10 Kilobyte records
| DUMP: mapping (Pass I) [regular files]
| DUMP: mapping (Pass II) [directories]
| DUMP: estimated 705 blocks.
| DUMP: Volume 1 started with block 1 at: Fri May 26 01:14:08 2006
| DUMP: dumping (Pass III) [directories]
| DUMP: dumping (Pass IV) [regular files]
| DUMP: Volume 1 completed at: Fri May 26 01:14:09 2006
| DUMP: Volume 1 710 blocks (0.69MB)
| DUMP: Volume 1 took 0:00:01
| DUMP: Volume 1 transfer rate: 710 kB/s
| DUMP: 710 blocks (0.69MB)
| DUMP: finished in 1 seconds, throughput 710 kBytes/sec
| DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
| DUMP: Date this dump completed: Fri May 26 01:14:09 2006
| DUMP: Average transfer rate: 710 kB/s
| DUMP: DUMP IS DONE
sendbackup: size 355
sendbackup: end



Expected results:

No message about failed ioctl.

Additional info:

Changing username/group to root in xinetd configuration for amanda does not
help, it is still necessary to turn off selinux to make the error message disapper.

Comment 1 Daniel Walsh 2006-06-15 22:32:56 UTC
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?

Comment 2 Eduard Vopicka 2006-12-13 12:58:36 UTC
(In reply to comment #0)
> Description of problem:
> 
> During backup of FC5 box with amanda, the dum program produces strange message.
> Because of turning selinux OFF seems to make the message disappear, I am
> reporting this as problem with selinux and not with amanda. The message is
> 
> "? device-mapper: version ioctl failed: Permission denied".
> 
> 
> Version-Release number of selected component (if applicable):
> 
> FC5 box daily updated, so all versions are the latest. The bug persists during
> several selinux updates.
> 
> How reproducible:
> 
> Remotely backup filesystem on FC5 box using amanda.
> 
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
>   
> Actual results:
> 
> FAILED AND STRANGE DUMP DETAILS:
> 
> /-- srv04 sda5 lev 1 STRANGE
> sendbackup: start [srv04:sda5 level 1]
> sendbackup: info BACKUP=/sbin/dump
> sendbackup: info RECOVER_CMD=/usr/bin/gzip -dc |/sbin/restore -f... -
> sendbackup: info COMPRESS_SUFFIX=.gz
> sendbackup: info end
> ? device-mapper: version ioctl failed: Permission denied
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date of last level 0 dump: Thu May 25 01:14:27 2006
> | DUMP: Dumping /dev/sda5 (/home) to standard output
> | DUMP: Label: /home
> | DUMP: Writing 10 Kilobyte records
> | DUMP: mapping (Pass I) [regular files]
> | DUMP: mapping (Pass II) [directories]
> | DUMP: estimated 705 blocks.
> | DUMP: Volume 1 started with block 1 at: Fri May 26 01:14:08 2006
> | DUMP: dumping (Pass III) [directories]
> | DUMP: dumping (Pass IV) [regular files]
> | DUMP: Volume 1 completed at: Fri May 26 01:14:09 2006
> | DUMP: Volume 1 710 blocks (0.69MB)
> | DUMP: Volume 1 took 0:00:01
> | DUMP: Volume 1 transfer rate: 710 kB/s
> | DUMP: 710 blocks (0.69MB)
> | DUMP: finished in 1 seconds, throughput 710 kBytes/sec
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date this dump completed: Fri May 26 01:14:09 2006
> | DUMP: Average transfer rate: 710 kB/s
> | DUMP: DUMP IS DONE
> sendbackup: size 355
> sendbackup: end
> 
> 
> 
> Expected results:
> 
> No message about failed ioctl.
> 
> Additional info:
> 
> Changing username/group to root in xinetd configuration for amanda does not
> help, it is still necessary to turn off selinux to make the error message
disapper.

(In reply to comment #0)
> Description of problem:
> 
> During backup of FC5 box with amanda, the dum program produces strange message.
> Because of turning selinux OFF seems to make the message disappear, I am
> reporting this as problem with selinux and not with amanda. The message is
> 
> "? device-mapper: version ioctl failed: Permission denied".
> 
> 
> Version-Release number of selected component (if applicable):
> 
> FC5 box daily updated, so all versions are the latest. The bug persists during
> several selinux updates.
> 
> How reproducible:
> 
> Remotely backup filesystem on FC5 box using amanda.
> 
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
>   
> Actual results:
> 
> FAILED AND STRANGE DUMP DETAILS:
> 
> /-- srv04 sda5 lev 1 STRANGE
> sendbackup: start [srv04:sda5 level 1]
> sendbackup: info BACKUP=/sbin/dump
> sendbackup: info RECOVER_CMD=/usr/bin/gzip -dc |/sbin/restore -f... -
> sendbackup: info COMPRESS_SUFFIX=.gz
> sendbackup: info end
> ? device-mapper: version ioctl failed: Permission denied
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date of last level 0 dump: Thu May 25 01:14:27 2006
> | DUMP: Dumping /dev/sda5 (/home) to standard output
> | DUMP: Label: /home
> | DUMP: Writing 10 Kilobyte records
> | DUMP: mapping (Pass I) [regular files]
> | DUMP: mapping (Pass II) [directories]
> | DUMP: estimated 705 blocks.
> | DUMP: Volume 1 started with block 1 at: Fri May 26 01:14:08 2006
> | DUMP: dumping (Pass III) [directories]
> | DUMP: dumping (Pass IV) [regular files]
> | DUMP: Volume 1 completed at: Fri May 26 01:14:09 2006
> | DUMP: Volume 1 710 blocks (0.69MB)
> | DUMP: Volume 1 took 0:00:01
> | DUMP: Volume 1 transfer rate: 710 kB/s
> | DUMP: 710 blocks (0.69MB)
> | DUMP: finished in 1 seconds, throughput 710 kBytes/sec
> | DUMP: Date of this level 1 dump: Fri May 26 01:14:01 2006
> | DUMP: Date this dump completed: Fri May 26 01:14:09 2006
> | DUMP: Average transfer rate: 710 kB/s
> | DUMP: DUMP IS DONE
> sendbackup: size 355
> sendbackup: end
> 
> 
> 
> Expected results:
> 
> No message about failed ioctl.
> 
> Additional info:
> 
> Changing username/group to root in xinetd configuration for amanda does not
> help, it is still necessary to turn off selinux to make the error message
disapper.

(In reply to comment #1)
> Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?


Hello.

Sorry fur delay in answering.

Yes, there were some messages in logfiles, but please read below.

Since I have reported this problem, I have encountered the same behavior on
about five FC5/FC6 boxes. And it appears that running "fixfiles relabel" is
enough to fix the problem. My investigation shows that all these systems were
run with selinux turned off for some time by less experienced local admins and
this and some copy operations with seliinux turned off is probably the source of
the problem. Then, when booted with selinux in permissive mode, it started to
complain.

Sorry for creating this false bugreport - IMHO it is time to close it with
NOTABUG status.

Brgds,

Ed




Comment 3 Daniel Walsh 2007-02-14 15:17:55 UTC
All of these bugs should be fixed in FC6,  You could attempt to use the FC6
policy on FC5 or upgrade.  Or you could use 

audit2allow -M mypolicy -i /var/log/audit/audit.log 
and build local customized policy


Note You need to log in before you can comment on or make changes to this bug.