A couple of selinux amanda issues:

#1 - amanda index files:

Sep 3 09:48:24 saga kernel: audit(1157298504.254:77): avc: denied { write } for pid=21352 comm="sh" name="_export_home1" dev=dm-2 ino=111289 scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
Sep 3 09:48:24 saga kernel: audit(1157298504.254:78): avc: denied { add_name } for pid=21352 comm="sh" name="20060901_0" scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
Sep 3 09:48:38 saga kernel: audit(1157298518.341:80): avc: denied { write } for pid=21352 comm="sort" name="20060901_0" dev=dm-2 ino=111367 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

amanda keeps compressed index files in /var/lib/amanda/<BackupSet>/index/<host>/<disk>. The index server uncompresses them into that directory as well (apparently). Looks like the file context rule needs a wild card for the <BackupSet>:

/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)

should be something like

/var/lib/amanda/.*/index gen_context(system_u:object_r:amanda_data_t,s0)

#2 - tape server log file

Sep 3 09:50:53 saga kernel: audit(1157298653.964:85): avc: denied { append } for pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Sep 3 10:05:06 saga kernel: audit(1157299506.722:92): avc: denied { remove_name } for pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948 scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
Sep 3 10:05:06 saga kernel: audit(1157299506.726:93): avc: denied { unlink } for pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

The tape server (started from xinetd) writes a log file to /var/lib/amanda/<BackupSet>/log, same as the normal runs, partially as a lock file.

It also seems to write an info file:

Sep 5 09:38:41 saga kernel: audit(1157470721.476:113): avc: denied { write } for pid=14700 comm="amidxtaped" name="info" dev=dm-0 ino=32048 scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file

into whatever directory is specified in amanda.conf as the tape device using the file driver, e.g.:

tapedev "file:/export/amanda/Data"

I suppose I need to label this directory as amanda_data_t?

#3 - disk changer script:

Sep 3 09:50:54 saga kernel: audit(1157298654.084:86): avc: denied { write } for pid=21560 comm="chg-disk" name="Data" dev=dm-0 ino=80093 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_config_t:s0 tclass=dir
Sep 3 09:50:54 saga kernel: audit(1157298654.084:87): avc: denied { write } for pid=21560 comm="chg-disk" name="changer.conf-access" dev=dm-0 ino=80275 scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:amanda_config_t:s0 tclass=file
Sep 3 09:50:54 saga kernel: audit(1157298654.084:88): avc: denied { write } for pid=21560 comm="chg-disk" name="changer.conf-clean" dev=dm-0 ino=85549 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_config_t:s0 tclass=file

The disk changer script manages configuration files in a location specified in amanda.conf. Unfortunately, this could be anywhere, but /var/lib/amanda/<BackupSet>/ seems to be a good location.

#4 - also, this context:

/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)

seems wrong. disklist is usually at /etc/amanda/<BackupSet>/disklist. Also, it's read only, so I think the current rule for /etc/amanda works and this can be removed.
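The report above sorts each denial by the type of the target object: denials against generic types such as var_lib_t or default_t point at a missing file context rule, while denials against an already amanda-specific type point at a policy gap or files living in the wrong place. The following added triage script (not part of the bug report or the selinux-policy package) parses a constructed sample of the AVC records quoted above and applies that same split; the GENERIC_TYPES set is an assumed heuristic, not a list from the policy.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in the report above.
AVC_LINES = """\
Sep 3 09:48:24 saga kernel: audit(1157298504.254:77): avc: denied { write } for pid=21352 comm="sh" name="_export_home1" dev=dm-2 ino=111289 scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
Sep 3 09:48:38 saga kernel: audit(1157298518.341:80): avc: denied { write } for pid=21352 comm="sort" name="20060901_0" dev=dm-2 ino=111367 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Sep 5 09:38:41 saga kernel: audit(1157470721.476:113): avc: denied { write } for pid=14700 comm="amidxtaped" name="info" dev=dm-0 ino=32048 scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
Sep 3 09:50:54 saga kernel: audit(1157298654.084:87): avc: denied { write } for pid=21560 comm="chg-disk" name="changer.conf-access" dev=dm-0 ino=80275 scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:amanda_config_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: generic types that usually mean the path carries no
# application-specific label, so the fix is a file context rule plus restorecon.
GENERIC_TYPES = {'var_lib_t', 'default_t', 'var_t', 'etc_t', 'usr_t'}

def parse_avc(line):
    """Parse one kernel AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    # An SELinux context is user:role:type[:level]; the type decides access.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(text, domain='amanda_t'):
    """Group the domain's denials by (target type, class) and flag the likely fix."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['stype'] == domain:
            groups[(rec['ttype'], rec['tclass'])].append(rec)
    report = {}
    for (ttype, tclass), recs in groups.items():
        if ttype in GENERIC_TYPES:
            fix = 'relabel: add a file context rule for the path, then restorecon'
        else:
            fix = 'policy or placement: domain lacks access to an already-specific type'
        report[(ttype, tclass)] = {
            'fix': fix,
            'objects': sorted({(r['comm'], r['name']) for r in recs}),
            'perms': sorted({p for r in recs for p in r['perms']}),
        }
    return report
```

Run `triage(AVC_LINES)` to see the index-file and tape-device denials land in the relabel bucket while the changer's writes to amanda_config_t land in the policy-or-placement bucket, matching the report's own conclusions.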
Fixed in selinux-policy-2.3.14-4
Any chance we'll see this in FC5 soon? Thanks!
Closing bugs