Bug 205296 - various amanda issues
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-09-05 16:58 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Last Closed: 2007-03-28 16:04:06 EDT
Description Orion Poplawski 2006-09-05 16:58:18 EDT
A couple of SELinux amanda issues:

#1 - amanda index files:

Sep  3 09:48:24 saga kernel: audit(1157298504.254:77): avc:  denied  { write }
for  pid=21352 comm="sh" name="_export_home1" dev=dm-2 ino=111289
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:48:24 saga kernel: audit(1157298504.254:78): avc:  denied  { add_name
} for  pid=21352 comm="sh" name="20060901_0"
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:48:38 saga kernel: audit(1157298518.341:80): avc:  denied  { write }
for  pid=21352 comm="sort" name="20060901_0" dev=dm-2 ino=111367
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file

amanda keeps compressed index files in
/var/lib/amanda/<BackupSet>/index/<host>/<disk>.  The index server uncompresses
them into that directory as well (apparently).  Looks like the file context rule
needs a wildcard for the <BackupSet>:

/var/lib/amanda/index      gen_context(system_u:object_r:amanda_data_t,s0)

should be something like

/var/lib/amanda/.*/index      gen_context(system_u:object_r:amanda_data_t,s0)


#2 - tape server log file

Sep  3 09:50:53 saga kernel: audit(1157298653.964:85): avc:  denied  { append }
for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file
Sep  3 10:05:06 saga kernel: audit(1157299506.722:92): avc:  denied  {
remove_name } for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 10:05:06 saga kernel: audit(1157299506.726:93): avc:  denied  { unlink }
for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file

The tape server (started from xinetd) writes a log file to
/var/lib/amanda/<BackupSet>/log, same as the normal runs, partially as a lock file.

It also seems to write an info file:

Sep  5 09:38:41 saga kernel: audit(1157470721.476:113): avc:  denied  { write }
for  pid=14700 comm="amidxtaped" name="info" dev=dm-0 ino=32048
scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:default_t:s0
tclass=file

into whatever directory is specified in amanda.conf as the tape device using the
file driver, e.g.:

tapedev "file:/export/amanda/Data"

I suppose I need to label this directory as amanda_data_t?


#3 - disk changer script:

Sep  3 09:50:54 saga kernel: audit(1157298654.084:86): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="Data" dev=dm-0 ino=80093
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_config_t:s0 tclass=dir
Sep  3 09:50:54 saga kernel: audit(1157298654.084:87): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="changer.conf-access" dev=dm-0 ino=80275
scontext=system_u:system_r:amanda_t:s0
tcontext=user_u:object_r:amanda_config_t:s0 tclass=file
Sep  3 09:50:54 saga kernel: audit(1157298654.084:88): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="changer.conf-clean" dev=dm-0 ino=85549
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_config_t:s0 tclass=file

The disk changer script manages configuration files in a location specified in
amanda.conf.  Unfortunately, this could be anywhere, but
/var/lib/amanda/<BackupSet>/ seems to be a good location.


#4 - also, this context:

/var/lib/amanda/disklist    --    gen_context(system_u:object_r:amanda_data_t,s0)

seems wrong.  disklist is usually at /etc/amanda/<BackupSet>/disklist.  Also,
it's read only, so I think the current rule for /etc/amanda works and this can
be removed.
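An added example, not part of the report above and not the Fedora policy's own code: it parses AVC denials of the kind quoted in issue #1 into (domain, target type, class, permission) tuples, and models how a file_contexts lookup labels the index paths under the current entry, under the `/var/lib/amanda/.*/index` entry proposed in the report, and under a `(/.*)?` variant. The spec lists, the backup set name `Daily` and the `(/.*)?` variant are assumptions made for the illustration; the sample AVC lines are constructed copies of two denials from the report. The check it makes visible is that file_contexts regexes are anchored at both ends, so the proposed pattern labels the `index` directory itself but not the `<host>/<disk>` files beneath it that the denials are about, which is why the subtree form is modelled as well.

```python
import re
from collections import Counter

# Constructed copies of two of the AVC denials quoted in the report, re-joined
# onto one line each (the bug text wraps them).  Sample input, not live audit data.
SAMPLE_AVCS = [
    'audit(1157298504.254:77): avc:  denied  { write } for  pid=21352 comm="sh" '
    'name="_export_home1" dev=dm-2 ino=111289 '
    'scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir',
    'audit(1157298653.964:85): avc:  denied  { append } for  pid=21557 comm="amidxtaped" '
    'name="log" dev=dm-2 ino=111948 '
    'scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Pull the fields that matter for a policy decision out of one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    name = re.search(r'name="([^"]*)"', line)
    return {
        "perms": m.group("perms").split(),
        "comm": comm.group(1) if comm else None,
        "name": name.group(1) if name else None,
        "stype": m.group("scontext").split(":")[2],   # source domain, e.g. amanda_t
        "ttype": m.group("tcontext").split(":")[2],   # target file type, e.g. var_lib_t
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Count denials by (domain, target type, class, permission).

    That tuple is the shape an allow rule would take; when the target type is a
    generic one such as var_lib_t, the right fix is usually a file-context entry
    that gives the path its own type, not a rule letting amanda_t write to all of
    /var/lib."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            counts[(d["stype"], d["ttype"], d["tclass"], perm)] += 1
    return counts


def match_fcontext(path, specs):
    """Model a file_contexts lookup: every regex is anchored at both ends and,
    with entries ordered generic-to-specific, the last matching entry wins."""
    label = None
    for regex, ctx_type in specs:
        if re.fullmatch(regex, path):
            label = ctx_type
    return label


# Constructed spec lists (assumption).  BASE is the base-policy entry that gives
# /var/lib its default type; the amanda entry is shown as quoted in the report,
# as proposed in the report, and as a variant that also covers the subtree.
BASE = ("/var/lib(/.*)?", "var_lib_t")
OLD_SPECS = [BASE, ("/var/lib/amanda/index", "amanda_data_t")]
PROPOSED_SPECS = [BASE, ("/var/lib/amanda/.*/index", "amanda_data_t")]
SUBTREE_SPECS = [BASE, ("/var/lib/amanda/.*/index(/.*)?", "amanda_data_t")]

INDEX_DIR = "/var/lib/amanda/Daily/index"            # <BackupSet> = Daily (constructed)
INDEX_FILE = INDEX_DIR + "/saga/_export_home1/20060901_0"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVCS).items():
        print(n, key)
    for tag, specs in (("old", OLD_SPECS), ("proposed", PROPOSED_SPECS), ("subtree", SUBTREE_SPECS)):
        print(tag, match_fcontext(INDEX_DIR, specs), match_fcontext(INDEX_FILE, specs))
```

Run as a script it prints the denial summary and the label each spec list gives the index directory and a file below it; the old list leaves both as var_lib_t, the proposed list labels only the directory, and the subtree list labels both amanda_data_t. After changing the policy's entries the on-disk labels still have to be refreshed (restorecon on /var/lib/amanda) before the denials stop.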
Comment 1 Daniel Walsh 2006-09-18 15:01:53 EDT
Fixed in selinux-policy-2.3.14-4
Comment 2 Orion Poplawski 2006-10-26 13:27:02 EDT
Any chance we'll see this in FC5 soon?  Thanks!
Comment 3 Daniel Walsh 2007-03-28 16:04:06 EDT
Closing bugs