Bug 240926 - need rules for amrecover operations
Summary: need rules for amrecover operations
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-05-22 22:59 UTC by Orion Poplawski
Modified: 2007-11-30 22:12 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-09-10 19:06:50 UTC

Description Orion Poplawski 2007-05-22 22:59:59 UTC
Description of problem:

When running amrecover I get the following avc denials on the server.  The
server is running amanda 2.5.2 which is not yet in Fedora, but should be someday.

May 21 09:58:10 saga kernel: audit(1179763090.581:14): avc:  denied  { write } for  pid=32275 comm="amindexd" name="_var_lib_mysql" dev=dm-2 ino=223 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 09:58:10 saga kernel: audit(1179763090.583:15): avc:  denied  { add_name } for  pid=32275 comm="amindexd" name="20070518210003_1" scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 09:58:10 saga kernel: audit(1179763090.583:16): avc:  denied  { create } for  pid=32275 comm="amindexd" name="20070518210003_1" scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file
May 21 09:58:10 saga kernel: audit(1179763090.647:17): avc:  denied  { write } for  pid=32470 comm="sort" name="20070518210003_1" dev=dm-2 ino=92 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file
May 21 09:59:41 saga kernel: audit(1179763181.668:18): avc:  denied  { create } for  pid=32542 comm="amidxtaped" name="log" scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_data_t:s0 tclass=file
May 21 09:59:41 saga kernel: audit(1179763181.680:19): avc:  denied  { append } for  pid=32542 comm="amidxtaped" name="log" dev=dm-2 ino=111199 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_data_t:s0 tclass=file
May 21 09:59:44 saga kernel: audit(1179763184.880:20): avc:  denied  { unlink } for  pid=32542 comm="amidxtaped" name="log" dev=dm-2 ino=111199 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_data_t:s0 tclass=file
May 21 10:07:51 saga kernel: audit(1179763671.399:21): avc:  denied  { write } for  pid=32275 comm="amindexd" name="_var_lib_mysql" dev=dm-2 ino=223 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 10:07:51 saga kernel: audit(1179763671.399:22): avc:  denied  { remove_name } for  pid=32275 comm="amindexd" name="20070514210004_1" dev=dm-2 ino=231 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 10:07:51 saga kernel: audit(1179763671.399:23): avc:  denied  { unlink } for  pid=32275 comm="amindexd" name="20070514210004_1" dev=dm-2 ino=231 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file

Basically the index server (amindexd) uncompresses indexes in
/var/lib/amanda/<BackupSet>/index/<host>/<path>/ and the tape server
(amidxtaped) writes a log file in /var/lib/amanda/<BackupSet>/ just like the
regular amdump programs.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-62.fc6
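
Added example (not part of the original report and not selinux-policy code): a Python script that groups AVC denials like those in the description by source type, target type and object class, and prints candidate allow rules annotated with the commands that triggered them. The output is only what the denials imply, not the change shipped in selinux-policy-2.4.6-88.fc6; the names AVC, SAMPLE and candidate_rules are assumptions of this example.

```python
import re
from collections import defaultdict

# Five denial records from the report, hard-wrapped to show wrapped input is handled.
SAMPLE = """\
May 21 09:58:10 saga kernel: audit(1179763090.581:14): avc:  denied  { write }
for  pid=32275 comm="amindexd" name="_var_lib_mysql" dev=dm-2 ino=223
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 09:58:10 saga kernel: audit(1179763090.583:15): avc:  denied  { add_name
} for  pid=32275 comm="amindexd" name="20070518210003_1"
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
May 21 09:58:10 saga kernel: audit(1179763090.583:16): avc:  denied  { create }
for  pid=32275 comm="amindexd" name="20070518210003_1"
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file
May 21 09:58:10 saga kernel: audit(1179763090.647:17): avc:  denied  { write }
for  pid=32470 comm="sort" name="20070518210003_1" dev=dm-2 ino=92
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file
May 21 09:59:41 saga kernel: audit(1179763181.680:19): avc:  denied  { append }
for  pid=32542 comm="amidxtaped" name="log" dev=dm-2 ino=111199
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_data_t:s0 tclass=file
"""

AVC = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)')

def candidate_rules(text):
    """Group denials by (source type, target type, class) into allow rules."""
    perms, comms = defaultdict(set), defaultdict(set)
    # Collapse the line wrapping, then cut at each "audit(" record marker.
    for rec in re.split(r'(?=audit\()', " ".join(text.split())):
        m = AVC.search(rec)
        if not m:
            continue
        # An SELinux context is user:role:type[:level]; rules use the type.
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        perms[key].update(m["perms"].split())
        comms[key].add(m["comm"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms[s, t, c]))} }};"
            f"  # {', '.join(sorted(comms[s, t, c]))}"
            for s, t, c in sorted(perms)]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

Each candidate rule needs review before it goes into policy, because a denial records what a process attempted, not what its domain should be permitted to do.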

Comment 1 Daniel Walsh 2007-09-10 14:25:40 UTC
Fixed in selinux-policy-2.4.6-88.fc6

Comment 2 Orion Poplawski 2007-09-10 19:06:50 UTC
I'm resolving because I've moved on to Fedora 7 and this works for me there. 
Thanks!