Bug 450530 - selinux-policy-targeted blocking amanda client operation
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
Blocks: 498596
Reported: 2008-06-09 08:31 EDT by Julian C. Dunn
Modified: 2009-05-01 08:25 EDT
Doc Type: Bug Fix
Clone Of:
: 498596
Last Closed: 2008-11-17 17:04:30 EST
Description Julian C. Dunn 2008-06-09 08:31:32 EDT
Description of problem:

setroubleshoot browser reported the following problem on a system being backed
up by amanda:


SELinux is preventing killpgrp (amanda_t) "signal" to <Unknown> (fsadm_t).

Detailed Description:

SELinux denied access requested by killpgrp. It is not expected that this access
is required by killpgrp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:amanda_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fsadm_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        killpgrp
Source Path                   /usr/lib/amanda/killpgrp
Port                          <Unknown>
Host                          jupiter.acf.aquezada.com
Source RPM Packages           amanda-client-2.5.2p1-10.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jupiter.acf.aquezada.com
Platform                      Linux jupiter.acf.aquezada.com
                     #1 SMP Wed May 21 18:12:35
                              EDT 2008 i686 i686
Alert Count                   18
First Seen                    Mon 09 Jun 2008 12:45:05 AM EDT
Last Seen                     Mon 09 Jun 2008 12:46:25 AM EDT
Local ID                      e10f986a-ce2b-4c0c-8dc6-04530a332fde
Line Numbers                  

Raw Audit Messages            

host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc: 
denied  { signal } for  pid=5853 comm="killpgrp"
tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process

host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44):
arch=40000003 syscall=37 success=yes exit=0 a0=ffffe923 a1=f a2=b7f8d2ac
a3=ffffe923 items=0 ppid=5843 pid=5853 auid=4294967295 uid=0 gid=6 euid=0 suid=0
fsuid=0 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="killpgrp"
exe="/usr/lib/amanda/killpgrp" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):


How reproducible: Always

Steps to Reproduce:
1. Configure a F9 system as an amanda client
2. Run a backup
3. Watch errors occur
Additional info:

There's no indication that the backup did not complete correctly despite this
not working. The server does not report any of these errors.
Comment 1 Daniel Walsh 2008-06-10 15:05:12 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch
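
Added example (not part of the bug report, and not audit2allow's own code): before loading a module built from the audit log, it is worth seeing exactly which rule the logged denial turns into. This Python script pairs the AVC and SYSCALL records by audit event ID, takes the source type from the SYSCALL record's subj= when the AVC line carries no scontext (as in the records quoted above), and prints the resulting allow rule. The function names se_type and denied_rules are hypothetical, and the sample is constructed from the report's two records.

```python
import re

# Constructed sample: the report's two wrapped records joined onto single lines,
# with some SYSCALL fields dropped for brevity.
SAMPLE = [
    'host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc: '
    'denied  { signal } for  pid=5853 comm="killpgrp" '
    'tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process',
    'host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44): '
    'arch=40000003 syscall=37 success=yes exit=0 pid=5853 comm="killpgrp" '
    'exe="/usr/lib/amanda/killpgrp" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023',
]
EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def denied_rules(lines):
    """Group records by audit event ID and return the allow rules they imply."""
    events = {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        rec_type, event_id = m.groups()
        ev = events.setdefault(event_id, {'perms': set()})
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rec_type == 'AVC':
            perms = PERMS.search(line)
            ev['perms'].update(perms.group(1).split() if perms else [])
            ev.update({k: fields[k] for k in ('scontext', 'tcontext', 'tclass') if k in fields})
        elif rec_type == 'SYSCALL' and 'subj' in fields:
            ev['subj'] = fields['subj']  # fallback source context
    rules = set()  # repeated alerts for the same denial collapse to one rule
    for ev in events.values():
        src = se_type(ev.get('scontext') or ev.get('subj') or '')
        tgt = se_type(ev.get('tcontext', ''))
        if src and tgt and ev['perms'] and 'tclass' in ev:
            perms = sorted(ev['perms'])
            body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
            rules.add(f"allow {src} {tgt}:{ev['tclass']} {body};")
    return sorted(rules)

if __name__ == '__main__':
    print('\n'.join(denied_rules(SAMPLE)))
```

A rule that names types or permissions beyond the denial being worked around is a sign the log contains other events that should be reviewed before the module is installed.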
Comment 2 Daniel Walsh 2008-11-17 17:04:30 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Comment 3 Jason Tibbitts 2009-04-30 19:17:11 EDT
Just FYI, the same issue is present in CentOS 5.3 and, I presume, RHEL 5.3.  No support so I can't expect a fix, but I figured I'd note it here in case anyone searches.  The fix in comment #1 works fine.
Comment 4 Daniel Walsh 2009-05-01 08:25:17 EDT
Thanks Jason. If you see something like this that exists in RHEL5 or CentOS, please do report it. Even though you do not have a support contract, you are contributing to Open Source.