Bug 498596 - selinux-policy-targeted blocking amanda client operation
Summary: selinux-policy-targeted blocking amanda client operation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.4
Hardware: i386
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On: 450530
Blocks:
Reported: 2009-05-01 12:17 UTC by Daniel Walsh
Modified: 2012-10-16 11:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 450530
Environment:
Last Closed: 2009-09-02 08:00:16 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2009:1242
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2009-09-01 08:32:34 UTC

Description Daniel Walsh 2009-05-01 12:17:04 UTC
+++ This bug was initially created as a clone of Bug #450530 +++

Description of problem:

setroubleshoot browser reported the following problem on a system being backed
up by amanda:

Summary:

SELinux is preventing killpgrp (amanda_t) "signal" to <Unknown> (fsadm_t).

Detailed Description:

SELinux denied access requested by killpgrp. It is not expected that this access
is required by killpgrp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:amanda_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fsadm_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        killpgrp
Source Path                   /usr/lib/amanda/killpgrp
Port                          <Unknown>
Host                          jupiter.acf.aquezada.com
Source RPM Packages           amanda-client-2.5.2p1-10.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jupiter.acf.aquezada.com
Platform                      Linux jupiter.acf.aquezada.com
                              2.6.25.4-30.fc9.i686 #1 SMP Wed May 21 18:12:35
                              EDT 2008 i686 i686
Alert Count                   18
First Seen                    Mon 09 Jun 2008 12:45:05 AM EDT
Last Seen                     Mon 09 Jun 2008 12:46:25 AM EDT
Local ID                      e10f986a-ce2b-4c0c-8dc6-04530a332fde
Line Numbers                  

Raw Audit Messages            

host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc: 
denied  { signal } for  pid=5853 comm="killpgrp"
scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023
tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process

host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44):
arch=40000003 syscall=37 success=yes exit=0 a0=ffffe923 a1=f a2=b7f8d2ac
a3=ffffe923 items=0 ppid=5843 pid=5853 auid=4294967295 uid=0 gid=6 euid=0 suid=0
fsuid=0 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="killpgrp"
exe="/usr/lib/amanda/killpgrp" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023
key=(null)

Version-Release number of selected component (if applicable):

amanda-client-2.5.2p1-10.fc9.i386
selinux-policy-targeted-3.3.1-55.fc9.noarch
selinux-policy-3.3.1-55.fc9.noarch

How reproducible: Always

Steps to Reproduce:
1. Configure a F9 system as an amanda client
2. Run a backup
3. Watch errors occur
  
Additional info:

There's no indication that the backup did not complete correctly despite this
not working. The server does not report any of these errors.

--- Additional comment from dwalsh on 2008-06-10 15:05:12 EDT ---

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch

--- Additional comment from dwalsh on 2008-11-17 17:04:30 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

--- Additional comment from tibbs.edu on 2009-04-30 19:17:11 EDT ---

Just FYI, the same issue is present in CentOS 5.3 and, I presume, RHEL 5.3.  No support so I can't expect a fix, but I figured I'd note it here in case anyone searches.  The fix in comment #1 works fine.
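
The local-module workaround given in the comments above, as an added example (not code from the bug report or from audit2allow): this Python sketch parses the report's AVC record and renders the type-enforcement rule a local module for it would carry, so the grant can be read before `semodule -i` loads it. Function names and the module layout are assumptions; the sample log is constructed from the audit records quoted in the description, with the SYSCALL record abridged.

```python
import re
from collections import defaultdict
# AVC record from the report joined onto one line, plus its SYSCALL record
# abridged to one field (constructed sample; non-AVC lines must be skipped).
SAMPLE_LOG = (
    'host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc:  '
    'denied  { signal } for  pid=5853 comm="killpgrp" '
    'scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process\n'
    'host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44): syscall=37\n'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def perm_list(perms):
    """One permission is written bare, several are wrapped in braces."""
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"

def render_module(name, denials):
    """Render type-enforcement source in the shape of a local policy module."""
    types = sorted({x for s, t, _ in denials for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {perm_list(p)};"
                        for (s, t, c), p in sorted(denials.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("mypol", collect_denials(SAMPLE_LOG)))
```

For the record in this report the rendered module contains the single rule `allow amanda_t fsadm_t:process signal;`.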

Comment 1 Daniel Walsh 2009-05-01 12:18:42 UTC
Fixed in selinux-policy-2.4.6-230.el5

Comment 7 errata-xmlrpc 2009-09-02 08:00:16 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html

