Bug 498596 - selinux-policy-targeted blocking amanda client operation
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: i386 Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Depends On: 450530
Reported: 2009-05-01 08:17 EDT by Daniel Walsh
Modified: 2012-10-16 07:42 EDT
Doc Type: Bug Fix
Clone Of: 450530
Last Closed: 2009-09-02 04:00:16 EDT

External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2009:1242
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2009-09-01 04:32:34 EDT

Description Daniel Walsh 2009-05-01 08:17:04 EDT
+++ This bug was initially created as a clone of Bug #450530 +++

Description of problem:

setroubleshoot browser reported the following problem on a system being backed
up by amanda:


SELinux is preventing killpgrp (amanda_t) "signal" to <Unknown> (fsadm_t).

Detailed Description:

SELinux denied access requested by killpgrp. It is not expected that this access
is required by killpgrp and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:amanda_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fsadm_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        killpgrp
Source Path                   /usr/lib/amanda/killpgrp
Port                          <Unknown>
Host                          jupiter.acf.aquezada.com
Source RPM Packages           amanda-client-2.5.2p1-10.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jupiter.acf.aquezada.com
Platform                      Linux jupiter.acf.aquezada.com
                     #1 SMP Wed May 21 18:12:35
                              EDT 2008 i686 i686
Alert Count                   18
First Seen                    Mon 09 Jun 2008 12:45:05 AM EDT
Last Seen                     Mon 09 Jun 2008 12:46:25 AM EDT
Local ID                      e10f986a-ce2b-4c0c-8dc6-04530a332fde
Line Numbers                  

Raw Audit Messages            

host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc: 
denied  { signal } for  pid=5853 comm="killpgrp"
tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process

host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44):
arch=40000003 syscall=37 success=yes exit=0 a0=ffffe923 a1=f a2=b7f8d2ac
a3=ffffe923 items=0 ppid=5843 pid=5853 auid=4294967295 uid=0 gid=6 euid=0 suid=0
fsuid=0 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="killpgrp"
exe="/usr/lib/amanda/killpgrp" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):


How reproducible: Always

Steps to Reproduce:
1. Configure a F9 system as an amanda client
2. Run a backup
3. Watch errors occur

Additional info:

There's no indication that the backup did not complete correctly despite this
not working. The server does not report any of these errors.

--- Additional comment from dwalsh@redhat.com on 2008-06-10 15:05:12 EDT ---

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch

--- Additional comment from dwalsh@redhat.com on 2008-11-17 17:04:30 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

--- Additional comment from tibbs@math.uh.edu on 2009-04-30 19:17:11 EDT ---

Just FYI, the same issue is present in CentOS 5.3 and, I presume, RHEL 5.3.  No support so I can't expect a fix, but I figured I'd note it here in case anyone searches.  The fix in comment #1 works fine.

Comment 1 Daniel Walsh 2009-05-01 08:18:42 EDT
Fixed in selinux-policy-2.4.6-230.el5

Comment 7 errata-xmlrpc 2009-09-02 04:00:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
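
What the audit2allow workaround in the description ends up granting can be checked by hand before the module is loaded. The following is an added example, not part of the original report or of audit2allow: it pairs the quoted AVC and SYSCALL records by audit event id, derives the allow rule, and decodes the kill() arguments. Function names are illustrative, and the sample input is constructed from the (abridged) raw audit messages quoted above.

```python
import re

# Constructed input: the two raw audit records quoted in the report, each
# joined onto one line, host= prefix dropped, SYSCALL fields abridged.
SAMPLE = (
    'type=AVC msg=audit(1212986785.720:44): avc:  denied  { signal } for  '
    'pid=5853 comm="killpgrp" '
    'tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process\n'
    'type=SYSCALL msg=audit(1212986785.720:44): arch=40000003 syscall=37 '
    'success=yes exit=0 a0=ffffe923 a1=f pid=5853 comm="killpgrp" '
    'subj=system_u:system_r:amanda_t:s0-s0:c0.c1023\n'
)
HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id -> {record type: {field: value}}."""
    events = {}
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rest = line[head.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        denied = re.search(r'denied\s+\{([^}]*)\}', rest)
        fields['perms'] = denied.group(1).split() if denied else []
        events.setdefault(head.group(2), {})[head.group(1)] = fields
    return events

def allow_rules(events):
    """One allow rule per denial, as a reviewer would expect in the .te file."""
    rules = set()
    for rec in events.values():
        avc, sc = rec.get('AVC', {}), rec.get('SYSCALL', {})
        # scontext is absent from the AVC record as quoted; use SYSCALL subj=.
        src, tgt = avc.get('scontext') or sc.get('subj'), avc.get('tcontext')
        if not (avc.get('perms') and src and tgt):
            continue
        p = ('%s' if len(avc['perms']) == 1 else '{ %s }') % ' '.join(avc['perms'])
        rules.add('allow %s %s:%s %s;' % (src.split(':')[2],
                                           tgt.split(':')[2], avc['tclass'], p))
    return sorted(rules)

def decode_kill(sc):
    """arch=40000003 (i386) syscall 37 is kill(pid, sig); args are hex."""
    if (sc.get('arch'), sc.get('syscall')) != ('40000003', '37'):
        return None
    pid = int(sc['a0'], 16)
    return (pid - (1 << 32) if pid >= 1 << 31 else pid), int(sc['a1'], 16)
```

For the quoted event this gives the single rule "allow amanda_t fsadm_t:process signal;" and the call kill(-5853, 15), that is SIGTERM sent to process group 5853, which is killpgrp's own pid. Since -l -i /var/log/audit/audit.log feeds audit2allow every denial logged since the last policy reload, compare the generated mypol.te against this one expected rule before running semodule.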

