+++ This bug was initially created as a clone of Bug #450530 +++

Description of problem:

setroubleshoot browser reported the following problem on a system being backed up by amanda:

Summary:

SELinux is preventing killpgrp (amanda_t) "signal" to <Unknown> (fsadm_t).

Detailed Description:

SELinux denied access requested by killpgrp. It is not expected that this access is required by killpgrp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:amanda_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fsadm_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        killpgrp
Source Path                   /usr/lib/amanda/killpgrp
Port                          <Unknown>
Host                          jupiter.acf.aquezada.com
Source RPM Packages           amanda-client-2.5.2p1-10.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jupiter.acf.aquezada.com
Platform                      Linux jupiter.acf.aquezada.com 2.6.25.4-30.fc9.i686 #1 SMP Wed May 21 18:12:35 EDT 2008 i686 i686
Alert Count                   18
First Seen                    Mon 09 Jun 2008 12:45:05 AM EDT
Last Seen                     Mon 09 Jun 2008 12:46:25 AM EDT
Local ID                      e10f986a-ce2b-4c0c-8dc6-04530a332fde
Line Numbers

Raw Audit Messages

host=jupiter.acf.aquezada.com type=AVC msg=audit(1212986785.720:44): avc: denied { signal } for pid=5853 comm="killpgrp" scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process

host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1212986785.720:44): arch=40000003 syscall=37 success=yes exit=0 a0=ffffe923 a1=f a2=b7f8d2ac a3=ffffe923 items=0 ppid=5843 pid=5853 auid=4294967295 uid=0 gid=6 euid=0 suid=0 fsuid=0 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="killpgrp" exe="/usr/lib/amanda/killpgrp" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

amanda-client-2.5.2p1-10.fc9.i386
selinux-policy-targeted-3.3.1-55.fc9.noarch
selinux-policy-3.3.1-55.fc9.noarch

How reproducible:

Always

Steps to Reproduce:
1. Configure a F9 system as an amanda client
2. Run a backup
3. Watch errors occur

Additional info:

There's no indication that the backup did not complete correctly despite this not working. The server does not report any of these errors.

--- Additional comment from dwalsh on 2008-06-10 15:05:12 EDT ---

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch

--- Additional comment from dwalsh on 2008-11-17 17:04:30 EDT ---

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.

--- Additional comment from tibbs.edu on 2009-04-30 19:17:11 EDT ---

Just FYI, the same issue is present in CentOS 5.3 and, I presume, RHEL 5.3. No support so I can't expect a fix, but I figured I'd note it here in case anyone searches. The fix in comment #1 works fine.

Fixed in selinux-policy-2.4.6-230.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
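
The audit2allow workaround in the first dwalsh comment builds its module from every denial logged since the last policy load, so it helps to see which allow rules that covers before loading the module. The sketch below is an added example, not part of the bug report and not audit2allow's own code: it derives allow rules from AVC records and can restrict them to one source domain. The first sample record is the one from the report (host= prefix dropped); the second record with its example_t types is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Record 1: AVC denial from the report. Record 2: constructed, unrelated denial.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1212986785.720:44): avc: denied { signal } for pid=5853 '
    'comm="killpgrp" scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tclass=process\n'
    'type=AVC msg=audit(1212986790.000:45): avc: denied { read write } for pid=6000 '
    'comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:example_file_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]

def denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no avc: denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped

def allow_rules(audit_text, source_type=None):
    """Return allow rules for the denials, optionally for one source domain only."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials(audit_text).items()):
        if source_type and src != source_type:
            continue
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("all denials in the log:", *allow_rules(SAMPLE_AUDIT), sep="\n  ")
    print("amanda_t only:", *allow_rules(SAMPLE_AUDIT, "amanda_t"), sep="\n  ")
```

audit2allow -M also writes mypol.te next to mypol.pp; reading that file before running semodule -i serves the same purpose.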