Bug 965140 - amandad runs as init_t when amanda.socket is active
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1004161
 
Reported: 2013-05-20 13:46 UTC by Milos Malik
Modified: 2014-06-18 02:21 UTC
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:27:36 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2013-05-20 13:46:36 UTC
Description of problem:


Version-Release number of selected component (if applicable):
amanda-3.3.3-1.el7.x86_64
amanda-client-3.3.3-1.el7.x86_64
amanda-server-3.3.3-1.el7.x86_64
selinux-policy-3.12.1-44.el7.noarch
selinux-policy-devel-3.12.1-44.el7.noarch
selinux-policy-doc-3.12.1-44.el7.noarch
selinux-policy-minimum-3.12.1-44.el7.noarch
selinux-policy-mls-3.12.1-44.el7.noarch
selinux-policy-targeted-3.12.1-44.el7.noarch

How reproducible:
always

Steps to Reproduce:
# systemctl enable amanda.socket
ln -s '/usr/lib/systemd/system/amanda.socket' '/etc/systemd/system/sockets.target.wants/amanda.socket'
# systemctl start amanda.socket
# systemctl status amanda.socket
amanda.socket - Amanda Activation Socket
       Loaded: loaded (/usr/lib/systemd/system/amanda.socket; enabled)
       Active: active (listening) since Mon 2013-05-20 15:40:02 CEST; 3s ago
       Listen: [::]:10080 (Stream)
     Accepted: 0; Connected: 0

May 20 15:40:02 rhel7 systemd[1]: Listening on Amanda Activation Socket.

# nc 127.0.0.1 10080 &
[1] 16109
# 

[1]+  Stopped                 nc 127.0.0.1 10080
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda
# fg
nc 127.0.0.1 10080
^C
#

Actual results:
 * amandad runs as init_t

Expected results:
 * amandad runs as amanda_t (or another amanda* domain)
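
The check the reproducer above does by eye (trigger the socket, then read the context column of `ps -efZ`), written out as an added example; this is not code from the bug report, amanda or selinux-policy. It parses `ps -efZ` output and flags every child of PID 1 that is still running in init_t, which is exactly the symptom here: systemd executed the service binary and no type_transition fired. SAMPLE_PS is constructed from the `ps -efZ` lines quoted in this report plus an assumed PID 1 line; PID 1 itself is legitimately init_t and is excluded.

```python
"""Flag socket-activated daemons that never left systemd's SELinux domain.

Added example for this bug report; not a tool from amanda or selinux-policy.
SAMPLE_PS is constructed from the `ps -efZ` lines quoted in the report plus an
assumed PID 1 line.
"""
from __future__ import annotations

import sys
from typing import NamedTuple

# `ps -efZ` prints: LABEL UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)
PS_COLUMNS = 9

SAMPLE_PS = """\
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 15:30 ?        00:00:01 /usr/lib/systemd/systemd --system --deserialize 22
system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda
"""


class Proc(NamedTuple):
    context: str
    user: str
    pid: int
    ppid: int
    cmd: str

    @property
    def domain(self) -> str:
        """Type field of user:role:type[:range]."""
        return self.context.split(":")[2]


def parse_ps_efz(output: str) -> list[Proc]:
    """Parse `ps -efZ` text; the header line and malformed lines are skipped."""
    procs: list[Proc] = []
    for line in output.splitlines():
        parts = line.split(None, PS_COLUMNS - 1)
        if len(parts) < PS_COLUMNS or parts[0] == "LABEL":
            continue
        context, user, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        if not (pid.isdigit() and ppid.isdigit()):
            continue
        procs.append(Proc(context, user, int(pid), int(ppid), cmd))
    return procs


def find_untransitioned(
    procs: list[Proc], bad_domains: frozenset[str] = frozenset({"init_t"})
) -> list[Proc]:
    """Children of PID 1 that are still running in one of bad_domains.

    systemd itself runs as init_t, so PID 1 is excluded. A service forked by
    PID 1 that is still init_t was exec'd without a type_transition from
    init_t on its executable's file type.
    """
    return [p for p in procs if p.ppid == 1 and p.pid != 1 and p.domain in bad_domains]


def main() -> int:
    # Read live `ps -efZ` output from a pipe, otherwise demonstrate on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    offenders = find_untransitioned(parse_ps_efz(text))
    for p in offenders:
        print(f"pid {p.pid} ({p.user}) runs as {p.domain}: {p.cmd}")
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a live box with `ps -efZ | python3 check_init_t.py`; a non-zero exit means at least one daemon is stuck in init_t. With setools installed, `sesearch -T -s init_t -t amanda_exec_t -c process` then shows whether the loaded policy even contains the transition that should have moved amandad into amanda_t.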

Comment 1 Miroslav Grepl 2013-05-20 14:14:02 UTC
We need more fixes to add systemd support for amanda.

Comment 2 Miroslav Grepl 2013-05-20 15:04:28 UTC
Added.

commit a8eedc8fa948f3e6d58c688a99b34fe3bf57c516
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 20 17:04:04 2013 +0200

    Add systemd support for amandad

Comment 3 Milos Malik 2013-06-05 10:34:22 UTC
The following AVC appears on my machine when the prelink cronjob is running:
----
type=PATH msg=audit(06/05/2013 03:46:46.113:456973) : item=0 name=chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 03:46:46.113:456973) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 03:46:46.113:456973) : arch=x86_64 syscall=newfstatat success=no exit=-13(Permission denied) a0=4 a1=0x1ddad8b a2=0x7fff14bd9b60 a3=0x100 items=1 ppid=18628 pid=18637 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=3484 tty=(none) comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc:  denied  { getattr } for  pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----

Comment 4 Milos Malik 2013-06-05 14:26:00 UTC
amanda_exec_t is a "how dare you touch me" type :-) Even the following command executed by root triggers an AVC:

# matchpathcon /usr/lib64/amanda/chg-lib.sh
/usr/lib64/amanda/chg-lib.sh	system_u:object_r:amanda_exec_t:s0
#

----
type=PATH msg=audit(06/05/2013 16:20:57.504:1047) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:57.504:1047) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 16:20:57.504:1047) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fb78009d870 a1=0x7fb788084d00 a2=0x7fb788084d00 a3=0x62696c2f7273752f items=1 ppid=1 pid=2564 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=setroubleshootd exe=/usr/bin/python2.7 subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:57.504:1047) : avc:  denied  { getattr } for  pid=2564 comm=setroubleshootd path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----

Comment 5 Milos Malik 2013-06-05 14:28:29 UTC
----
type=PATH msg=audit(06/05/2013 16:20:53.742:1043) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:53.742:1043) :  cwd=/root 
type=SYSCALL msg=audit(06/05/2013 16:20:53.742:1043) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7fff2440f315 a1=0x7fff2440d860 a2=0x7fff2440d860 a3=0x1 items=1 ppid=17219 pid=2557 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=7 tty=pts0 comm=matchpathcon exe=/usr/sbin/matchpathcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:53.742:1043) : avc:  denied  { getattr } for  pid=2557 comm=matchpathcon path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----
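
The three denials above all have the same shape: a confined domain, and even unconfined_t, is refused getattr on a file labelled amanda_exec_t. As an added example, not part of this report or of selinux-policy, the script below parses such audit records and folds them into the allow rules they imply, which is what audit2allow would emit and what a maintainer wants to see at a glance. SAMPLE_AUDIT is constructed from the records in comments 3 to 5 (one PATH record is kept to show that non-AVC lines are skipped). Whether to grant those rules in a local module or, as here, report them against the base policy is a separate decision.

```python
"""Reduce raw audit AVC records to the allow rules they imply.

Added example for this bug report; not a tool from selinux-policy or audit.
SAMPLE_AUDIT is constructed from the `ausearch -i` style records quoted in
comments 3 to 5; the PATH record is there to show non-AVC lines are ignored.
"""
from __future__ import annotations

import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT = """\
type=PATH msg=audit(06/05/2013 03:46:46.113:456973) : item=0 name=chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc:  denied  { getattr } for  pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(06/05/2013 16:20:57.504:1047) : avc:  denied  { getattr } for  pid=2564 comm=setroubleshootd path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(06/05/2013 16:20:53.742:1043) : avc:  denied  { getattr } for  pid=2557 comm=matchpathcon path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
"""


def parse_avc(record: str) -> dict | None:
    """Return the interesting fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        "stype": kv["scontext"].split(":")[2],  # source domain (type of the process)
        "ttype": kv["tcontext"].split(":")[2],  # target type (label on the object)
        "tclass": kv["tclass"],
    }


def summarise(records) -> dict[tuple[str, str, str], frozenset[str]]:
    """Union the denied permissions per (source type, target type, object class)."""
    rules: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for rec in records:
        d = parse_avc(rec)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: frozenset(v) for k, v in rules.items()}


def to_te(rules: dict[tuple[str, str, str], frozenset[str]]) -> list[str]:
    """Render the summary as .te allow rules, sorted so the output is stable."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    print("\n".join(to_te(summarise(text.splitlines()))))
```

Feed it real records with `ausearch -m AVC -i -ts recent | python3 avc_summary.py`. Three distinct source types against one target type and one permission, as here, is the signature of an over-tight file type rather than three misbehaving programs, which is why the report goes to the policy maintainers rather than into three local modules.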

Comment 6 Miroslav Grepl 2013-06-10 11:59:28 UTC
# rpm -q selinux-policy

Comment 7 Milos Malik 2013-06-10 12:02:28 UTC
selinux-policy-devel-3.12.1-48.el7.noarch
selinux-policy-doc-3.12.1-48.el7.noarch
selinux-policy-minimum-3.12.1-48.el7.noarch
selinux-policy-3.12.1-48.el7.noarch
selinux-policy-targeted-3.12.1-48.el7.noarch
selinux-policy-mls-3.12.1-48.el7.noarch

Comment 8 Milos Malik 2013-06-11 07:57:21 UTC
selinux-policy-devel-3.12.1-49.el7.noarch
selinux-policy-doc-3.12.1-49.el7.noarch
selinux-policy-mls-3.12.1-49.el7.noarch
selinux-policy-minimum-3.12.1-49.el7.noarch
selinux-policy-3.12.1-49.el7.noarch
selinux-policy-targeted-3.12.1-49.el7.noarch

  PID USER     CONTEXT                         COMMAND
26480 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump

Comment 9 Miroslav Grepl 2013-06-11 11:49:49 UTC
Ok, there is a bug, definitely. Trying to find what is wrong with the policy.

Comment 10 Miroslav Grepl 2013-06-11 12:22:34 UTC
Fixed in selinux-policy-3.12.1-50.fc19

Comment 11 Milos Malik 2013-07-09 12:20:42 UTC
There are no AVCs but amandad runs with incorrect context:

  PID USER     CONTEXT                         COMMAND
15425 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump

# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-59.el7.noarch
selinux-policy-mls-3.12.1-59.el7.noarch
selinux-policy-3.12.1-59.el7.noarch
selinux-policy-doc-3.12.1-59.el7.noarch
selinux-policy-devel-3.12.1-59.el7.noarch
selinux-policy-targeted-3.12.1-59.el7.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
#

Comment 12 Miroslav Grepl 2013-07-10 08:53:02 UTC
I see

# ps -efZ |grep amanda
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump


Do you have the same reproducer as before?

Comment 14 Miroslav Grepl 2013-07-12 08:01:34 UTC
Could you try to run it by hand?

Comment 15 Milos Malik 2013-07-12 08:38:19 UTC
First terminal
========
# tail -f - | ncat 127.0.0.1 10080
tail: warning: following standard input indefinitely is ineffective

Second terminal
==========
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  9680     1  0 10:36 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9682 9629  0 10:37 pts/1 00:00:00 grep --color=auto amanda
#

Comment 16 Miroslav Grepl 2013-07-22 08:25:48 UTC
Milos,
do you have a machine with RHEL7 where I could try to test it? I am not able to reproduce it on my virtual machine.

Comment 17 Miroslav Grepl 2013-07-30 21:17:50 UTC
Petr,
do you see this problem?

Comment 18 Petr Hracek 2013-07-31 07:33:12 UTC
Currently not.
I see the problem for the first time.
For sure I added a guy from the systemd team.

Comment 19 Petr Hracek 2013-08-01 12:58:44 UTC
Well, I installed selinux and amanda packages on my RHEL-7 virtual machine and the installed packages are:

amanda-client-3.3.3-4.el7.x86_64
amanda-3.3.3-4.el7.x86_64
amanda-server-3.3.3-4.el7.x86_64
selinux-policy-3.12.1-65.el7.noarch
selinux-policy-targeted-3.12.1-65.el7.noarch
libselinux-2.1.13-16.el7.x86_64
libselinux-python-2.1.13-16.el7.x86_64
libselinux-utils-2.1.13-16.el7.x86_64
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  2815     1  0 08:55 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2817 2752  0 08:56 pts/1 00:00:00 grep --color=auto amanda
# 

I can send you the IP address of my RHEL-7 VM over ping.

Comment 20 Miroslav Grepl 2013-08-01 13:06:32 UTC
Yes, it would be great.

Comment 21 Miroslav Grepl 2013-08-01 14:19:54 UTC
Does it work with

# chcon -t amanda_exec_t /usr/sbin/amandad

Comment 22 Miroslav Grepl 2013-08-01 14:21:36 UTC
Actually no.

# ls -Z /usr/sbin/amandad
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/amandad -> /usr/lib64/amanda/amandad

# ls -Z /usr/lib64/amanda/amandad
-rwxr-xr-x. root root system_u:object_r:amanda_exec_t:s0 /usr/lib64/amanda/amandad

Comment 25 Ludek Smid 2014-06-13 12:27:36 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

