Bug 970306 - Excessive restrictions on amanda_exec_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-06-03 17:59 EDT by Orion Poplawski
Modified: 2014-08-07 23:03 EDT
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Last Closed: 2014-08-07 23:03:38 EDT
Type: Bug

Description Orion Poplawski 2013-06-03 17:59:00 EDT
Description of problem:

My backup script cannot access this file:

/etc/cron.daily/0backup:

rsync: readlink_stat("/usr/local/lib/amanda/exclude.gtar") failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1052) [sender=3.0.9]

In fact, I can access it as root:

[root@vmf19 ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar
ls: cannot access /usr/local/lib/amanda/exclude.gtar: Permission denied

Denials:

type=AVC msg=audit(1370296081.887:525): avc:  denied  { getattr } for  pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296083.390:526): avc:  denied  { getattr } for  pid=3147 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296485.910:535): avc:  denied  { getattr } for  pid=4347 comm="restorecon" name="exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296497.496:536): avc:  denied  { getattr } for  pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-47.fc19.noarch

This appears to have been introduced fairly recently.
Comment 1 Miroslav Grepl 2013-06-04 10:51:09 EDT
#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;
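Added example, not code from the bug report or from the selinux-policy project: a small Python triage that parses AVC records like the ones in the description and checks them against the rules audit2allow printed in Comment 1. It separates denials that need a new allow rule from denials the policy already permits, which is the contradiction this report hinges on (the AVC field names and the rule syntax are the standard ones; the third AVC record is constructed).

```python
import re
# Constructed sample input: two AVC records copied from the bug description
# plus one made-up 'read' denial that the rules in Comment 1 do not cover.
AVC_LINES = [
    'type=AVC msg=audit(1370296081.887:525): avc:  denied  { getattr } for  pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1370296497.496:536): avc:  denied  { getattr } for  pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1370296500.000:537): avc:  denied  { read } for  pid=4360 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file',
]
# The rules audit2allow printed for these denials in Comment 1.
RULES = """
allow system_cronjob_t amanda_exec_t:file getattr;
allow unconfined_t amanda_exec_t:file getattr;
"""
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+)\}|(\S+));')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["stype"] = d["scontext"].split(":")[2]   # domain of the denied process
    d["ttype"] = d["tcontext"].split(":")[2]   # type label on the file
    return d

def parse_rules(text):
    """Parse 'allow src tgt:class perm;' or '{ perms }' lines into tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms = m.group(4) or m.group(5)
            rules.append((m.group(1), m.group(2), m.group(3), set(perms.split())))
    return rules

def triage(avc_lines, rule_text):
    """Tag each denial 'missing_rule', or 'allowed_by_policy' when the rules
    already permit it (then the label or the loaded policy needs a look)."""
    rules = parse_rules(rule_text)
    result = []
    for a in filter(None, map(parse_avc, avc_lines)):
        covered = any(s == a["stype"] and t == a["ttype"] and c == a["tclass"]
                      and a["perms"] <= p for s, t, c, p in rules)
        result.append((a["comm"], a["stype"], a["ttype"], a["tclass"],
                       "allowed_by_policy" if covered else "missing_rule"))
    return result
```

Calling triage(AVC_LINES, RULES) tags both records from the report allowed_by_policy, the same signal audit2allow gave here, which is why the thread ended up looking at the policy build itself rather than adding rules.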
Comment 2 Fedora Update System 2013-06-05 15:01:25 EDT
selinux-policy-3.12.1-48.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-48.fc19
Comment 3 Fedora Update System 2013-06-06 13:31:28 EDT
Package selinux-policy-3.12.1-48.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-48.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10204/selinux-policy-3.12.1-48.fc19
then log in and leave karma (feedback).
Comment 4 Orion Poplawski 2013-06-06 15:11:37 EDT
I still see the same problem with -48.
Comment 5 Fedora Update System 2013-06-07 23:33:43 EDT
selinux-policy-3.12.1-48.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Miroslav Grepl 2013-06-11 03:51:21 EDT
Orion, 
something is wrong. Could you try to install the latest builds

http://koji.fedoraproject.org/koji/buildinfo?buildID=425126

and see if the update blows up.
Comment 7 Miroslav Grepl 2013-06-11 08:06:17 EDT
Ok, there is a bug in the policy.
Comment 8 Miroslav Grepl 2013-06-11 08:22:19 EDT
Fixed in selinux-policy-3.12.1-50.fc19
Comment 9 Orion Poplawski 2013-06-11 17:10:05 EDT
-50.fc19 looks good, thanks!
Comment 10 Fedora Update System 2013-06-14 03:23:39 EDT
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Comment 11 Fedora Update System 2013-06-14 23:06:40 EDT
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Orion Poplawski 2013-09-09 11:59:12 EDT
This seems to have returned in selinux-policy-3.12.1-76.fc21.noarch
Comment 13 Miroslav Grepl 2013-09-10 06:14:26 EDT
Added fixes.

commit 5bf8c1628f71b54269d990fc62906a3f9c35bc06
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Sep 10 12:13:28 2013 +0200

    amanda_exec_t needs to be executable file
Comment 14 Orion Poplawski 2013-09-11 11:54:52 EDT
Still present in -77.1.fc21.  Can we please not close until a working version is confirmed to be available.
Comment 15 Daniel Walsh 2013-09-11 13:53:30 EDT
Orion the way Rawhide is handled is to close the bugzilla when developer thinks rawhide is fixed.
Comment 16 Daniel Walsh 2013-09-11 13:57:50 EDT
Fixed in selinux-policy-3.12.1-80.fc21
Comment 17 Orion Poplawski 2013-09-11 13:59:23 EDT
Yeah, that's right of course.  Didn't get my bike ride to work today which must have made me a little grumpy.
Comment 18 Orion Poplawski 2013-09-12 11:29:43 EDT
Label is still amanda_exec_t, but nothing complains any more:

[root@vmrawhide ~]# restorecon -r -v /usr/local
[root@vmrawhide ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar 
-rw-r--r--. root root system_u:object_r:amanda_exec_t:s0 /usr/local/lib/amanda/exclude.gtar

thanks.  Now need to propagate to F19.
Comment 19 Miroslav Grepl 2013-09-13 03:33:30 EDT
Lukas, 
what does the latest F19 policy show you?

# cat /tmp/log |audit2allow


#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;
Comment 20 Lukas Vrabec 2013-09-13 09:23:34 EDT
Miroslav, 

$ audit2allow -i avc 


#============= system_cronjob_t ==============

#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;
Comment 21 Lukas Vrabec 2013-09-13 09:46:54 EDT
$ rpm -q selinux-policy
selinux-policy-3.12.1-74.3.fc19.noarch
Comment 22 Orion Poplawski 2014-08-07 23:03:38 EDT
Hopefully fixed now.
