Description of problem:

My backup script cannot access this file:

/etc/cron.daily/0backup:
rsync: readlink_stat("/usr/local/lib/amanda/exclude.gtar") failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1052) [sender=3.0.9]

In fact, I can access it as root:

[root@vmf19 ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar
ls: cannot access /usr/local/lib/amanda/exclude.gtar: Permission denied

Denials:

type=AVC msg=audit(1370296081.887:525): avc: denied { getattr } for pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296083.390:526): avc: denied { getattr } for pid=3147 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296485.910:535): avc: denied { getattr } for pid=4347 comm="restorecon" name="exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296497.496:536): avc: denied { getattr } for pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-47.fc19.noarch

This appears to have been introduced fairly recently.
#============= system_cronjob_t ==============
#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;
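To make sense of the denials quoted in this report, here is an added example (not part of the bug report, of audit2allow, or of the selinux-policy package) that parses raw AVC records and groups them by source type, target type and object class the way audit2allow does. The four sample records are copied from the report above; everything else is constructed for the example.

```python
import re
from collections import defaultdict

# Sample input: the four AVC denials quoted in the bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1370296081.887:525): avc: denied { getattr } for pid=3137 comm="0backup" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296083.390:526): avc: denied { getattr } for pid=3147 comm="rsync" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296485.910:535): avc: denied { getattr } for pid=4347 comm="restorecon" name="exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
type=AVC msg=audit(1370296497.496:536): avc: denied { getattr } for pid=4354 comm="ls" path="/usr/local/lib/amanda/exclude.gtar" dev="vda3" ino=15037 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class), like audit2allow.

    Returns {(stype, ttype, tclass): {"perms": set, "comms": set, "objects": set}}.
    Objects come from path= when present, else name= (restorecon logs name=).
    """
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec.get("comm", "?"))
        g["objects"].add(rec.get("path") or rec.get("name") or "?")
    return dict(groups)


def fmt_perms(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(text):
    """Render the grouped denials as the allow rules audit2allow would print."""
    return [f"allow {s} {t}:{c} {fmt_perms(g['perms'])};"
            for (s, t, c), g in sorted(summarize(text).items())]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for key, g in summarize(SAMPLE_AVCS).items():
        print(key, "objects:", sorted(g["objects"]), "comm:", sorted(g["comms"]))
```

The grouped view is what makes the diagnosis in this thread visible: every source domain, including unconfined_t, is denied getattr on the same inode, and the target is a plain data file (exclude.gtar) carrying the amanda_exec_t label. That pattern points at the label, not at a missing allow rule, which is why audit2allow reports the rules as already allowed and the maintainers fixed it in the policy rather than by adding rules.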
selinux-policy-3.12.1-48.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-48.fc19
Package selinux-policy-3.12.1-48.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-48.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10204/selinux-policy-3.12.1-48.fc19
then log in and leave karma (feedback).
I still see the same problem with -48.
selinux-policy-3.12.1-48.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Orion, something is wrong. Could you try to install the latest builds http://koji.fedoraproject.org/koji/buildinfo?buildID=425126 and see if the update blows up.
Ok, there is a bug in the policy.
Fixed in selinux-policy-3.12.1-50.fc19
-50.fc19 looks good, thanks!
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This seems to have returned in selinux-policy-3.12.1-76.fc21.noarch
Added fixes.

commit 5bf8c1628f71b54269d990fc62906a3f9c35bc06
Author: Miroslav Grepl <mgrepl>
Date:   Tue Sep 10 12:13:28 2013 +0200

    amanda_exec_t needs to be executable file
Still present in -77.1.fc21. Can we please not close until a working version is confirmed to be available?
Orion, the way Rawhide is handled is to close the bugzilla when the developer thinks Rawhide is fixed.
Fixed in selinux-policy-3.12.1-80.fc21
Yeah, that's right of course. Didn't get my bike ride to work today which must have made me a little grumpy.
Label is still amanda_exec_t, but nothing complains any more:

[root@vmrawhide ~]# restorecon -r -v /usr/local
[root@vmrawhide ~]# ls -lZ /usr/local/lib/amanda/exclude.gtar
-rw-r--r--. root root system_u:object_r:amanda_exec_t:s0 /usr/local/lib/amanda/exclude.gtar

Thanks. Now need to propagate to F19.
Lukas, what does the latest F19 policy show you?

# cat /tmp/log | audit2allow
#============= system_cronjob_t ==============
#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;
Miroslav,

$ audit2allow -i avc
#============= system_cronjob_t ==============
#!!!! This avc is allowed in the current policy
allow system_cronjob_t amanda_exec_t:file getattr;

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t amanda_exec_t:file getattr;

$ rpm -q selinux-policy
selinux-policy-3.12.1-74.3.fc19.noarch
Hopefully fixed now.