Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1616331 - SELinux prevents amanda from running normally
Summary: SELinux prevents amanda from running normally
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-15 15:37 UTC by Orion Poplawski
Modified: 2018-10-09 03:09 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.1-44.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-09 03:09:21 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Orion Poplawski 2018-08-15 15:37:01 UTC 
Description of problem:

See the following AVCs:

type=AVC msg=audit(1534302426.000:5130): avc:  denied  { dac_override } for  pid=3723 comm="tar" capability=1  scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:system_r:amanda_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1534305107.260:5509): avc:  denied  { map } for  pid=6067 comm="amandad" path="/dev/shm/amanda_shm_control-6067-0" dev="tmpfs" ino=219981 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_tmpfs_t:s0 tclass=file permissive=0

Not sure if the first is a problem.  The second is.

amandad failures are:

Tue Aug 14 20:07:06.002183161 2018: pid 3720: thd-0x55a785abe800: amgtar: /usr/bin/tar: /var/lib/amanda/gnutar-lists/fedsvn1.mry.nwra.com_var_backup_0.new: Cannot open: Permission denied
Tue Aug 14 20:07:06.004510207 2018: pid 3720: thd-0x55a785abe800: amgtar: Total bytes written: 397864960 (380MiB, 146GiB/s)
Tue Aug 14 20:07:06.004587064 2018: pid 3720: thd-0x55a785abe800: amgtar: /usr/bin/tar: Exiting with failure status due to previous errors

Not sure exactly what is up with the above.  Permissions seem okay:

# ls -ldZ /var/lib/amanda/gnutar-lists/
drwxr-xr-x. 2 amandabackup disk system_u:object_r:amanda_gnutarlists_t:s0 6 Aug 14 20:07 /var/lib/amanda/gnutar-lists//

Perhaps the dac_override is related?

Tue Aug 14 20:51:47.261379900 2018: pid 6067: thd-0x5620b544d600: amandad: shm_ring_create
Tue Aug 14 20:51:47.261818181 2018: pid 6067: thd-0x5620b544d600: amandad: shm_ring shm_ring.mc failed '/amanda_shm_control-6067-0': Permission denied

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-37.fc28.noarch
Comment 1 Orion Poplawski 2018-08-17 16:18:21 UTC 
Near as I can tell, the dac_override denial is preventing the writing of /var/lib/amanda/gnutar-lists/fedsvn1.mry.nwra.com_var_backup_0.new.  Running in permissive mode and disabling the dontaudit rules allows it to run and I don't see other avcs.
Comment 2 Fedora Update System 2018-09-06 21:56:38 UTC 
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
Comment 3 Fedora Update System 2018-09-07 17:12:06 UTC 
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217
Comment 4 Fedora Update System 2018-09-11 16:55:19 UTC 
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Orion Poplawski 2018-09-11 16:56:55 UTC 
With selinux-policy-3.14.1-42.fc28.noarch I'm still seeing:

type=AVC msg=audit(1536640000.775:101053): avc:  denied  { dac_override } for  pid=20705 comm="tar" capability=1  scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:system_r:amanda_t:s0 tclass=capability permissive=0

which leads to:

  fedsvn1.mry.nwra.com /var/backup lev 0  FAILED [/usr/bin/tar exited with status 2: see /var/log/amanda/client/Data/amgtar.20180910204839000.debug]
  fedsvn1.mry.nwra.com /var/backup lev 0  FAILED [shm_ring cancelled]

Mon Sep 10 20:48:39.105799929 2018: pid 18533: thd-0x5599a5fd7e00: amgtar: Spawning "/usr/bin/tar /usr/bin/tar --create --verbose --block-number --file - --directory /var/backup --no-check-device --listed-incremental /var/lib/amanda/gnutar-lists/fedsvn1.mry.nwra.com_var_backup_0.new --sparse --ignore-failed-read --totals --exclude-from /var/log/amanda/amgtar._var_backup.20180910204839.exclude ." in pipeline
Mon Sep 10 20:48:39.106959947 2018: pid 18533: thd-0x5599a5fd7e00: amgtar:   0: strange(?): /usr/bin/tar: /var/lib/amanda/gnutar-lists/fedsvn1.mry.nwra.com_var_backup_0.new: Cannot open: Permission denied
Comment 6 Fedora Update System 2018-10-05 08:51:18 UTC 
selinux-policy-3.14.1-44.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
Comment 7 Fedora Update System 2018-10-05 19:32:11 UTC 
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
Comment 8 Fedora Update System 2018-10-09 03:09:21 UTC 
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.