>>>>> "jc" == jon@jgcomp com <[email protected]> writes:

jc> Ok, I confirmed my home dir can be backed up with selinux set to
jc> non-enforcing.

How about just setting amanda_t to permissive as I suggested in my
previous message?  At least then you wouldn't have to disable selinux
throughout your system.

# semanage permissive -a amanda_t

I'm not certain that it would fix your issues, but I think there's a
pretty good chance.

jc> There is a set of amanda rules for selinux in place, but apparently
jc> they do not give amdump/tar the ability to back up all files.

That's not surprising, really.  As I wrote previously, using a
filesystem-level backup tool like tar basically requires that you give
amanda permission to read any file on the system.  There's still value
in selinux here (because it could be prevented from writing to those
files) but I suggested that they add a policy boolean to control that
(in the bugzilla ticket filed against Fedora's selinux-policy package,
which I can't seem to locate right now).

Unfortunately actually implementing that is well beyond my abilities.

jc> Who provides the selinux rules for amanda?

There is a policy in the upstream refpolicy-contrib:
https://github.com/TresysTechnology/refpolicy-contrib

However, I know that at least Fedora has various modifications to that
in the big policy patch we carry.

jc> Are the selinux rules for amanda provided with the amanda sources?
jc> If so, I don't see them.

I wouldn't expect so.

jc> Or perhaps they are added by the prebuilt amanda packages I
jc> installed from the Fedora repos (and CentOS repos)?

No, the package doesn't add its own policy.  It's rare for Fedora/RHEL
packages to do that.  Perhaps occasionally some file contexts but only
rarely an entire policy module and then almost always in a separate
whatever-selinux package.

 - J<
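
Added example, not part of the original message: with amanda_t permissive, denials are still logged but not enforced, so the audit log shows what the backup actually needed. This sketch summarizes AVC records for one domain and separates write-like access from the read access a tar-based backup requires; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1500000000.101:401): avc:  denied  { read open } for  pid=2101 comm="tar" path="/home/user/notes.txt" dev="dm-0" ino=1311 scontext=system_u:system_r:amanda_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000000.102:402): avc:  denied  { getattr } for  pid=2101 comm="tar" path="/home/user/.ssh" dev="dm-0" ino=1312 scontext=system_u:system_r:amanda_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1500000000.103:403): avc:  denied  { write add_name } for  pid=2101 comm="tar" name="restore.tmp" scontext=system_u:system_r:amanda_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1500000000.104:404): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Pulls the permission set, source type, target type and object class
# out of one AVC record; any MLS level after the type is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Permissions that modify the target rather than just read it.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename",
              "setattr", "add_name", "remove_name"}


def summarize(log_text, domain="amanda_t"):
    """Map (target type, class) -> sorted permissions denied to `domain`."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["stype"] != domain:
            continue  # not an AVC record, or a different source domain
        needed[(m["ttype"], m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in needed.items()}


def write_access(summary):
    """Targets where the domain attempted something beyond reading."""
    return sorted(k for k, perms in summary.items() if WRITE_LIKE & set(perms))


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (ttype, tclass), perms in sorted(result.items()):
        print(f"{ttype}:{tclass} {{ {' '.join(perms)} }}")
    print("review before allowing:", write_access(result))
```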
