On Thu, Jan 12, 2017 at 06:02:38PM -0600, Jason L Tibbitts III wrote:
> >>>>> "jc" == jon@jgcomp com <[email protected]> writes:
>
> jc> Ok, I confirmed my home dir can be backed up with selinux set to
> jc> non-enforcing.
>
> How about just setting amanda_t to permissive as I suggested in my
> previous message? At least then you wouldn't have to disable selinux
> throughout your system.
>
> # semanage permissive -a amanda_t
>
> I'm not certain that it would fix your issues, but I think there's a
> pretty good chance.

Will try. I was still researching and hoping for some alternative, actual fix. Seems not to be an unusual situation.

> jc> There is a set of amanda rules for selinux in place, but apparently
> jc> they do not give amdump/tar the ability to backup all files.
>
> That's not surprising, really. As I wrote previously, using a
> filesystem-level backup tool like tar basically requires that you give
> amanda permission to read any file on the system. There's still value
> in selinux here (because it could be prevented from writing to those
> files) but I suggested that they add a policy boolean to control that
> (in the bugzilla ticket filed against Fedora's selinux-policy package,
> which I can't seem to locate right now).

As I looked at selinux I saw some things showing as "unconfined_X". I had hoped that processes that were "unconfined" might be similar to suid-root processes. But there are too many "unconfined" things on the system for that to be the meaning.

I noted that you re-opened the F22 bugzilla issue. I can confirm that it still exists in both F24 and F25.

> Unfortunately actually implementing that is well beyond my abilities.
>
> jc> Who provides the selinux rules for amanda?
>
> There is a policy in the upstream refpolicy-contrib:
> https://github.com/TresysTechnology/refpolicy-contrib

Part of that reads:

    files_read_all_files(amanda_t)
    files_read_all_symlinks(amanda_t)
    files_read_all_blk_files(amanda_t)
    files_read_all_chr_files(amanda_t)
    files_getattr_all_pipes(amanda_t)
    files_getattr_all_sockets(amanda_t)
    files_read_etc_runtime_files(amanda_t)
    files_list_all(amanda_t)

I'm not sure if that means "amanda_t processes can (should be allowed) to read all files" or that amanda processes can "read all files of amanda_t type".

> jc> Are the selinux rules for amanda provided with the amanda sources?
> jc> If so, I don't see them.
>
> I wouldn't expect so.

I wasn't expecting that as the manpage "amanda-selinux" is not provided by the amanda project.

> jc> Or perhaps they are added by the prebuilt amanda packages I
> jc> installed from the Fedora repos (and CentOS repos)?
>
> No, the package doesn't add its own policy. It's rare for Fedora/RHEL
> packages to do that. Perhaps occasionally some file contexts but only
> rarely an entire policy module and then almost always in a separate
> whatever-selinux package.

I thought that was the case also. But I was surprised to see an amanda policy in place then. As it didn't come from either of them, I guess it came with the base package and that does surprise me.

Jon
--
Jon H. LaBadie                 [email protected]
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
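Editor's note, added after the thread and not part of either poster's message: the `semanage permissive -a amanda_t` step suggested above does not silence SELinux for that domain; denials for `amanda_t` keep being logged to the audit log, now tagged `permissive=1`, so you can collect exactly which file types the backup run needs before deciding whether to leave the domain permissive, write a local policy module, or wait for the policy boolean discussed in the thread. (On the refpolicy question raised above: the interface `files_read_all_files(amanda_t)` is written as "grant the caller domain, here `amanda_t`, read access to all file types", not "read files of type amanda_t".) The script below is an added example of that triage step; it parses AVC records from constructed audit lines (the filenames, PIDs and inode numbers are made up for illustration) and tallies, per source domain, what was actually blocked versus what was only logged because the domain was permissive.

```python
import re
from collections import Counter

# Constructed sample audit.log lines for illustration only (not taken from
# the thread or from a real system). The last line is a different domain,
# httpd_t, to show that the summary filters on the source type.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1484258000.101:501): avc:  denied  { read } for  pid=2101 comm="tar" '
    'name="notes.txt" dev="dm-0" ino=131072 scontext=system_u:system_r:amanda_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1484258000.102:502): avc:  denied  { read } for  pid=2101 comm="tar" '
    'name="known_hosts" dev="dm-0" ino=131090 scontext=system_u:system_r:amanda_t:s0 '
    'tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1484258000.103:503): avc:  denied  { getattr } for  pid=2101 comm="tar" '
    'path="/home/jon/.ssh" dev="dm-0" ino=131089 scontext=system_u:system_r:amanda_t:s0 '
    'tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=0',
    # Same access as the first line, but recorded after the domain was made
    # permissive: the operation succeeded and was only logged.
    'type=AVC msg=audit(1484258100.200:600): avc:  denied  { read } for  pid=2210 comm="tar" '
    'name="notes.txt" dev="dm-0" ino=131072 scontext=system_u:system_r:amanda_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1484258100.201:601): avc:  denied  { write } for  pid=900 comm="httpd" '
    'name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
]

# Fields of an AVC record we care about. The permissive=N suffix is optional
# because older kernels did not emit it.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "decision": d["decision"],
        "perms": tuple(sorted(d["perms"].split())),
        "comm": d["comm"],
        "stype": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        "permissive": d["permissive"] == "1",
    }


def summarize_denials(lines, source_type):
    """Tally denials for one source domain.

    Returns (blocked, logged_only): two Counters keyed by
    (object class, target type, permissions). 'blocked' holds denials that
    were enforced; 'logged_only' holds denials recorded while the domain was
    permissive, i.e. accesses that succeeded but would be blocked in enforcing
    mode. Together they are the list of file types a policy change would
    have to cover.
    """
    blocked, logged_only = Counter(), Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or rec["stype"] != source_type:
            continue
        key = (rec["tclass"], rec["ttype"], " ".join(rec["perms"]))
        (logged_only if rec["permissive"] else blocked)[key] += 1
    return blocked, logged_only


if __name__ == "__main__":
    blocked, logged_only = summarize_denials(SAMPLE_AUDIT_LINES, "amanda_t")
    print("Enforced denials for amanda_t:")
    for (tclass, ttype, perms), n in sorted(blocked.items()):
        print(f"  {n:3d}  {tclass:<5} {ttype:<24} {{ {perms} }}")
    print("Logged only (domain permissive):")
    for (tclass, ttype, perms), n in sorted(logged_only.items()):
        print(f"  {n:3d}  {tclass:<5} {ttype:<24} {{ {perms} }}")
```

On a real host you would feed it `ausearch -m AVC -ts recent` output (or `/var/log/audit/audit.log`) instead of the constructed list, and the target-type column tells you which file types the backup touched that the shipped amanda policy does not cover.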
