Anyone familiar with the selinux policy for the amanda backup software package? I'm getting lots of data not being backed up. For example, under /home there are 2 directory trees owned by root. Those get backed up, user home dirs do not.

No AVC denials nor messages in /var/log/messages or journalctl log. But if I turn off selinux enforcing, or set amanda_t type to permissive, complete backups are made.

I expected the selinux policy would have allowed amanda to be able to read all files. Else, how does one make backups?

I'm seeing this on CentOS 7.2, Fedora 24 & 25. Amanda packages from the respective distro repos. As far as I can tell, the selinux policies are the same in all three. But then, I know little selinux speak.

Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
On 01/19/2017 06:25 PM, Jon LaBadie wrote:
> Anyone familiar with the selinux policy for the
> amanda backup software package? I'm getting lots
> of data not being backed up. [...]
> No AVC denials nor messages in /var/log/messages
> or journalctl log. But if I turn off selinux
> enforcing, or set amanda_t type to permissive,
> complete backups are made.

There's an option to get selinux to report on all the 'don't audit' bits, which can be toggled on and off as needed. This may help in debugging.
On Fri, Jan 20, 2017 at 08:29:29PM -0500, John Jasen wrote:
> There's an option to get selinux to report on all the 'don't audit'
> bits, which can be toggled on and off as needed. This may help in debugging.

Yes, "sesearch -D". And there are several dealing with amanda, mostly about recovery from backup. I don't see any that appear to deal with file reads.

This may be moot though, auditd is not running on my system. I'm not sure why the change, but the audit logs stop last October. When I try to start auditd, it exits with the error "audit support not enabled in kernel".

Jon
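An added example, not from the thread and not part of Amanda or the SELinux tooling, that follows John's suggestion and Jon's follow-up: it rebuilds the policy with the dontaudit rules disabled, exercises Amanda, summarises the AVC records for the amanda_t domain, and restores the normal policy; when auditd is not running it reads the kernel log instead. The commands semodule, ausearch, journalctl and amcheck, and the Amanda config name given on the command line, are assumptions; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): surface AVC denials that dontaudit rules
# normally hide, for the amanda_t domain. Assumes root, policycoreutils
# (semodule), audit (ausearch) and Amanda's amcheck; config name is assumed.

AMANDA_DOMAIN="amanda_t"

# Read audit/kernel log lines on stdin; print one line per AVC record whose
# source type is $1: "<source type> <target type> <class> <permissions>".
# The SELinux type is the third colon-separated field of a context string.
summarize_avc() {
  awk -v dom="$1" '
    /avc: +denied/ {
      perms = ""; sctx = ""; tctx = ""; cls = ""
      if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) sctx = substr($i, 10)
        else if ($i ~ /^tcontext=/) tctx = substr($i, 10)
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      split(sctx, s, ":"); split(tctx, t, ":")
      if (s[3] != dom) next
      gsub(/^ +| +$/, "", perms)
      print s[3], t[3], cls, perms
    }'
}

# Rebuild the policy without its dontaudit rules (semodule -DB), exercise
# Amanda, collect the now-visible denials, then restore them (semodule -B).
# With auditd stopped the kernel writes audit records to the kernel log
# instead, so fall back to journalctl -k.
amanda_denial_report() {
  semodule -DB || return 1
  amcheck -c "$1" >/dev/null 2>&1 || true   # or run the real amdump
  { ausearch -m AVC -ts recent 2>/dev/null || journalctl -k --no-pager; } |
    summarize_avc "$AMANDA_DOMAIN" | sort | uniq -c
  semodule -B
}

# Constructed sample records (not real logs), in the format auditd writes.
SAMPLE_AVC='type=AVC msg=audit(1484870000.101:200): avc:  denied  { read } for  pid=2345 comm="amandad" name="jon" dev="dm-2" ino=131073 scontext=system_u:system_r:amanda_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484870000.102:201): avc:  denied  { read open } for  pid=2345 comm="amandad" name=".bashrc" dev="dm-2" ino=131080 scontext=system_u:system_r:amanda_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484870000.103:202): avc:  denied  { getattr } for  pid=999 comm="sshd" name="id_rsa" dev="dm-2" ino=131090 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0'

if [ "${1:-}" = "run" ]; then
  amanda_denial_report "$2"
else
  printf '%s\n' "$SAMPLE_AVC" | summarize_avc "$AMANDA_DOMAIN"
fi
```

Run with `run <config>` as root on the Amanda client to take the live path; without arguments it only summarises the constructed sample, which shows the shape of a home-directory denial once the dontaudit rules are out of the way.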