-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/04/2011 11:33 AM, Matthew Saltzman wrote:
On Tue, 2011-01-04 at 09:11 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/04/2011 04:08 AM, Gordon Messmer wrote:
>> On 01/02/2011 06:45 AM, Matthew Saltzman wrote:
>>> Aha! In /var/log/messages, on the other hand, this happens:
>>>
>>> Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing
/usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux
messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>>> Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing
/usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux
messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>> ...
>>> So I will file the bug.
>>
>> I believe you'll need to fix that like so:
>>
>> # semanage fcontext -a -t user_home_dir_t /var/lib/amanda
>> # semanage fcontext -a -t user_home_t "/var/lib/amanda/.*"
>> # restorecon -r /var/lib/amanda
> No This would probably cause amanda to break then. Does labeling .ssh as
> ssh_home_t solve the problem?
Now that you mention it, no. (Sorry, I sang your praises a bit too soon
8^).
The messages on the client side (before and after the relabeling):
Jan 4 11:10:06 yankee setroubleshoot: SELinux is
preventing /usr/sbin/sshd from search access on the
directory /var/lib/amanda. For complete SELinux messages. run
sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
Jan 4 11:10:06 yankee setroubleshoot: SELinux is
preventing /usr/sbin/sshd from search access on the
directory /var/lib/amanda. For complete SELinux messages. run
sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
And the full sealert:
SELinux is preventing /usr/sbin/sshd from search access on the
directory /var/lib/amanda.
***** Plugin catchall (100. confidence) suggests
***************************
If you believe that sshd should be allowed search access on the
amanda directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M
mypol
# semodule -i mypol.pp
So it looks like /var/lib/amanda is the problem, not the .ssh
subdirectory. /var/lib/amanda's label is:
drwxr-xr-x. amandabackup disk
system_u:object_r:amanda_var_lib_t:s0 /var/lib/amanda/
You would need the combination of relabeling the homedir and searching
/var/lib/amanda.
WHich is what we will be adding to policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/
iEYEARECAAYFAk0jTrgACgkQrlYvE4MpobPRIgCeMQnY139E2M4Ehwt0oeNb9kbH
adMAnjN5W96sF3VGiI3XXZLJi5o+nS+c
=pLpV
-----END PGP SIGNATURE-----