Re: ssh by user amandabackup [SOLVED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2011-01-04 at 09:11 -0500, Daniel J Walsh wrote: 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 01/04/2011 04:08 AM, Gordon Messmer wrote:
> > On 01/02/2011 06:45 AM, Matthew Saltzman wrote:
> >> Aha! In /var/log/messages, on the other hand, this happens:
> >>
> >>          Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
> >>          Jan  2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
> > ...
> >> So I will file the bug.
> > 
> > I believe you'll need to fix that like so:
> > 
> > # semanage fcontext -a -t user_home_dir_t /var/lib/amanda
> > # semanage fcontext -a -t user_home_t "/var/lib/amanda/.*"
> > # restorecon -r /var/lib/amanda
> No This would probably cause amanda to break then. Does labeling .ssh as
> ssh_home_t solve the problem?

Now that you mention it, no.  (Sorry, I sang your praises a bit too soon
8^).

The messages on the client side (before and after the relabeling):

        Jan  4 11:10:06 yankee setroubleshoot: SELinux is
        preventing /usr/sbin/sshd from search access on the
        directory /var/lib/amanda. For complete SELinux messages. run
        sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
        Jan  4 11:10:06 yankee setroubleshoot: SELinux is
        preventing /usr/sbin/sshd from search access on the
        directory /var/lib/amanda. For complete SELinux messages. run
        sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d

And the full sealert:

        SELinux is preventing /usr/sbin/sshd from search access on the
        directory /var/lib/amanda.
        
        *****  Plugin catchall (100. confidence) suggests
        ***************************
        
        If you believe that sshd should be allowed search access on the
        amanda directory by default.
        Then you should report this as a bug.
        You can generate a local policy module to allow this access.
        Do
        allow this access for now by executing:
        # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M
        mypol
        # semodule -i mypol.pp
        
So it looks like /var/lib/amanda is the problem, not the .ssh
subdirectory.  /var/lib/amanda's label is:
        
        drwxr-xr-x. amandabackup disk
        system_u:object_r:amanda_var_lib_t:s0 /var/lib/amanda/
        
-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux