-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/04/2011 11:33 AM, Matthew Saltzman wrote:
> On Tue, 2011-01-04 at 09:11 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 01/04/2011 04:08 AM, Gordon Messmer wrote:
>>> On 01/02/2011 06:45 AM, Matthew Saltzman wrote:
>>>> Aha! In /var/log/messages, on the other hand, this happens:
>>>>
>>>> Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>>>> Jan 2 09:40:36 yankee setroubleshoot: SELinux is preventing /usr/sbin/sshd from search access on the directory /var/lib/amanda. For complete SELinux messages. run sealert -l d477003b-6568-4441-95d8-60bda5a6c0e5
>>> ...
>>>> So I will file the bug.
>>>
>>> I believe you'll need to fix that like so:
>>>
>>> # semanage fcontext -a -t user_home_dir_t /var/lib/amanda
>>> # semanage fcontext -a -t user_home_t "/var/lib/amanda/.*"
>>> # restorecon -r /var/lib/amanda
>>
>> No. This would probably cause amanda to break then. Does labeling .ssh as
>> ssh_home_t solve the problem?
>
> Now that you mention it, no. (Sorry, I sang your praises a bit too soon
> 8^).
>
> The messages on the client side (before and after the relabeling):
>
> Jan 4 11:10:06 yankee setroubleshoot: SELinux is
> preventing /usr/sbin/sshd from search access on the
> directory /var/lib/amanda. For complete SELinux messages. run
> sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
> Jan 4 11:10:06 yankee setroubleshoot: SELinux is
> preventing /usr/sbin/sshd from search access on the
> directory /var/lib/amanda. For complete SELinux messages. run
> sealert -l 90efb757-498d-4a01-bc5a-b117d159ee2d
>
> And the full sealert:
>
> SELinux is preventing /usr/sbin/sshd from search access on the
> directory /var/lib/amanda.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that sshd should be allowed search access on the
> amanda directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> So it looks like /var/lib/amanda is the problem, not the .ssh
> subdirectory. /var/lib/amanda's label is:
>
> drwxr-xr-x. amandabackup disk system_u:object_r:amanda_var_lib_t:s0 /var/lib/amanda/

You would need the combination of relabeling the homedir and searching
/var/lib/amanda. Which is what we will be adding to policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0jTrgACgkQrlYvE4MpobPRIgCeMQnY139E2M4Ehwt0oeNb9kbH
adMAnjN5W96sF3VGiI3XXZLJi5o+nS+c
=pLpV
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
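Editor's added example, not part of the thread or of the Fedora policy: the sealert advice above, `grep /usr/sbin/sshd /var/log/audit/audit.log | audit2allow -M mypol`, feeds every denial sshd has ever logged into one module, so it can allow far more than the one search on amanda_var_lib_t that is being debugged. The script below parses AVC records the way audit2allow does, but lets you restrict them to a source type and a target type and prints the resulting .te source so it can be reviewed before `semodule -i`. The helper names `avc_to_allow` and `avc_to_te` are hypothetical, and the audit lines are constructed to resemble the denial in the thread plus one unrelated sshd denial that the plain grep would sweep in.

```shell
#!/bin/sh
# Added example (not from the thread): turn SELinux AVC denials into a
# scoped local policy module. avc_to_allow / avc_to_te are hypothetical
# helper names; the output format is the .te syntax checkmodule accepts,
# so it can be diffed against what "audit2allow -M mypol" would produce.

# Constructed audit.log records (not real logs): two copies of the sshd ->
# /var/lib/amanda search denial, one file read in the same directory, and
# one unrelated sshd denial (write to etc_t) that "grep /usr/sbin/sshd"
# would also pull into the module.
SAMPLE_AVC='type=AVC msg=audit(1294155006.123:456): avc:  denied  { search } for  pid=1234 comm="sshd" name="amanda" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1294155006.123:456): avc:  denied  { search } for  pid=1234 comm="sshd" name="amanda" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1294155010.001:457): avc:  denied  { read open } for  pid=1234 comm="sshd" name="authorized_keys" dev=dm-0 ino=12346 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_var_lib_t:s0 tclass=file
type=AVC msg=audit(1294155020.500:458): avc:  denied  { write } for  pid=999 comm="sshd" name="somefile" dev=dm-0 ino=99 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_allow [source_type [target_type]]
# Reads audit records on stdin, keeps denied AVC lines whose source and
# target types match the arguments (empty = any), and prints one merged
# allow rule per (source, target, class) triple, permissions deduplicated.
avc_to_allow() {
  awk -v want_s="$1" -v want_t="$2" '
  /^type=AVC / && / denied / {
    perm = ""; s = ""; t = ""; c = ""
    # "{ search }" or "{ read open }" -> "search" / "read open"
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      # third colon-separated field of a context is the type
      if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
      else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    if (s == "" || t == "" || c == "" || perm == "") next
    if (want_s != "" && s != want_s) next
    if (want_t != "" && t != want_t) next
    key = s " " t ":" c
    n = split(perm, ps, " ")
    for (j = 1; j <= n; j++)
      if (index(" " perms[key] " ", " " ps[j] " ") == 0)
        perms[key] = (perms[key] == "" ? "" : perms[key] " ") ps[j]
  }
  END { for (k in perms) print "allow " k " { " perms[k] " };" }' | sort
}

# avc_to_te module_name
# Wraps allow rules from stdin in the module/require skeleton checkmodule
# expects, declaring every type and every class/permission the rules use.
avc_to_te() {
  awk -v mod="$1" '
  /^allow / {
    rules[++n] = $0
    st = $2; split($3, tc, ":"); tt = tc[1]; cls = tc[2]
    types[st] = 1; types[tt] = 1
    perm = $0; sub(/^[^{]*[{] /, "", perm); sub(/ [}];$/, "", perm)
    m = split(perm, ps, " ")
    for (j = 1; j <= m; j++)
      if (index(" " cperm[cls] " ", " " ps[j] " ") == 0)
        cperm[cls] = (cperm[cls] == "" ? "" : cperm[cls] " ") ps[j]
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (t in types) print "\ttype " t ";"
    for (c in cperm) print "\tclass " c " { " cperm[c] " };"
    print "}\n"
    for (i = 1; i <= n; i++) print rules[i]
  }'
}

# Stand-alone demo: the catch-all result versus the scoped module source.
echo '# every sshd_t denial (what grep /usr/sbin/sshd | audit2allow would allow):'
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow sshd_t
echo
echo '# scoped to amanda_var_lib_t only, as mypol.te:'
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow sshd_t amanda_var_lib_t | avc_to_te mypol
```

Save the scoped output as mypol.te, build it with `checkmodule -M -m -o mypol.mod mypol.te` and `semodule_package -o mypol.pp -m mypol.mod`, and only then `semodule -i mypol.pp`. As the reply above says, this is a stopgap for one host: the durable fix is the policy change (sshd searching amanda_var_lib_t together with the ssh_home_t label on the .ssh directory), after which the local module should be removed with `semodule -r mypol`.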