[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Amanda client AVC



On Mon, 10 Apr 2006, Stephen Smalley wrote:

On Mon, 2006-04-10 at 10:17 -0400, Matthew Saltzman wrote:
On Thu, 6 Apr 2006, Stephen Smalley wrote:

On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote:
My amanda clients are seeing the following:

     kernel: audit(1144217150.855:17): avc:  denied  { name_bind } for
     pid=3707 comm="sendbackup" src=697
     scontext=system_u:system_r:amanda_t:s0
     tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

And they don't work.

How to fix, please?  TIA.

port 697 is listed as uuidgen in /etc/services, so specifically mapping
it to an amanda port type and allowing amanda to bind to it seems wrong.
If this is just a result of probing for any available low port for NIS,
then the allow_ypbind boolean is likely relevant; try enabling it.

That stops the denial messages, but Amanda still isn't working.  It fails
with "too many dumper retry".  I'm not getting denials, though, so I
suppose that must be something else?

(Running nscd doesn't seem to help matters.)

Try installing the enableaudit.pp policy module, i.e.
	semodule -b /usr/share/selinux/targeted/enableaudit.pp
and retrying, then recheck your audit messages for anything relevant
(but note that there may be a lot of irrelevant audit messages enabled
by it).

That is the equivalent in FC5 to the old 'make enableaudit load' on
policy sources in FC4 and FC3.
Then you revert to the normal policy via
	semodule -b /usr/share/selinux/targeted/base.pp

Well, I feel silly now. The problem was failure to include ip_conntrack_amanda in /etc/sysconfig/iptables-config. I always seem to forget that. Is there a reason it shouldn't be automated somehow when amanda or amanda-client is installed?

The AVC still reports denied (I usually get several, but with different port numbers), but amanda runs anyway.

"setsebool allow_ypbind 1" stops the denial messages.

BTW, audit2allow for that AVC says "allow amanda_t reserved_port_t:tcp_socket name_bind". I haven't tried that yet, as I wasn't sure whether it or the boolean was the right thing to do, and I wasn't sure exactly what the right command was to accomplish the suggested change.




Also, this seems strange as a solution as this network doesn't run NIS.  I
do have all the amanda-related ports open on both server and client.  I
had no problems running amanda under FC4.  My server is FC4 and it backs
itself and an RH7.3 machine up with no problems.  Only my FC5 clients have
issues.

I agree that allow_ypbind needs to be renamed/generalized.



--
		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]