Amanda client AVC

Matthew Saltzman mjs at ces.clemson.edu
Sun Apr 16 18:19:13 UTC 2006


On Mon, 10 Apr 2006, Stephen Smalley wrote:

> On Mon, 2006-04-10 at 10:17 -0400, Matthew Saltzman wrote:
>> On Thu, 6 Apr 2006, Stephen Smalley wrote:
>>
>>> On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote:
>>>> My amanda clients are seeing the following:
>>>>
>>>>      kernel: audit(1144217150.855:17): avc:  denied  { name_bind } for
>>>>      pid=3707 comm="sendbackup" src=697
>>>>      scontext=system_u:system_r:amanda_t:s0
>>>>      tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
>>>>
>>>> And they don't work.
>>>>
>>>> How to fix, please?  TIA.
>>>
>>> port 697 is listed as uuidgen in /etc/services, so specifically mapping
>>> it to an amanda port type and allowing amanda to bind to it seems wrong.
>>> If this is just a result of probing for any available low port for NIS,
>>> then the allow_ypbind boolean is likely relevant; try enabling it.
>>
>> That stops the denial messages, but Amanda still isn't working.  It fails
>> with "too many dumper retry".  I'm not getting denials, though, so I
>> suppose that must be something else?
>>
>> (Running nscd doesn't seem to help matters.)
>
> Try installing the enableaudit.pp policy module, i.e.
> 	semodule -b /usr/share/selinux/targeted/enableaudit.pp
> and retrying, then recheck your audit messages for anything relevant
> (but note that there may be a lot of irrelevant audit messages enabled
> by it).
>
> That is the equivalent in FC5 to the old 'make enableaudit load' on
> policy sources in FC4 and FC3.
> Then you revert to the normal policy via
> 	semodule -b /usr/share/selinux/targeted/base.pp

Well, I feel silly now.  The problem was failure to include 
ip_conntrack_amanda in /etc/sysconfig/iptables-config.  I always seem to 
forget that.  Is there a reason it shouldn't be automated somehow when 
amanda or amanda-client is installed?

The AVC still reports denied (I usually get several, but with different 
port numbers), but amanda runs anyway.

"setsebool allow_ypbind 1" stops the denial messages.

BTW, audit2allow for that AVC says "allow amanda_t 
reserved_port_t:tcp_socket name_bind".  I haven't tried that yet, as I 
wasn't sure whether it or the boolean was the right thing to do, and I 
wasn't sure exactly what the right command was to accomplish the 
suggested change.



>
>> Also, this seems strange as a solution as this network doesn't run NIS.  I
>> do have all the amanda-related ports open on both server and client.  I
>> had no problems running amanda under FC4.  My server is FC4 and it backs
>> itself and an RH7.3 machine up with no problems.  Only my FC5 clients have
>> issues.
>
> I agree that allow_ypbind needs to be renamed/generalized.
>
>

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
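Added example, not part of the thread: a small Python triage helper that parses AVC records like the one quoted above, groups denials by source type, target type, object class and permission, and flags the pattern Stephen describes (one domain binding to varying ports below 1024, all labelled reserved_port_t). Apart from the src=697 record from the thread, the sample audit lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit lines modelled on the thread's record; only src=697 is the page's own.
SAMPLE_AUDIT = """\
kernel: audit(1144217150.855:17): avc:  denied  { name_bind } for pid=3707 comm="sendbackup" src=697 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
kernel: audit(1144217151.102:18): avc:  denied  { name_bind } for pid=3712 comm="sendbackup" src=702 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
kernel: audit(1144217151.340:19): avc:  denied  { name_bind } for pid=3712 comm="sendbackup" src=713 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
kernel: audit(1144217160.000:20): avc:  denied  { read } for pid=3801 comm="nscd" name="passwd" scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict of its key=value fields; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; policy rules name the type, so pull it out.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class, permission), collecting src ports."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            g = groups[(rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"), perm)]
            g["count"] += 1
            if "src" in rec:
                g["ports"].add(int(rec["src"]))
    return dict(groups)

def looks_like_low_port_probe(key, group):
    """True when one domain tried name_bind on several different ports below 1024 (all
    reserved_port_t), i.e. the low-port probing the thread ties to the allow_ypbind boolean."""
    _, ttype, tclass, perm = key
    return (perm == "name_bind" and tclass in ("tcp_socket", "udp_socket")
            and ttype == "reserved_port_t" and len(group["ports"]) > 1
            and all(p < 1024 for p in group["ports"]))
```

Grouping this way shows at a glance whether a denial is one rule's worth of access or a moving target across ports, which is the distinction between the blanket `allow amanda_t reserved_port_t:tcp_socket name_bind` that audit2allow proposes and the boolean.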



