Amanda client AVC

Stephen Smalley sds at tycho.nsa.gov
Mon Apr 10 14:27:59 UTC 2006


On Mon, 2006-04-10 at 10:17 -0400, Matthew Saltzman wrote:
> On Thu, 6 Apr 2006, Stephen Smalley wrote:
> 
> > On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote:
> >> My amanda clients are seeing the following:
> >>
> >>      kernel: audit(1144217150.855:17): avc:  denied  { name_bind } for
> >>      pid=3707 comm="sendbackup" src=697
> >>      scontext=system_u:system_r:amanda_t:s0
> >>      tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
> >>
> >> And they don't work.
> >>
> >> How to fix, please?  TIA.
> >
> > port 697 is listed as uuidgen in /etc/services, so specifically mapping
> > it to an amanda port type and allowing amanda to bind to it seems wrong.
> > If this is just a result of probing for any available low port for NIS,
> > then the allow_ypbind boolean is likely relevant; try enabling it.
> 
> That stops the denial messages, but Amanda still isn't working.  It fails 
> with "too many dumper retry".  I'm not getting denials, though, so I 
> suppose that must be something else?
> 
> (Running nscd doesn't seem to help matters.)

Try installing the enableaudit.pp policy module, i.e.
	semodule -b /usr/share/selinux/targeted/enableaudit.pp
and retrying, then recheck your audit messages for anything relevant
(but note that there may be a lot of irrelevant audit messages enabled
by it).

That is the equivalent in FC5 to the old 'make enableaudit load' on
policy sources in FC4 and FC3.
Then you revert to the normal policy via
	semodule -b /usr/share/selinux/targeted/base.pp

> Also, this seems strange as a solution as this network doesn't run NIS.  I 
> do have all the amanda-related ports open on both server and client.  I 
> had no problems running amanda under FC4.  My server is FC4 and it backs 
> itself and an RH7.3 machine up with no problems.  Only my FC5 clients have 
> issues.

I agree that allow_ypbind needs to be renamed/generalized.

-- 
Stephen Smalley
National Security Agency
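As an added example (not part of the thread or of any Fedora tooling), the following Python parses AVC records like the one quoted above, summarizes denials by source type, target type, class and permission in the way audit2allow groups them, and flags name_bind denials on privileged ports. The first sample line is the thread's own denial flattened as audit logs it; the second line is constructed.

```python
import re
from collections import Counter

# Constructed sample log: the denial quoted in the thread (joined onto one line,
# as the audit subsystem emits it) plus a second, constructed record.
SAMPLE_AUDIT_LOG = """\
kernel: audit(1144217150.855:17): avc:  denied  { name_bind } for  pid=3707 comm="sendbackup" src=697 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
kernel: audit(1144217151.012:18): avc:  denied  { name_connect } for  pid=3710 comm="amandad" dest=10080 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


def low_port_bind(rec):
    """True for a name_bind denial on a privileged port (below 1024).

    In the thread, port 697 is labelled reserved_port_t: a port no service
    claims. A bind denial there usually means the process picked an arbitrary
    low port (as in the ypbind-style probing discussed) rather than its own
    policy-assigned port, so the fix is rarely a new allow rule for that port.
    """
    return ("name_bind" in rec["perms"] and rec["tclass"] in ("tcp_socket", "udp_socket")
            and "src" in rec and int(rec["src"]) < 1024)
```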