Bug 462284

Summary: SELinux is preventing amandad (amanda_t) "name_bind" to <Unknown> (port_t).
Product: Fedora
Reporter: Julian C. Dunn <jdunn>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:05:45 UTC

Description Julian C. Dunn 2008-09-15 05:11:45 UTC
Description of problem:

SELinux alarms while backing up a F9 amanda client.

Version-Release number of selected component (if applicable):

amanda-client-2.5.2p1-11.fc9
selinux-policy-3.3.1-87.fc9

How reproducible:

Always

Steps to Reproduce:
1. Initiate amanda backup against filesystems on F9 host
2. Thousands of errors occur as follows.
Actual results:

jupiter:/var/log$ sudo sealert -l 9e81b4af-83f6-48f1-8827-4827d9a9ea64

Summary:

SELinux is preventing amandad (amanda_t) "name_bind" to <Unknown> (port_t).

Detailed Description:

SELinux denied access requested by amandad. It is not expected that this access
is required by amandad and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:amanda_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        amandad
Source Path                   /usr/lib/amanda/amandad
Port                          15313
Host                          jupiter.acf.aquezada.com
Source RPM Packages           amanda-client-2.5.2p1-11.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-87.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     jupiter.acf.aquezada.com
Platform                      Linux jupiter.acf.aquezada.com
                              2.6.26.3-29.fc9.i686 #1 SMP Wed Sep 3 03:42:27 EDT
                              2008 i686 i686
Alert Count                   6007
First Seen                    Mon Sep 15 00:47:55 2008
Last Seen                     Mon Sep 15 00:48:58 2008
Local ID                      9e81b4af-83f6-48f1-8827-4827d9a9ea64
Line Numbers                  

Raw Audit Messages            

host=jupiter.acf.aquezada.com type=AVC msg=audit(1221454138.253:7422): avc:  denied  { name_bind } for  pid=3673 comm="amandad" src=15313 scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1221454138.253:7422): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfefed20 a2=16450c a3=b804eee0 items=0 ppid=2244 pid=3673 auid=4294967295 uid=33 gid=6 euid=33 suid=33 fsuid=33 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="amandad" exe="/usr/lib/amanda/amandad" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-09-15 16:44:25 UTC
Is this a customized port?  Or part of a standard install?

# semanage  port -l | grep amanda
amanda_port_t                  tcp      10080, 10081, 10082, 10083
amanda_port_t                  udp      10080, 10081

If this is a customized port you can add it to amanda_port_t by executing

# semanage port -a -t amanda_port_t -p tcp 15313

If it is a standard port then I need to update the policy package.

Comment 2 Julian C. Dunn 2008-09-16 14:10:21 UTC
It's a standard install. However, upon examining the logs more I wonder if this bug is best assigned to the amanda owner.

/var/log/messages says this:

Sep 15 00:47:37 jupiter xinetd[2244]: START: amanda pid=3673 from=::ffff:192.168.5.7
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7481. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7482. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7483. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7484. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7485. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7486. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f
Sep 15 00:47:38 jupiter setroubleshoot: SELinux is preventing the amandad (amanda_t) from binding to port 7487. For complete SELinux messages. run sealert -l da01281f-a98d-4e19-a20f-757f8574ee0f


... and so on, where the denied port # increments by one upon each failure. By the time I caught the error, it had incremented to 15313.

I have no idea why amandad might be doing this. The previous amanda, amanda-2.5.2p1-10.fc9.i386, worked fine -- this is amanda-2.5.2p1-11.fc9.i386.
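An added example, not from this bug or from the amanda or selinux-policy projects: a POSIX shell script that reads audit.log-style AVC lines like the one in the description, reports name_bind denials per source domain with the lowest and highest port seen (so a sweep of incrementing ports like the one in Comment 2 is visible at a glance), and checks a port against the amanda_port_t tcp ports listed in Comment 1. The sample AVC lines are constructed for the example.

```shell
# Constructed audit.log-style lines modelled on the AVC in the report above.
SAMPLE_AVC='type=AVC msg=audit(1221454138.253:7422): avc:  denied  { name_bind } for  pid=3673 comm="amandad" src=15313 scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221454139.104:7423): avc:  denied  { name_bind } for  pid=3673 comm="amandad" src=15314 scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221454140.311:7424): avc:  denied  { name_bind } for  pid=4100 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221454141.500:7425): avc:  denied  { name_connect } for  pid=4200 comm="curl" dest=443 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# Read AVC lines on stdin; print "domain port tclass" for each name_bind denial.
# The domain is the type (third colon-separated part) of scontext.
name_bind_denials() {
  awk '/avc: +denied +[{] name_bind [}]/ {
    dom = ""; port = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/)      port = substr($i, 5)
      if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); dom = c[3] }
      if ($i ~ /^tclass=/)   cls = substr($i, 8)
    }
    print dom, port, cls
  }'
}

# Per-domain count plus lowest and highest port: a run of consecutive ports
# looks very different from a single misconfigured port.
summarize() {
  name_bind_denials | awk '{
      n[$1]++
      if (!($1 in lo) || $2 + 0 < lo[$1] + 0) lo[$1] = $2
      if (!($1 in hi) || $2 + 0 > hi[$1] + 0) hi[$1] = $2
    }
    END { for (d in n) print d, n[d], lo[d], hi[d] }' | sort
}

# The tcp ports carrying amanda_port_t in Comment 1's semanage listing.
in_amanda_port_t() {
  case "$1" in
    10080|10081|10082|10083) return 0 ;;
    *) return 1 ;;
  esac
}

# Suggest the labelling command from Comment 1 for a single unlabelled port.
# A sweep of consecutive ports is a client or policy problem (Comment 3),
# not something to fix by labelling ports one at a time.
label_command() {
  if in_amanda_port_t "$1"; then
    echo "port $1 is already labelled amanda_port_t"
  else
    echo "semanage port -a -t amanda_port_t -p tcp $1"
  fi
}
```

Running `printf '%s\n' "$SAMPLE_AVC" | summarize` prints one line per domain (count, lowest port, highest port); feed it `ausearch -m avc` or `/var/log/audit/audit.log` on a real host.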

Comment 3 Daniel Walsh 2008-09-16 15:24:26 UTC
I will allow it to bind to generic ports.

Fixed in selinux-policy-3.3.1-91.fc9.noarch

Comment 4 Daniel Walsh 2008-11-17 22:05:45 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.