Bug 462681

Summary:	amanda-client-2.5.2p1-11.fc9.i386 fails with AVC denied, previous version worked
Product:	[Fedora] Fedora	Reporter:	Patrick C. F. Ernzer <pcfe>
Component:	amanda	Assignee:	Daniel Novotny <dnovotny>
Status:	CLOSED NEXTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	high
Version:	9	CC:	goodyca48, markus.schade
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2008-10-24 23:51:38 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Patrick C. F. Ernzer 2008-09-18 09:40:01 UTC

Description of problem:
since upgrading amanda-client on Sept 11th, my nightly backups fail with AVC deny tclass=tcp_socket

Version-Release number of selected component (if applicable):
amanda-2.5.2p1-11.fc9

How reproducible:
always

Steps to Reproduce:
1. amanda server is amanda-2.4.4p3-1.21as.1
2. F9 release clients run fine
3. upgrade to amanda-client-2.5.2p1-11.fc9
  
Actual results:
nightly backups fail

Expected results:
nightly backups continue to work

Additional info:
/var/lib/amanda/.amandahosts should be correct, it contains
backup.example.com amanda amdump amandabackup
(edited after update as username changed, will be cleaned once I can get backups running, still unsure what username is with old server but modern client, not important for now)


/etc/amanda/amanda-client.conf contains
unreserved-tcp-port 10080,10083
(added during testing as logs showed amanda-client was trying all ports and I ofc got loads of AVC denied for the ports it has no business trying)


SELinux is in enforcing & targeted mode


# semanage port -l | grep amanda
amanda_port_t                  tcp      10080, 10081, 10082, 10083
amanda_port_t                  udp      10080, 10081


Bug 462226 may be related, let's see what the reporter replies to https://bugzilla.redhat.com/show_bug.cgi?id=462226#c2
(the suggestion to use the falg is from Bug 244916)


Sample Raw Audit Messages            

host=morn.internal.paranoid.com type=AVC msg=audit(1221730196.453:6747): avc:  denied  { name_bind } for  pid=18824 comm="amandad" src=10082 scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket

host=morn.internal.paranoid.com type=SYSCALL msg=audit(1221730196.453:6747): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bff77da0 a2=16450c a3=b8640c50 items=0 ppid=2248 pid=18824 auid=4294967295 uid=33 gid=6 euid=33 suid=33 fsuid=33 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="amandad" exe="/usr/lib/amanda/amandad" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023 key=(null)


I get these for src=10080, src=10081 and src=10082 (strangely enough no 10083 in the audit.log)

Comment 2 Patrick C. F. Ernzer 2008-09-18 09:41:28 UTC

oops, Fedora release is 9, not rawhide, fixing

Comment 3 Daniel Novotny 2008-09-18 10:06:32 UTC

hello, I think it relates with my fix of bug 449764 - I added --with-tcpportrange=1025,65535 to %configure options to prevent the default being 0,0 -as described in the bug- maybe that was not a good idea...

Comment 4 Daniel Novotny 2008-09-22 14:30:55 UTC

Patrick, what unreserved port range do you normally use? according to http://archives.zmanda.com/amanda-archives/viewtopic.php?t=4176&sid=c1c71386059a46dee45dada40f588325 the default should be 1025,65535 but you have 10080,10083 - should I use this instead? or should I just change the example configuration file, so every user will know they have to set it to "something" themselves? The compiled-in default was "0,0" for some reason and that is why I changed this in the latest build.

Comment 5 Patrick C. F. Ernzer 2008-09-22 18:56:26 UTC

Daniel,
(In reply to comment #4)
> Patrick, what unreserved port range do you normally use?

Until the version prior to amanda-2.5.2p1-11.fc9 I had none set at all on the client side.

> according to
> http://archives.zmanda.com/amanda-archives/viewtopic.php?t=4176&sid=c1c71386059a46dee45dada40f588325
> the default should be 1025,65535 but you have 10080,10083 - should I use this
> instead?

No, that is only testing on my side and I have entered that range after backups started to fail. (Basically while trying to find if the failure introduced by package update can be fixed with a configuration. As 10080,10083 does not make backup work, I do not thing you should set that.

> or should I just change the example configuration file, so every user
> will know they have to set it to "something" themselves? The compiled-in
> default was "0,0" for some reason and that is why I changed this in the latest
> build.

I think we need more debugging before pushing a patch. I have another F9 box (also failing since the package got updated), doyou agree that it would be helpful to just downgrade amanda-client so we can exclude any other of the F9 updates introduces the failure (I'd guess yes, but want to ask)

Comment 6 Daniel Novotny 2008-09-23 09:11:55 UTC

Patrick,

> I think we need more debugging before pushing a patch. I have another F9 box
> (also failing since the package got updated), doyou agree that it would be
> helpful to just downgrade amanda-client so we can exclude any other of the F9
> updates introduces the failure (I'd guess yes, but want to ask)

Yes, downgrade the package and see if this was the case: you can see from the changelog of the RPM, that in the new version I used a new ./configure option and no other change was made (except the "amandabackup" username correction in one of the config files). I may revoke the "./configure" change in the next release and see if bug 449764 can be corrected in some way that does not break your configuration...

Comment 7 Craig Goodyear 2008-09-23 20:28:16 UTC

I was having the same problem.  Downgrading amanda to 
amanda-2.5.2p1-10.fc9.i386 returning my system to normal 
operation.

Comment 8 Craig Goodyear 2008-09-23 20:33:09 UTC

(In reply to comment #7)

The above comment should have said:

I was having the same problem.  Downgrading amanda to 
amanda-2.5.2p1-10.fc9.i386 returned my system to normal 
operation.

Sorry for the confusion.

Comment 9 Patrick C. F. Ernzer 2008-09-24 13:38:11 UTC

(In reply to comment #6)

I have downgraded to
amanda-client-2.5.2p1-10.fc9.i386
amanda-2.5.2p1-10.fc9.i386

and removed /etc/amanda/amanda-client.conf

will let you know how it goes. With Craig from Comments #7 and #8 that will give you two people (just in case I missed something when bvacking out my attempts to make 2.5.2p1-11.fc9 work.

More news later this week or early next week

Comment 10 Daniel Novotny 2008-09-25 12:36:00 UTC

okay, I made a test build with a new approach to solve bug #449764: just change the config instead of ./configure option... maybe that will solve *this* bug

the rpms are here, if you want to try:

http://people.fedoraproject.org/~dnovotny/462681/

Comment 11 Patrick C. F. Ernzer 2008-09-30 19:06:18 UTC

as described in comment #9 amanda-client has been run successfully for the last few days.

Will now install 2.5.2p1-11.462681.fc9 (from comment #10) and report back in a few days.

Comment 12 Patrick C. F. Ernzer 2008-10-08 09:41:51 UTC

2.5.2p1-11.462681.fc9 has been working fine.

Comment 13 Daniel Novotny 2008-10-15 14:05:51 UTC

created amanda-2.5.2p1-12.fc9 with this solution

Comment 14 Fedora Update System 2008-10-15 14:14:23 UTC

amanda-2.5.2p1-12.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/amanda-2.5.2p1-12.fc9

Comment 15 Fedora Update System 2008-10-20 20:27:18 UTC

amanda-2.5.2p1-12.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update amanda'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8914

Comment 16 Fedora Update System 2008-10-24 23:51:35 UTC

amanda-2.5.2p1-12.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Markus Schade 2009-04-06 13:47:09 UTC

The problem is, without a defined port range, the default ist 0:0, so if one tries to run amrecover no ports to use are available. Thus you get:

amrecover: time 0.013: connect_port: Skip port 0: Owned by spr-itunes.
amrecover: time 0.013: connect_portrange: all ports between 0 and 0 busy
amrecover: time 0.014: stream_client: Could not bind to port in range 0-0.

So I would suggest adding the line "unreserved-tcp-port 1025,65535" to amanda-client.conf. Specifically to an /etc/amanda/amanda-client.conf as that one is read for all amrecover commands.