Bug 205296 - various amanda issues
Summary: various amanda issues
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-09-05 20:58 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:04:06 UTC
Type: ---
Embargoed:



Description Orion Poplawski 2006-09-05 20:58:18 UTC
A couple of selinux amanda issues:

#1 - amanda index files:

Sep  3 09:48:24 saga kernel: audit(1157298504.254:77): avc:  denied  { write }
for  pid=21352 comm="sh" name="_export_home1" dev=dm-2 ino=111289
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:48:24 saga kernel: audit(1157298504.254:78): avc:  denied  { add_name
} for  pid=21352 comm="sh" name="20060901_0"
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:48:38 saga kernel: audit(1157298518.341:80): avc:  denied  { write }
for  pid=21352 comm="sort" name="20060901_0" dev=dm-2 ino=111367
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file

amanda keeps compressed index files in
/var/lib/amanda/<BackupSet>/index/<host>/<disk>.  The index server uncompresses
them into that directory as well (apparently).  Looks like the file context rule
needs a wildcard for the <BackupSet>:

/var/lib/amanda/index      gen_context(system_u:object_r:amanda_data_t,s0)

should be something like

/var/lib/amanda/.*/index      gen_context(system_u:object_r:amanda_data_t,s0)


#2 - tape server log file

Sep  3 09:50:53 saga kernel: audit(1157298653.964:85): avc:  denied  { append }
for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file
Sep  3 10:05:06 saga kernel: audit(1157299506.722:92): avc:  denied  {
remove_name } for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 10:05:06 saga kernel: audit(1157299506.726:93): avc:  denied  { unlink }
for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file

The tape server (started from xinetd) writes a log file to
/var/lib/amanda/<BackupSet>/log, same as the normal runs, partially as a lock file.

It also seems to write an info file:

Sep  5 09:38:41 saga kernel: audit(1157470721.476:113): avc:  denied  { write }
for  pid=14700 comm="amidxtaped" name="info" dev=dm-0 ino=32048
scontext=system_u:system_r:amanda_t:s0 tcontext=user_u:object_r:default_t:s0
tclass=file

into whatever directory is specified in amanda.conf as the tape device using the
file driver, e.g.:

tapedev "file:/export/amanda/Data"

I suppose I need to label this directory as amanda_data_t?


#3 - disk changer script:

Sep  3 09:50:54 saga kernel: audit(1157298654.084:86): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="Data" dev=dm-0 ino=80093
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_config_t:s0 tclass=dir
Sep  3 09:50:54 saga kernel: audit(1157298654.084:87): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="changer.conf-access" dev=dm-0 ino=80275
scontext=system_u:system_r:amanda_t:s0
tcontext=user_u:object_r:amanda_config_t:s0 tclass=file
Sep  3 09:50:54 saga kernel: audit(1157298654.084:88): avc:  denied  { write }
for  pid=21560 comm="chg-disk" name="changer.conf-clean" dev=dm-0 ino=85549
scontext=system_u:system_r:amanda_t:s0
tcontext=system_u:object_r:amanda_config_t:s0 tclass=file

The disk changer script manages configuration files in a location specified in
amanda.conf.  Unfortunately, this could be anywhere, but
/var/lib/amanda/<BackupSet>/ seems to be a good location.


#4 - also, this context:

/var/lib/amanda/disklist        --      gen_context(system_u:object_r:amanda_data_t,s0)

seems wrong.  disklist is usually at /etc/amanda/<BackupSet>/disklist.  Also,
it's read only, so I think the current rule for /etc/amanda works and this can
be removed.
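
As an added illustration (not part of the report or of selinux-policy), a small Python triage script that re-joins the syslog-wrapped AVC records of the kind quoted above and groups the denied permissions by source type, target type and object class, which is the view a policy reviewer needs to decide whether a denial calls for a file-context fix (relabelling, as proposed in #1) or a new allow rule. The log text is a constructed sample modelled on the records in the report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report's denials; the kernel message is
# wrapped over several syslog lines, so records must be re-joined first.
SAMPLE_LOG = """\
Sep  3 09:48:24 saga kernel: audit(1157298504.254:77): avc:  denied  { write }
for  pid=21352 comm="sh" name="_export_home1" dev=dm-2 ino=111289
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:48:24 saga kernel: audit(1157298504.254:78): avc:  denied  { add_name
} for  pid=21352 comm="sh" name="20060901_0"
scontext=system_u:system_r:amanda_t:s0 tcontext=root:object_r:var_lib_t:s0
tclass=dir
Sep  3 09:50:53 saga kernel: audit(1157298653.964:85): avc:  denied  { append }
for  pid=21557 comm="amidxtaped" name="log" dev=dm-2 ino=111948
scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file
"""

# A new record starts with the syslog timestamp/host prefix.
RECORD_START = re.compile(r"^\w{3}\s+\d+ \S+ \S+ kernel: audit\(")
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)",
    re.S,
)

def join_records(text):
    """Re-join syslog-wrapped AVC records so each one is a single string."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarise(text):
    """Map (source type, target type, class) -> sorted denied permissions,
    the grouping a policy reviewer (or audit2allow) works from."""
    grouped = defaultdict(set)
    for rec in join_records(text):
        m = AVC.search(rec)
        if m:
            grouped[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}
```

Running `summarise(SAMPLE_LOG)` yields two groups, amanda_t on var_lib_t directories (add_name, write) and files (append); a target type of var_lib_t under /var/lib/amanda is the signature of a missing file-context pattern rather than a missing allow rule.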

Comment 1 Daniel Walsh 2006-09-18 19:01:53 UTC
Fixed in selinux-policy-2.3.14-4

Comment 2 Orion Poplawski 2006-10-26 17:27:02 UTC
Any chance we'll see this in FC5 soon?  Thanks!

Comment 3 Daniel Walsh 2007-03-28 20:04:06 UTC
Closing bugs


