Bug 462681 - amanda-client-2.5.2p1-11.fc9.i386 fails with AVC denied, previous version worked
amanda-client-2.5.2p1-11.fc9.i386 fails with AVC denied, previous version worked
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: amanda (Show other bugs)
9
All Linux
high Severity medium
: ---
: ---
Assigned To: Daniel Novotny
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-18 05:40 EDT by Patrick C. F. Ernzer
Modified: 2009-04-06 09:47 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-24 19:51:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Patrick C. F. Ernzer 2008-09-18 05:40:01 EDT
Description of problem:
since upgrading amanda-client on Sept 11th, my nightly backups fail with AVC deny tclass=tcp_socket

Version-Release number of selected component (if applicable):
amanda-2.5.2p1-11.fc9

How reproducible:
always

Steps to Reproduce:
1. amanda server is amanda-2.4.4p3-1.21as.1
2. F9 release clients run fine
3. upgrade to amanda-client-2.5.2p1-11.fc9
  
Actual results:
nightly backups fail

Expected results:
nightly backups continue to work

Additional info:
/var/lib/amanda/.amandahosts should be correct, it contains
backup.example.com amanda amdump amandabackup
(edited after update as username changed, will be cleaned once I can get backups running, still unsure what username is with old server but modern client, not important for now)


/etc/amanda/amanda-client.conf contains
unreserved-tcp-port 10080,10083
(added during testing as logs showed amanda-client was trying all ports and I ofc got loads of AVC denied for the ports it has no business trying)


SELinux is in enforcing & targeted mode


# semanage port -l | grep amanda
amanda_port_t                  tcp      10080, 10081, 10082, 10083
amanda_port_t                  udp      10080, 10081


Bug 462226 may be related, let's see what the reporter replies to https://bugzilla.redhat.com/show_bug.cgi?id=462226#c2
(the suggestion to use the falg is from Bug 244916)


Sample Raw Audit Messages            

host=morn.internal.paranoid.com type=AVC msg=audit(1221730196.453:6747): avc:  denied  { name_bind } for  pid=18824 comm="amandad" src=10082 scontext=system_u:system_r:amanda_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_port_t:s0 tclass=tcp_socket

host=morn.internal.paranoid.com type=SYSCALL msg=audit(1221730196.453:6747): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bff77da0 a2=16450c a3=b8640c50 items=0 ppid=2248 pid=18824 auid=4294967295 uid=33 gid=6 euid=33 suid=33 fsuid=33 egid=6 sgid=6 fsgid=6 tty=(none) ses=4294967295 comm="amandad" exe="/usr/lib/amanda/amandad" subj=system_u:system_r:amanda_t:s0-s0:c0.c1023 key=(null)


I get these for src=10080, src=10081 and src=10082 (strangely enough no 10083 in the audit.log)
Comment 2 Patrick C. F. Ernzer 2008-09-18 05:41:28 EDT
oops, Fedora release is 9, not rawhide, fixing
Comment 3 Daniel Novotny 2008-09-18 06:06:32 EDT
hello, I think it relates with my fix of bug 449764 - I added --with-tcpportrange=1025,65535 to %configure options to prevent the default being 0,0 -as described in the bug- maybe that was not a good idea...
Comment 4 Daniel Novotny 2008-09-22 10:30:55 EDT
Patrick, what unreserved port range do you normally use? according to http://archives.zmanda.com/amanda-archives/viewtopic.php?t=4176&sid=c1c71386059a46dee45dada40f588325 the default should be 1025,65535 but you have 10080,10083 - should I use this instead? or should I just change the example configuration file, so every user will know they have to set it to "something" themselves? The compiled-in default was "0,0" for some reason and that is why I changed this in the latest build.
Comment 5 Patrick C. F. Ernzer 2008-09-22 14:56:26 EDT
Daniel,
(In reply to comment #4)
> Patrick, what unreserved port range do you normally use?

Until the version prior to amanda-2.5.2p1-11.fc9 I had none set at all on the client side.

> according to
> http://archives.zmanda.com/amanda-archives/viewtopic.php?t=4176&sid=c1c71386059a46dee45dada40f588325
> the default should be 1025,65535 but you have 10080,10083 - should I use this
> instead?

No, that is only testing on my side and I have entered that range after backups started to fail. (Basically while trying to find if the failure introduced by package update can be fixed with a configuration. As 10080,10083 does not make backup work, I do not thing you should set that.

> or should I just change the example configuration file, so every user
> will know they have to set it to "something" themselves? The compiled-in
> default was "0,0" for some reason and that is why I changed this in the latest
> build.

I think we need more debugging before pushing a patch. I have another F9 box (also failing since the package got updated), doyou agree that it would be helpful to just downgrade amanda-client so we can exclude any other of the F9 updates introduces the failure (I'd guess yes, but want to ask)
Comment 6 Daniel Novotny 2008-09-23 05:11:55 EDT
Patrick,

> I think we need more debugging before pushing a patch. I have another F9 box
> (also failing since the package got updated), doyou agree that it would be
> helpful to just downgrade amanda-client so we can exclude any other of the F9
> updates introduces the failure (I'd guess yes, but want to ask)

Yes, downgrade the package and see if this was the case: you can see from the changelog of the RPM, that in the new version I used a new ./configure option and no other change was made (except the "amandabackup" username correction in one of the config files). I may revoke the "./configure" change in the next release and see if bug 449764 can be corrected in some way that does not break your configuration...
Comment 7 Craig Goodyear 2008-09-23 16:28:16 EDT
I was having the same problem.  Downgrading amanda to 
amanda-2.5.2p1-10.fc9.i386 returning my system to normal 
operation.
Comment 8 Craig Goodyear 2008-09-23 16:33:09 EDT
(In reply to comment #7)

The above comment should have said:

I was having the same problem.  Downgrading amanda to 
amanda-2.5.2p1-10.fc9.i386 returned my system to normal 
operation.

Sorry for the confusion.
Comment 9 Patrick C. F. Ernzer 2008-09-24 09:38:11 EDT
(In reply to comment #6)

I have downgraded to
amanda-client-2.5.2p1-10.fc9.i386
amanda-2.5.2p1-10.fc9.i386

and removed /etc/amanda/amanda-client.conf

will let you know how it goes. With Craig from Comments #7 and #8 that will give you two people (just in case I missed something when bvacking out my attempts to make 2.5.2p1-11.fc9 work.

More news later this week or early next week
Comment 10 Daniel Novotny 2008-09-25 08:36:00 EDT
okay, I made a test build with a new approach to solve bug #449764: just change the config instead of ./configure option... maybe that will solve *this* bug

the rpms are here, if you want to try:

http://people.fedoraproject.org/~dnovotny/462681/
Comment 11 Patrick C. F. Ernzer 2008-09-30 15:06:18 EDT
as described in comment #9 amanda-client has been run successfully for the last few days.

Will now install 2.5.2p1-11.462681.fc9 (from comment #10) and report back in a few days.
Comment 12 Patrick C. F. Ernzer 2008-10-08 05:41:51 EDT
2.5.2p1-11.462681.fc9 has been working fine.
Comment 13 Daniel Novotny 2008-10-15 10:05:51 EDT
created amanda-2.5.2p1-12.fc9 with this solution
Comment 14 Fedora Update System 2008-10-15 10:14:23 EDT
amanda-2.5.2p1-12.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/amanda-2.5.2p1-12.fc9
Comment 15 Fedora Update System 2008-10-20 16:27:18 EDT
amanda-2.5.2p1-12.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update amanda'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8914
Comment 16 Fedora Update System 2008-10-24 19:51:35 EDT
amanda-2.5.2p1-12.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Markus Schade 2009-04-06 09:47:09 EDT
The problem is, without a defined port range, the default ist 0:0, so if one tries to run amrecover no ports to use are available. Thus you get:

amrecover: time 0.013: connect_port: Skip port 0: Owned by spr-itunes.
amrecover: time 0.013: connect_portrange: all ports between 0 and 0 busy
amrecover: time 0.014: stream_client: Could not bind to port in range 0-0.

So I would suggest adding the line "unreserved-tcp-port 1025,65535" to amanda-client.conf. Specifically to an /etc/amanda/amanda-client.conf as that one is read for all amrecover commands.

Note You need to log in before you can comment on or make changes to this bug.