
Thread: 2.5.0b1 test reports

  1. #11
    Join Date
    Oct 2005
    Location
    Bay Area, CA
    Posts
    124

    2.5.0b1 SELinux targeted mode testing

    My understanding is that FC4 only enforces targeted policy, which only protects a few daemons, and amanda is not one of them. So amanda should work fine even when selinux (default targeted policy) is enabled.
    One data point, I enabled SELinux's targeted policy:

    [ktill@boston ~]$ sestatus
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: permissive
    Mode from config file: permissive
    Policy version: 18
    Policy from config file: targeted

    Policy booleans:
    allow_ypbind inactive
    dhcpd_disable_trans inactive
    httpd_disable_trans inactive
    httpd_enable_cgi active
    httpd_enable_homedirs active
    httpd_ssi_exec active
    httpd_tty_comm inactive
    httpd_unified active
    mysqld_disable_trans inactive
    named_disable_trans inactive
    named_write_master_zones inactive
    nscd_disable_trans inactive
    ntpd_disable_trans inactive
    portmap_disable_trans inactive
    postgresql_disable_trans inactive
    snmpd_disable_trans inactive
    squid_disable_trans inactive
    syslogd_disable_trans inactive
    winbind_disable_trans inactive
    ypbind_disable_trans inactive

    amanda (2.5.0b1) backup and recover work fine.
    Has anyone used amanda on SELinux when STRICT policy is enforced?

  2. #12

    RHEL 4 + SELinux enforcing

    First the software details:
    Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
    selinux-policy-targeted-1.17.30-2.110
    selinux-policy-targeted-sources-1.17.30-2.110
    libselinux-1.19.1-7
    amanda-2.4.4p3-1
    amanda-client-2.4.4p3-1
    kernel-smp-2.6.9-5.0.5.EL

    The output from sestatus:
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 18
    Policy from config file: targeted

    Policy booleans:
    allow_ypbind active
    dhcpd_disable_trans inactive
    httpd_builtin_scripting active
    httpd_disable_trans inactive
    httpd_enable_cgi active
    httpd_enable_homedirs active
    httpd_ssi_exec active
    httpd_tty_comm inactive
    httpd_unified active
    mysqld_disable_trans inactive
    named_disable_trans inactive
    named_write_master_zones inactive
    nscd_disable_trans inactive
    ntpd_disable_trans inactive
    pegasus_disable_trans inactive
    portmap_disable_trans inactive
    postgresql_disable_trans inactive
    snmpd_disable_trans inactive
    squid_disable_trans inactive
    syslogd_disable_trans inactive
    use_nfs_home_dirs inactive
    use_samba_home_dirs inactive
    use_syslogng inactive
    winbind_disable_trans inactive
    ypbind_disable_trans inactive

    While running SELinux permissive does allow amanda to connect and do backups, enforcing stops amanda cold in her tracks.

    I'm forging ahead with reading, searching, and experimenting but if anyone has a canned solution, I'd appreciate it.

    Thanks in advance!

  3. #13

    SELinux testing

    bwil150n,

    Are you using 2.5.0b1 or 2.4.4p3 rpms from Redhat?

    What do you mean "stops amanda cold in her tracks"? I guess you have
    enabled targeted policy. Did you have any rules specific to amanda?
    Did the amdump fail or did the restore operation fail? Did you try amcheck?
    More information on the failure would be appreciated.

    Kevin has tested 2.5.0b1 and 2.5.0b2 images with SELinux targeted policy
    enabled (see his reports earlier in the thread).

    Thanks,
    Paddy

  4. #14

    Amanda + SELinux targeted policy, enforcing mode.

    Paddy,

    I'm running 2.4.5p1-2 on Debian 2.4.25 on a separate network, which means this is probably in the wrong forum.

    Proceeding anyway with names changed to protect...

    FAILURE AND STRANGE DUMP SUMMARY:
    ajax / lev 0 FAILED 20060228 [too many dumper retry]
    brillo / lev 0 FAILED 20060228 [too many dumper retry]

    Using /var/lib/amanda/DailySet1/amdump.1 from Wed Mar 1 00:45:01 PST 2006

    ajax:/ 0 driver: (aborted:could not connect to data port: Connection refused)(too many dumper retry)
    (same error for brillo)

    Amanda Tape Server Host Check
    -----------------------------
    Holding disk /backup/amanda: 217256088 kB disk space available, using 216207512 kB
    amcheck-server: slot 9: date 20060201 label C0000009 (exact label match)
    NOTE: skipping tape-writable test
    Tape C0000009 label ok
    NOTE: info dir /var/lib/amanda/DailySet1/curinfo/ajax: does not exist
    NOTE: it will be created on the next run.

    I know that amanda works if selinux is set to permissive, but my security model requires enforcing. I have tested against a permissive configuration and saw the audit trails regarding amanda so I'm certain amanda is not the problem.

    As far as the selinux configuration goes, it is unmodified from the policy-targeted rpm. I'm working with policy 18 specifically.

    I did read Kevin's report. It shows selinux is enabled, but running in permissive mode, not enforcing mode, making those results invalid in this case.

    In searching the SELinux threads I have seen bits and pieces of patches where amanda.te is mentioned, however that particular file does not ship with the rpm. I'm left to wonder if there is anyone on the board that has a working setup that fits the criteria I've spelled out in this and previous posts?

    Thanks!
    Last edited by bwil150n; March 1st, 2006 at 12:35 PM.

  5. #15

    SELinux targeted enforcing mode

    Hi,

    I now see some problem by turning on the enforcing mode with targeted policy.

    It's:
    Mar 4 07:57:07 localhost kernel: audit(1141487827.180:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_0.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
    Mar 4 07:57:07 localhost kernel: audit(1141487827.188:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_1.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem

    audit2allow indicates:
    allow unlabeled_t fs_t:filesystem { associate };

    I'll see what we can do on the Amanda side. Will let you know ASAP.

    --Kevin

  6. #16


    [ cross post from "suggestion box" ]
    Hi,

    My understanding is that the targeted policy has no enforcement on Amanda per se. I was playing with the "strict" policy; as a result, the gnutar-list directory is labeled. Once I removed the label by doing "chcon -R user_u:object_r:usr_t gnutar-list-directory", Amanda is working again running in targeted enforcing mode.

    Check your /tmp/amanda/sendsize.*debug file to see if it has problem opening the gnutar-list file.

    --Kevin
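    The denials in Kevin's earlier post and the relabel he describes here are two halves of the same diagnosis: the source context of the denied object is unlabeled_t, so the object's label is wrong, and the fix is to relabel it, not to add the rule audit2allow suggests (allowing unlabeled_t to associate with fs_t would let every unlabeled_t file on the system sit on any fs_t filesystem). The script below is an added example by the editor, not code from this thread or from the Amanda project: it parses AVC "denied" lines and separates labeling artifacts from candidate policy gaps. The sample input is constructed: the two sendsize denials quoted above with the "user_u:object_r" that the forum's smiley filter mangled restored, plus one hypothetical httpd denial on a correctly labeled file for contrast.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from Amanda): triage
# AVC "denied" lines so that a labeling problem (an object typed unlabeled_t)
# is kept apart from a real policy gap before anything from audit2allow is
# pasted into a policy.

# Constructed sample: the two sendsize denials from this thread (with the
# ":o" in user_u:object_r restored) plus one hypothetical httpd denial on a
# correctly labeled home-directory file, for contrast.
SAMPLE_AVC='Mar 4 07:57:07 localhost kernel: audit(1141487827.180:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_0.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Mar 4 07:57:07 localhost kernel: audit(1141487827.188:0): avc: denied { associate } for pid=3176 exe=/usr/lib/amanda/sendsize name=ktill2.zmanda.com_home_ktill_1.new scontext=user_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
Mar 4 08:10:22 localhost kernel: audit(1141488622.512:0): avc: denied { read } for pid=3401 exe=/usr/sbin/httpd name=index.html scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file'

# Print one "perm source_type target_type class name" record per denial.
# Only the first permission inside "{ ... }" is taken; the type is the third
# colon-separated field of a context (no MLS range on policy version 18).
avc_fields() {
    printf '%s\n' "$1" | awk '
    /avc: +denied/ {
        perm = ""; st = ""; tt = ""; cls = ""; name = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{")                perm = $(i + 1)
            else if ($i ~ /^scontext=/)   { split(substr($i, 10), a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)     cls = substr($i, 8)
            else if ($i ~ /^name=/)       name = substr($i, 6)
        }
        print perm, st, tt, cls, name
    }'
}

# Names of objects in a denial where either side is unlabeled_t. These want
# "ls -Z" and a relabel (chcon, or restorecon -R -v to the policy default),
# not a new allow rule.
unlabeled_names() {
    avc_fields "$1" | awk '$2 == "unlabeled_t" || $3 == "unlabeled_t" { print $5 }' | sort -u
}

# Number of denials that involve no unlabeled_t object: the only ones worth
# weighing against audit2allow's suggestion for an actual policy change.
policy_gap_count() {
    avc_fields "$1" | awk '$2 != "unlabeled_t" && $3 != "unlabeled_t" { n++ } END { print n + 0 }'
}

echo "Objects to relabel:"
unlabeled_names "$SAMPLE_AVC"
echo "Denials that may need a policy change: $(policy_gap_count "$SAMPLE_AVC")"
```

    Run it as-is against the constructed sample, or feed it `grep avc: /var/log/messages` output; on a client that has been through a strict-policy experiment, every name it lists under "Objects to relabel" is a candidate for the chcon step above.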

  7. #17


    Quote Originally Posted by ktill:
    [ cross post from "suggestion box" ]
    Hi,

    My understanding is that the targeted policy has no enforcement on Amanda per se. I was playing with the "strict" policy; as a result, the gnutar-list directory is labeled. Once I removed the label by doing "chcon -R user_u:object_r:usr_t gnutar-list-directory", Amanda is working again running in targeted enforcing mode.

    Check your /tmp/amanda/sendsize.*debug file to see if it has problem opening the gnutar-list file.

    --Kevin

    Apparently RHEL4 puts the gnutar stuff in /var/log/amanda -- or at least that is where I found the sendsize...debug files. Anyway, I ran chcon -R user_u:object_r:usr_t /var/log/amanda and I will wait for the results tomorrow. Just for good measure I made a /tmp/amanda and ran chcon on that one too. I'll report back the results tomorrow morning. I'm hoping for good things.

    Brad

  8. #18


    "Apparently RHEL4 puts the gnutar stuff in /var/log/amanda -- or at least that is where I found the sendsize...debug files."

    gnutar-lists is not a log file; it's a directory whose files contain the list of files to be backed up on the client. I think RHEL4 puts them in /var/lib/amanda/gnutar-lists/.

    If it's still not working right tomorrow, report the amanda-related AVC messages in /var/log/messages and errors in /var/log/amanda/sendsize.*.debug.

    Thanks!

    --Kevin

  9. #19

    Duly noted and adjustments made. News at 11.

    Brad

  10. #20


    The backup still failed. Please see the attachment for details. ajax is the client and flagpole is the server.
