Amanda-Users

Re: Attempted upgrade to Amanda 2.5.0: hangs in amcheck

2008-04-15 19:07:25
Subject: Re: Attempted upgrade to Amanda 2.5.0: hangs in amcheck
From: FL <lengyel AT gmail DOT com>
To: "Dustin J. Mitchell" <dustin AT zmanda DOT com>
Date: Tue, 15 Apr 2008 18:33:21 -0400
On Tue, Apr 15, 2008 at 6:20 PM, Dustin J. Mitchell <dustin AT zmanda DOT com> wrote:
> On Tue, Apr 15, 2008 at 6:15 PM, FL <lengyel AT gmail DOT com> wrote:
> >  ... the wait completes and then
> >
> >  wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 5539
> >  --- SIGCHLD (Child exited) @ 0 (0) ---
> >  wait4(-1,
>
> Does this repeat?  It may be running the changer through a number of slots.
>
> If you use the '-f' flag to strace, it will trace the children, too.
> You should be able to see an 'exec' after the clones.  It will be a
> lot of data, but it's not too hard to search through.
>
>
> Dustin
>
> --
> Storage Software Engineer
> http://www.zmanda.com
>

Now I see something in /var/messages I did not see before: an SELinux alert.
I'll try setting the boolean below. This is probably because amanda
is in LDAP instead of /etc/passwd.

[root@opennms log]#  sealert -l 93bb144d-f3ca-4dfa-945c-b77c728f571e
Summary
    SELinux is preventing /usr/lib/amanda/amandad (amanda_t) "name_connect"
    access to <Unknown> (ldap_port_t).

Detailed Description
    SELinux denied access requested by /usr/lib/amanda/amandad. It is not
    expected that this access is required by /usr/lib/amanda/amandad and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "amanda_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P amanda_disable_trans=1."

    The following command will allow this access:
    setsebool -P amanda_disable_trans=1

Additional Information

Source Context                user_u:system_r:amanda_t
Target Context                system_u:object_r:ldap_port_t
Target Objects                None [ tcp_socket ]
Affected RPM Packages         amanda-client-2.5.0p2-4 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     opennms.gc.cuny.edu
Platform                      Linux opennms.gc.cuny.edu 2.6.18-8.1.15.el5 #1 SMP
                              Mon Oct 22 08:32:04 EDT 2007 i686 i686
Alert Count                   550
Line Numbers

Raw Audit Messages

avc: denied { name_connect } for comm="amandad" dest=389 egid=6 euid=1003
exe="/usr/lib/amanda/amandad" exit=-13 fsgid=6 fsuid=1003 gid=6 items=0 pid=7014
scontext=user_u:system_r:amanda_t:s0 sgid=6 subj=user_u:system_r:amanda_t:s0
suid=1003 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none)
uid=1003
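
The alert's "Allowing Access" text mentions a local policy module as the alternative to disabling SELinux protection for amandad altogether. As an added illustration (not part of the original message and not Amanda or Red Hat code), this Python example parses the raw AVC record shown above and renders type-enforcement source that permits only that one access; the module name `amandaldap` is a made-up placeholder.

```python
import re

# The raw audit message from the alert above, joined onto one line.
AVC = ('avc: denied { name_connect } for comm="amandad" dest=389 egid=6 euid=1003 '
       'exe="/usr/lib/amanda/amandad" exit=-13 fsgid=6 fsuid=1003 gid=6 items=0 pid=7014 '
       'scontext=user_u:system_r:amanda_t:s0 sgid=6 subj=user_u:system_r:amanda_t:s0 '
       'suid=1003 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none) '
       'uid=1003')

def parse_avc(record):
    """Return (source_type, target_type, object_class, permissions) for one denial."""
    perms = re.search(r'avc:\s+denied\s+\{([^}]*)\}', record)
    if perms is None:
        raise ValueError('not an AVC denial')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        raise ValueError('AVC record lacks scontext, tcontext or tclass')
    return stype, ttype, tclass, sorted(set(perms.group(1).split()))

def te_module(name, records):
    """Render type-enforcement source allowing only the accesses that were denied."""
    rules = {}
    for rec in records:
        stype, ttype, tclass, perms = parse_avc(rec)
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['    type %s;' % t for t in types]
    out += ['    class %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), p in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p))))
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(te_module('amandaldap', [AVC]))  # 'amandaldap' is a hypothetical module name
```

The printed source is the kind of file that `checkmodule`, `semodule_package` and `semodule -i` compile and load; the single `allow` rule leaves amandad confined to `amanda_t` and adds only the LDAP connection.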