On Tue, Apr 15, 2008 at 6:20 PM, Dustin J. Mitchell <dustin AT zmanda DOT com>
wrote:
> On Tue, Apr 15, 2008 at 6:15 PM, FL <lengyel AT gmail DOT com> wrote:
> > ... the wait completes and then
> >
> > wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 5539
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > wait4(-1,
>
> Does this repeat? It may be running the changer through a number of slots.
>
> If you use the '-f' flag to strace, it will trace the children, too.
> You should be able to see an 'exec' after the clones. It will be a
> lot of data, but it's not too hard to search through.
>
>
> Dustin
>
> --
> Storage Software Engineer
> http://www.zmanda.com
>
Now I see something in /var/messages I did not see before: an SELinux alert.
I'll try setting the boolean below. This is probably because amanda
is in ldap instead of /etc/passwd.
[root@opennms log]# sealert -l 93bb144d-f3ca-4dfa-945c-b77c728f571e
Summary
SELinux is preventing /usr/lib/amanda/amandad (amanda_t) "name_connect"
access to <Unknown> (ldap_port_t).
Detailed Description
SELinux denied access requested by /usr/lib/amanda/amandad. It is not
expected that this access is required by /usr/lib/amanda/amandad and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown>. There is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
disable SELinux protection entirely for the application. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Changing the "amanda_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P amanda_disable_trans=1."
The following command will allow this access:
setsebool -P amanda_disable_trans=1
Additional Information
Source Context user_u:system_r:amanda_t
Target Context system_u:object_r:ldap_port_t
Target Objects None [ tcp_socket ]
Affected RPM Packages amanda-client-2.5.0p2-4 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.disable_trans
Host Name opennms.gc.cuny.edu
Platform Linux opennms.gc.cuny.edu 2.6.18-8.1.15.el5 #1 SMP
Mon Oct 22 08:32:04 EDT 2007 i686 i686
Alert Count 550
Line Numbers
Raw Audit Messages
avc: denied { name_connect } for comm="amandad" dest=389 egid=6 euid=1003
exe="/usr/lib/amanda/amandad" exit=-13 fsgid=6 fsuid=1003 gid=6 items=0 pid=7014
scontext=user_u:system_r:amanda_t:s0 sgid=6 subj=user_u:system_r:amanda_t:s0
suid=1003 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none)
uid=1003
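
Added example, not part of the original post and not Amanda or Red Hat code: the alert offers two remedies, the amanda_disable_trans boolean, which turns off SELinux protection for the whole application, and a local policy module. The sketch below is a simplified stand-in for what audit2allow does: it parses the raw audit message quoted above and renders a module that permits only the denied access. The module name local_amanda_ldap is hypothetical.

```python
import re

# Raw audit message from the sealert output above, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { name_connect } for comm="amandad" dest=389 egid=6 euid=1003 '
    'exe="/usr/lib/amanda/amandad" exit=-13 fsgid=6 fsuid=1003 gid=6 items=0 pid=7014 '
    'scontext=user_u:system_r:amanda_t:s0 sgid=6 subj=user_u:system_r:amanda_t:s0 '
    'suid=1003 tclass=tcp_socket tcontext=system_u:object_r:ldap_port_t:s0 tty=(none) '
    'uid=1003'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # An SELinux context is user:role:type[:level]; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"source": source, "target": target, "tclass": tclass,
            "perms": sorted(m.group(1).split()), "dest": fields.get("dest")}


def te_module(denials, name="local_amanda_ldap"):  # module name is hypothetical
    """Render a type-enforcement module covering exactly the given denials."""
    rules = {}
    for d in denials:
        rules.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = {}
    for (_, _, c), p in rules.items():
        classes.setdefault(c, set()).update(p)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), p in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out) + "\n"
```

For the message above this yields a single rule, allow amanda_t ldap_port_t:tcp_socket { name_connect };, which lets amandad connect to any port labelled ldap_port_t while the rest of the amanda_t confinement stays in force. The generated text would be compiled and loaded with checkmodule, semodule_package and semodule.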