From: Brad Willson <bwil150n@u.washington.edu>
To: selinux@tycho.nsa.gov
Subject: Re: SEL+RHEL4+Amanda, targeted policy 18, enforcing
Date: Tue, 07 Mar 2006 09:52:16 -0800
Message-ID: <440DC850.8070105@u.washington.edu>
In-Reply-To: <1141737506.19447.214.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
>On Mon, 2006-03-06 at 22:01 -0800, Brad Willson wrote:
>
>>Running SELinux enforcing mode does not allow amanda to connect and do
>>backups.
>
>What 'avc: denied' messages are you getting in /var/log/messages
>or /var/log/audit/audit.log?
That depends on the machine. One box reports no 'avc: denied' messages
whatsoever while on another there are over 4000 entries, both using
policy.18. Is there a quick and dirty way of turning on auditing?
Neither machine has an audit.log.
>>Following the logic that named.fc needs a companion named.te, the first
>>thing I have noticed is the lack of an amanda.te file in this particular
>>distribution. What I find odd is there are several diffs on this list
>>specifically for amanda.te. I have located what appears to be a
>>complete amanda.te file from another distribution, but when I try to
>>recompile the policy, it spews errors then fails, e.g.
>
>RHEL4 targeted policy didn't include the amanda policy. Targeted policy
>started as a very small subset of the overall example policy, but has
>grown significantly since RHEL4 was released (but those changes are
>feeding into Fedora and should be included in future RHEL releases, not
>RHEL4 updates, IIUC). See
>http://fedoraproject.org/wiki/SELinux/
>>Building file_contexts ...
>>/usr/bin/checkpolicy -o policy.18 policy.conf
>>/usr/bin/checkpolicy: loading policy configuration from policy.conf
>>domains/program/amanda.te:143:ERROR 'syntax error' at token
>>'can_network_server' on line 4181:
>
>This reflects the fact that the amanda.te file you grabbed uses a macro
>(can_network_server) that didn't exist in the policy at the time RHEL4
>was created.
Makes good sense.
>>Since the first send bounced back, I also tried strict/enforcing and
>>found myself in even deeper trouble, but still without a successful
>>backup. My next test is to relax targeted policy to permissive so I can
>>audit the errors for clues.
>
>Just check for avc denied messages in your logs and report them.
Strict/enforcing has the amanda policy, but it locked root out of bash
(not a happy situation), so that's not an option on the remote machines.
The other edge of the sword is that targeted/enforcing is running on a
firewall; I don't want to drop my guard on that one, albeit relaxed from
strict. I have to resolve backup, monitoring, public services, and
remote access issues before I unleash this on the firewalls.
Thanks!
--
Brad Willson
Sr. Computer Specialist
UW GeneTests, http://www.genetests.org
EM: bwil150n@u.washington.edu
W: 206.221.4674, C: 425.891.2732
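Stephen's request above is for the 'avc: denied' lines themselves, and the earlier reply mentions a box with over 4000 of them. The script below is an added example (not part of the thread, and not a tool from the SELinux or Amanda projects) that reduces such a log to its unique source-context/target-context/class/permission tuples with a count for each, which is the form in which denials are usually reported. It accepts both the syslog style that the kernel emits through printk when no audit daemon is running (/var/log/messages) and the audit.log style. The four sample lines are constructed for the example; the domain and type names in them (initrc_t, port_t, etc_t) are placeholders, not what the poster's RHEL4 hosts would actually log.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials found in
# /var/log/messages-style or /var/log/audit/audit.log-style lines.
#
# Sample input, constructed for this example. Domain/type names are
# placeholders; three denials, two distinct tuples, one unrelated line.
AVC_SAMPLE='Mar  7 09:40:01 host kernel: audit(1141738801.123:45): avc:  denied  { name_connect } for  pid=1234 comm="amandad" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1141738801.456:46): avc:  denied  { read } for  pid=1235 comm="amandad" name="disklist" dev=sda1 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
Mar  7 09:40:02 host kernel: audit(1141738802.789:47): avc:  denied  { name_connect } for  pid=1236 comm="amandad" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Mar  7 09:40:03 host sshd[999]: Accepted publickey for root from 10.0.0.5'

# avc_summary: read log lines on stdin, print one line per distinct
#   "comm scontext tcontext tclass { perms }" tuple, prefixed by how many
#   times it was denied, most frequent first. Lines without an AVC denial
#   are ignored, so the whole log file can be fed in unfiltered.
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = ""; sc = ""; tc = ""; cls = ""; comm = ""
        # the permission set is the first { ... } group on the line
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # key=value fields are whitespace separated in both log formats
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) sc   = substr($i, 10)
            if ($i ~ /^tcontext=/) tc   = substr($i, 10)
            if ($i ~ /^tclass=/)   cls  = substr($i, 8)
            if ($i ~ /^comm=/)     comm = substr($i, 6)
        }
        key = comm " " sc " " tc " " cls " { " perms " }"
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Stand-alone demo on the constructed sample; on a real host use
#   avc_summary < /var/log/messages
#   avc_summary < /var/log/audit/audit.log
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On the sample this prints two lines: the tcp_socket name_connect tuple with a count of 2 and the etc_t file read tuple with a count of 1. The summarised tuples, rather than thousands of raw lines, are what to post when asked for the denials; if the intent is to collect every denial in one pass instead of stopping at the first one, switching to permissive with `setenforce 0` (and back with `setenforce 1`) is the usual way to do it.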
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
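The checkpolicy failure quoted above (a 'syntax error' at can_network_server) is, as Stephen says, a .te file calling an m4 macro that the older policy tree never defines. The following is an added example (not from the thread, and not a tool shipped with the policy sources) that finds every such macro before running checkpolicy: it lists the `name(` calls in a .te file and reports those without a "define(`name'" anywhere under the tree's macros/ directory, skipping m4 builtins such as ifdef. The policy tree it runs against is constructed in a temporary directory; the macro bodies and the amanda.te contents are placeholders, not the real RHEL4 or example policy.

```shell
#!/bin/sh
# Added example, not from the thread: report the m4 macros a .te file uses
# that an (older) example-policy tree does not define in its macros/ dir.

# m4 builtins are available without any define() in macros/
M4_BUILTINS='define dnl ifdef ifelse include undefine'

# missing_macros TE_FILE MACROS_DIR
#   prints, one per line and sorted, every identifier used as "name(" in
#   TE_FILE for which no "define(`name'" exists in any file under MACROS_DIR
missing_macros() {
    te="$1"; macros="$2"
    grep -o '[A-Za-z_][A-Za-z0-9_]*(' "$te" | tr -d '(' | sort -u |
    while read -r name; do
        case " $M4_BUILTINS " in *" $name "*) continue ;; esac
        grep -rq "define(\`$name'" "$macros" || echo "$name"
    done
}

# build_sample_tree DIR
#   writes a constructed, placeholder policy tree: macros/ defines
#   can_network and can_exec only, and amanda.te also calls
#   can_network_server, which the tree lacks.
build_sample_tree() {
    mkdir -p "$1/macros" "$1/domains/program"
    cat > "$1/macros/global_macros.te" <<'EOF'
dnl placeholder macro bodies, constructed for this example
define(`can_network', `
allow $1 self:tcp_socket create_socket_perms;
')
define(`can_exec', `
allow $1 $2:file { read execute };
')
EOF
    cat > "$1/domains/program/amanda.te" <<'EOF'
type amanda_t, domain;
can_network(amanda_t)
can_network_server(amanda_t)
ifdef(`ssh.te', `
can_exec(amanda_t, ssh_exec_t)
')
EOF
}

# Stand-alone demo: against a real tree run
#   missing_macros domains/program/amanda.te macros
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
missing_macros "$demo_dir/domains/program/amanda.te" "$demo_dir/macros"
rm -rf "$demo_dir"
```

On the sample tree this prints only can_network_server. Each name it reports is a macro that must be either added to macros/ (ported from the newer tree along with whatever it depends on) or expanded by hand in the .te file before checkpolicy will accept it; the check is lexical, so a name in a comment is reported as well.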
Thread overview: 5+ messages
2006-03-07 6:01 SEL+RHEL4+Amanda, targeted policy 18, enforcing Brad Willson
2006-03-07 13:18 ` Stephen Smalley
2006-03-07 17:52 ` Brad Willson [this message]
2006-03-07 18:43 ` Stephen Smalley
2006-03-07 19:13 ` Brad Willson