FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 07-30-2008, 01:00 AM
"Aleksey Tsalolikhin"
 
Default SELinux issue with BackupPC 3.1.0 on Fedora 6

Hi. I am trying to get BackupPC working on a Fedora Core 6 server.

I installed BackupPC with "yum install backuppc" and "yum install httpd".

But when I fire up the Web interface, it says

Error: Unable to connect to BackupPC server


And I have an SE Linux error message:

avc: denied { write } for pid=5120 comm="perl5.8.8"
name="BackupPC.sock" dev=dm-0 ino=56393744
scontext=user_u:system_r:httpd_t:s0
tcontext=user_ubject_r:var_log_t:s0 tclass=sock_file

If I turn off SE Linux, BackupPC works fine. But per our policy,
this server must have SE Linux turned on.

How to make this work, please?

Best,
Aleksey

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-30-2008, 02:21 AM
Todd Zullinger
 
Default SELinux issue with BackupPC 3.1.0 on Fedora 6

Aleksey Tsalolikhin wrote:
> If I turn off SE Linux, BackupPC works fine. But per our policy,
> this server must have SE Linux turned on.

What's the point of a policy that requires SELinux to be enabled yet
allows a server to run an OS release that stopped receiving any
updates well over a year ago?

> How to make this work, please?

You could look at audit2why and audit2allow, as well as the SELinux
policy for RHEL/CentOS (though I don't know if BackupPC is handled in
that policy or not).

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
It is OK to let your mind go blank, but please turn off the sound.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-30-2008, 05:10 AM
Kevin Kofler
 
Default SELinux issue with BackupPC 3.1.0 on Fedora 6

Aleksey Tsalolikhin <atsaloli.tech <at> gmail.com> writes:
> Hi. I am trying to get BackupPC working on a Fedora Core 6 server.

FC6 is no longer supported. Upgrade the f***ing server NOW! Don't rely on
SELinux alone for security.

Kevin Kofler

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-30-2008, 07:50 AM
Tony Molloy
 
Default SELinux issue with BackupPC 3.1.0 on Fedora 6

On Wednesday 30 July 2008 02:00:18 Aleksey Tsalolikhin wrote:
> Hi. I am trying to get BackupPC working on a Fedora Core 6 server.
>
> I installed BackupPC with "yum install backuppc" and "yum install httpd".
>
> But when I fire up the Web interface, it says
>
> Error: Unable to connect to BackupPC server
>
>
> And I have an SE Linux error message:
>
> avc: denied { write } for pid=5120 comm="perl5.8.8"
> name="BackupPC.sock" dev=dm-0 ino=56393744
> scontext=user_u:system_r:httpd_t:s0
> tcontext=user_ubject_r:var_log_t:s0 tclass=sock_file
>
> If I turn off SE Linux, BackupPC works fine. But per our policy,
> this server must have SE Linux turned on.
>
> How to make this work, please?
>
> Best,
> Aleksey

First you really should upgrade to a supported version of Fedora or to CentOS.

Second I have a very similar problem with BackupPC on CentOS 5.2. I installed
BackupPC from source rather than use the rpm in the CentOS testing repos.
Everything is working fine except for a similar "BackupPC.sock" SELinux
error.


type=AVC msg=audit(1216986223.223:145): avc: denied { write } for pid=7667
comm="httpd" name="BackupPC.sock" dev=sda5 ino=3094722
scontext=root:system_r:httpd_t:s0
tcontext=rootbject_r:httpd_sys_content_t:s0 tclass=sock_file

What I did as a temporary workaround was to disable SELinux protection for the
httpd daemon.

I then generated and installed a local policy to allow access.

1. Generate local policy

$ grep http /var/log/audit/audit.log | audit2allow -m myhttp > myhttp.te

2. Compile the module
$ checkmodule -M -m -o local.mod myhttp.te

3. Create the package
$ semodule_package -o myhttp.pp -m local.mod

4 Load the module into the kernel
$ semodule -i myhttp.pp


Now to see if that works ;-)

Seems to. I can now access the GUI with SELinux enabled for the httpd daemon.

Tony.



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-30-2008, 05:02 PM
"Aleksey Tsalolikhin"
 
Default SELinux issue with BackupPC 3.1.0 on Fedora 6

Thanks for your kind replies. I'll upgrade the server's distro as priority #1.

Thanks, Tony, for posting the SE Linux troubleshooting / remediation.
I'm new to SE Linux and this was helpful.

Best,
Aleksey

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 

Thread Tools




All times are GMT. The time now is 07:17 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org