On Mon, Apr 26, 2010 at 09:47:31AM -0400, Steve Blackwell wrote:
> On Mon, 26 Apr 2010 09:27:34 +0200
> Dominick Grift <domg472@xxxxxxxxx> wrote:
> >
> > > > > [root@steve ~]# fixfiles
> > > > > restore ********************/sbin/setfiles: unable to stat
> > > > > file /home/steve/.gvfs: Permission denied
> > > > > /sbin/setfiles: error while labeling /: Permission
> > > > > denied
> > > > > /sbin/setfiles: error while labeling /boot: Permission
> > > > > denied
> > > > > /sbin/setfiles: error while
> > > > > labeling /media/blah-blah: Permission denied
> > > >
> > > > in /etc/selinux/config set "SELINUX=permissive"
> > > >
> > > > then do: touch /.autorelabel && reboot
> > > >
> > >
> > > OK, I did that and I still get these messages in /var/log/dmesg:
> >
> > If relabeling succeeded these issues should be fixed now.
> > You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"
> >
> > if the type returned is mysqld_initrc_exec_t, then it's fixed
> > if the type returned is unlabeled_t, then something went wrong.
>
> The type is mysqld_initrc_exec_t so it must be fixed.
> Things have definitely improved. I'm not getting streams of AVCs any
> more when I open the services GUI. Thank you, Dominick!
>
> I do still have one (so far) problem though. When I tried to point my
> browser at my local BackupPC server page I get an "Unable to Connect"
> message and an AVC:

Yes, SELinux is still not playing nice with backuppc.

I think the rpm of backuppc includes a SELinux policy, but I am not sure
if that is installed by default. I do know that this policy needs a lot
of work, and in fact some time ago I started creating a new policy for
backuppc. But I stumbled upon some packaging issues that I wanted
resolved first before I went ahead and completed the policy.

I never got to that point, but I will consider revisiting backuppc
policy.

I do still have my attempt to write policy for backuppc here:

git clone git://217.19.27.98/selinux-modules.git

But as said, it is incomplete.

>
> Raw Audit Messages :
> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied
> { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0
> ino=36667496 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> Now I know I could change the context of that socket file but I'm
> guessing that it gets created every time and so that is not a permanent
> solution. Is there a boolean I need to set; nothing looked obvious or
> perhaps a BackupPC policy I need to install?
>
> Thanks,
> Steve
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
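Added example, not part of the original thread: the AVC and SYSCALL records quoted above share one event id inside msg=audit(...), so they describe the same denial and can be merged into a single view of which domain asked for what on which label, and how the call failed. The function names (kv, se_type, summarize) are hypothetical; the two records are the ones from the message, rejoined onto single lines.

```python
import errno
import re
import shlex

# Both records are copied from the message above, rejoined onto one line each.
RECORDS = [
    'node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied '
    '{ write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 '
    'ino=36667496 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file',
    'node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): '
    'arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 '
    'a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 '
    'gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) '
    'ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" '
    'subj=system_u:system_r:httpd_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')

def kv(text):
    """Split key=value tokens; shlex strips the quotes around comm/name/exe."""
    return dict(t.split("=", 1) for t in shlex.split(text) if "=" in t)

def se_type(context):
    """Type field of user:role:type:level (the level may itself contain ':')."""
    return context.split(":", 3)[2]

def summarize(records):
    """Group records by audit event id and merge each AVC with its SYSCALL."""
    events = {}
    for m in filter(None, map(HEADER.search, records)):
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        if rtype == "AVC":
            result, perms, rest = AVC.match(body).groups()
            f = kv(rest)
            ev.update(result=result, perms=perms.split(), name=f.get("name"),
                      source=se_type(f["scontext"]),
                      target=se_type(f["tcontext"]), tclass=f["tclass"])
        elif rtype == "SYSCALL":
            f = kv(body)
            code = int(f["exit"])
            ev.update(exe=f["exe"], uid=int(f["uid"]), euid=int(f["euid"]),
                      error=errno.errorcode.get(-code) if code < 0 else None)
    return events

print(summarize(RECORDS))
```

The merged event reads as: httpd_t was denied write on the sock_file BackupPC.sock, which carries the generic var_log_t label, and the call from /usr/bin/perl5.10.0 failed with EACCES.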