On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>
>>>>> I do still have one (so far) problem though. When I tried to point
>>>>> my browser at my local BackupPC server page I get an "Unable to
>>>>> Connect" message and an AVC:
>>>>>
>>>>> Raw Audit Messages :
>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>
>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>> key=(null)
>>>>>
>>>>> Now I know I could change the context of that socket file but I'm
>>>>> guessing that it gets created every time and so that is not a
>>>>> permanent solution. Is there a boolean I need to set; nothing
>>>>> looked obvious, or perhaps a BackupPC policy I need to install?
>>>>>
>>>>> Thanks,
>>>>> Steve
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
>>>>>
>>>> What directory is the socket in?
>>>
>>> /var/log/BackupPC
>>>
>>> Steve
>>
>> The BackupPC package comes with labeling in F12/F13 of
>> httpd_sys_content_t.
>>
>> # matchpathcon /var/log/BackupPC/
>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>
>> Execute the following; it should fix the problem:
>>
>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>> # restorecon -R -v /var/log/BackupPC
>
> No luck.
>
> This did relabel the files in /var/log/BackupPC
>
> [root@steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> ...
>
> but SELinux still won't let me access the server. I get a slightly
> different but essentially the same AVC as before:
>
> Raw Audit Messages :
>
> node=steve.blackwell type=AVC
> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> So it looks to my untrained eye that we have a process with context
> system_u:system_r:httpd_t:s0
> trying to write to a file that has a context
> system_u:object_r:httpd_sys_content_t:s0
>
> and there is no rule to say that this is OK. Is that about right?
>
> Thanks,
> Steve

You can add the ok rule using audit2allow:

# grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
# semodule -i mybackuppc.pp
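Added example, not part of the thread and not the audit2allow tool itself: a small shell function that derives, from the AVC records posted above, the `allow` rule that the `grep ... | audit2allow -M mybackuppc` step would write into the module's .te file, so the rule can be read before it is built and loaded with `semodule`. The sample records in `AVC_SAMPLE` are constructed copies of the two denials in the thread (the `node=` prefixes dropped and one SYSCALL record kept as noise); `avc_to_te` and `avc_to_te_for_type` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): show what audit2allow derives from
# an AVC denial, offline, on constructed copies of the thread's records.

AVC_SAMPLE='type=AVC msg=audit(1272289200.98:138): avc:  denied  { write } for  pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1272379639.571:319): avc:  denied  { write } for  pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file'

# avc_to_te: read audit records on stdin and print one
#   allow <source type> <target type>:<class> <permission>;
# line per distinct denied permission. Only "type=AVC ... denied" records
# count; SYSCALL records and granted AVCs are ignored. The source and
# target types are the third field of the user:role:type:level contexts.
avc_to_te() {
  awk '
    /type=AVC/ && / denied / {
      src = ""; tgt = ""; cls = ""; n = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # permissions sit between "{" and "}" and there may be several
          for (j = i + 1; j <= NF && $j != "}"; j++) perms[++n] = $j
        } else if (index($i, "scontext=") == 1) {
          split(substr($i, 10), a, ":"); src = a[3]
        } else if (index($i, "tcontext=") == 1) {
          split(substr($i, 10), a, ":"); tgt = a[3]
        } else if (index($i, "tclass=") == 1) {
          cls = substr($i, 8)
        }
      }
      for (k = 1; k <= n; k++)
        print "allow " src " " tgt ":" cls " " perms[k] ";"
      split("", perms)
    }' | sort -u
}

# avc_to_te_for_type: the same, restricted to denials whose target type
# is $1, mirroring the "grep httpd_sys_content_t | audit2allow" pipeline.
avc_to_te_for_type() {
  grep "tcontext=[^ ]*:$1:" | avc_to_te
}

# Stand-alone run: rules for every denial in the sample, then only the
# one against the relabeled socket.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te
printf '%s\n' "$AVC_SAMPLE" | avc_to_te_for_type httpd_sys_content_t
```

The rule this prints for the second denial, `allow httpd_t httpd_sys_content_t:sock_file write;`, lets httpd_t write to every socket labeled httpd_sys_content_t on the system, not only BackupPC's. Before loading such a module it is worth running `sesearch -A -s httpd_t -c sock_file -p write` to see which types httpd_t is already allowed to write sockets of, and considering a `semanage fcontext` entry for the socket path alone that picks one of those types, which keeps the web content label read-only for httpd_t.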