Re: Help with messed up F11 SELinux

On Tue, 27 Apr 2010 17:01:26 +0200
Dominick Grift <domg472@xxxxxxxxx> wrote:

> On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
> > On Tue, 27 Apr 2010 08:45:25 -0400
> > Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > > > On Mon, 26 Apr 2010 11:11:00 -0400
> > > > Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > > 
> > > > 
> > > >>> I do still have one (so far) problem though. When I tried to
> > > > >>> point my browser at my local BackupPC server page I get an
> > > >>> "Unable to Connect" message and an AVC:
> > > >>>
> > > >>> Raw Audit Messages :
> > > >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
> > > >>> avc: denied { write } for pid=31707 comm="perl5.10.0"
> > > >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> > > >>> scontext=system_u:system_r:httpd_t:s0
> > > >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> > > >>>
> > > >>> node=steve.blackwell type=SYSCALL
> > > >>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
> > > >>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
> > > >>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
> > > >>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > > >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> > > >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > > >>> key=(null)
> > > >>>
> > > >>> Now I know I could change the context of that socket file but
> > > >>> I'm guessing that it gets created every time and so that is
> > > >>> not a permanent solution. Is there a boolean I need to set;
> > > >>> nothing looked obvious or perhaps a BackupPC policy I need to
> > > >>> install?
> > > >>>
> > > >>> Thanks,
> > > >>> Steve
> > > >>> --
> > > >>> selinux mailing list
> > > >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > >>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >>>
> > > >>>
> > > >> What directory is the socket in?
> > > > 
> > > > /var/log/BackupPC
> > > > 
> > > > Steve
> > > 
> > > The BackupPC package comes with labeling in F12/F13 of
> > > httpd_sys_content_t.
> > > 
> > > # matchpathcon /var/log/BackupPC/
> > > /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
> > > 
> > > Execute the following, should fix the problem
> > > 
> > > # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
> > > # restorecon -R -v /var/log/BackupPC
> > 
> > No luck.
> > 
> > This did relabel the files in /var/log/BackupPC
> > 
> > [root@steve ~]# ls -lZ /var/log/BackupPC
> > -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> > srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> 
> This pid and sock need to mv to /var/run, I asked backuppc packager
> to do this long time ago but for some reason not fixed yet
> 

I posted another message to the BackupPC list to try and find that
status on your request but I didn't get an answer to my first question
so I'm not holding my breath.

In the meantime, would this work as a temporary workaround?

# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
# semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
# restorecon -R -v /var/log/BackupPC

Thanks,
Steve
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
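
Added example, not part of the original thread: a small Python reader for the two audit records quoted above, showing that httpd_t was denied write on a sock_file labelled var_log_t and that the failing call was connect() returning EACCES. It assumes the i386 socketcall numbering implied by arch=40000003 and syscall=102; the function names are hypothetical.

```python
import errno
import re

# The two audit records from the message above, re-joined from the wrapped quote.
AVC = ('node=steve.blackwell type=AVC msg=audit(1272289200.98:138): '
       'avc: denied { write } for pid=31707 comm="perl5.10.0" '
       'name="BackupPC.sock" dev=dm-0 ino=36667496 '
       'scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file')
SYSCALL = ('node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): '
           'arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 '
           'a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 '
           'uid=48 gid=48 euid=495 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"')

# i386 multiplexes socket operations through socketcall(2); a0 selects the call.
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {k: v.strip('"') for k, v in pairs}

def parse_avc(record):
    """Extract permissions, source/target types and class from an AVC denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', record)
    if m is None:
        raise ValueError("not an AVC denial")
    f = fields(record)
    return {"perms": m.group(1).split(),
            "source": f["scontext"].split(":")[2],  # user:role:type:level
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "name": f["name"]}

def describe_syscall(record):
    """Name the failed call and its errno for an i386 SYSCALL record."""
    f = fields(record)
    call = "syscall " + f["syscall"]
    if f["arch"] == "40000003" and f["syscall"] == "102":
        call = SOCKETCALL.get(int(f["a0"], 16), "socketcall")  # a0 is hex
    return call, errno.errorcode[-int(f["exit"])]

def rule_text(avc):
    """Express the denied access in policy notation (describes the denial)."""
    p = avc["perms"]
    perms = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
    return "allow %s %s:%s %s;" % (avc["source"], avc["target"], avc["tclass"], perms)

if __name__ == "__main__":
    print(rule_text(parse_avc(AVC)), describe_syscall(SYSCALL))
```

The target type read from the record is var_log_t, the label the socket carried at the time of the denial, which is why the relabel of /var/log/BackupPC changes which types appear in any later AVC.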