On 04/27/2010 11:41 AM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 17:01:26 +0200
> Dominick Grift <domg472@xxxxxxxxx> wrote:
>
>> On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>
>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>>
>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>> point my browser at my local BackupPC server page I get an
>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>
>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Now I know I could change the context of that socket file but
>>>>>>> I'm guessing that it gets created every time and so that is
>>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
>>>>>>> install?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>> What directory is the socket in?
>>>>>
>>>>> /var/log/BackupPC
>>>>>
>>>>> Steve
>>>>
>>>> The BackupPC package comes with labeling in F12/F13 of
>>>> httpd_sys_content_t.
>>>>
>>>> # matchpathcon /var/log/BackupPC/
>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> Execute the following, should fix the problem
>>>>
>>>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>>>> # restorecon -R -v /var/log/BackupPC
>>>
>>> No luck.
>>>
>>> This did relabel the files in /var/log/BackupPC
>>>
>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>
>> This pid and sock need to mv to /var/run, I asked backuppc packager
>> to do this long time ago but for some reason not fixed yet
>>
>
> I posted another message to the BackupPC list to try and find that
> status on your request but I didn't get an answer to my first question
> so I'm not holding my breath.
>
> In the meantime, would this work as a temporary workaround?
>
> # semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
> # semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
> # restorecon -R -v /var/log/BackupPC

No, that is wrong. httpd_sys_content_t is the correct label. httpd_t is a
process label not a file label.

>
> Thanks,
> Steve
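
An added example, not part of the thread and not written by any of its participants: a small Python parser for the AVC record quoted above, which flags a type proposed for `semanage fcontext -t` when the record itself shows that type running as a process domain. The function names and the rule that a source role other than `object_r` marks a process are assumptions of this example; the expected type comes from the `matchpathcon` output in the thread.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied '
    '{ write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 '
    'ino=36667496 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    user, role, type_, *level = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_, 'level': ':'.join(level)}


def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['scontext'] = split_context(rec['scontext'])
    rec['tcontext'] = split_context(rec['tcontext'])
    return rec


def review_file_type(proposed_type, expected_type, rec):
    """Check a type proposed for `semanage fcontext -t` against one denial record."""
    findings = []
    src, tgt = rec['scontext'], rec['tcontext']
    # Assumption: a source role other than object_r means the source is a process.
    if src['role'] != 'object_r' and proposed_type == src['type']:
        findings.append(f"{proposed_type} is the process domain in this denial, not a file type")
    if tgt['type'] != expected_type:
        name = rec.get('name', 'target')
        findings.append(f"{name} is labelled {tgt['type']}, expected {expected_type}")
    return findings


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    for finding in review_file_type('httpd_t', 'httpd_sys_content_t', record):
        print(finding)
```
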