On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 11:31:57 -0400
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>
>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>>
>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>> point my browser at my local BackupPC server page I get an
>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>
>>>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
>>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Now I know I could change the context of that socket file but
>>>>>>> I'm guessing that it gets created every time and so that is not
>>>>>>> a permanent solution. Is there a boolean I need to set; nothing
>>>>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>> What directory is the socket in?
>>>>>
>>>>> /var/log/BackupPC
>>>>>
>>>>> Steve
>>>>
>>>> The BackupPC package comes with labeling in F12/F13 of
>>>> httpd_sys_content_t.
>>>>
>>>> # matchpathcon /var/log/BackupPC/
>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> Execute the following, should fix the problem
>>>>
>>>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>>>> # restorecon -R -v /var/log/BackupPC
>>>
>>> No luck.
>>>
>>> This did relabel the files in /var/log/BackupPC
>>>
>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>> ...
>>>
>>> but SELinux still won't let me access the server. I get a slightly
>>> different but essentially the same AVC as before:
>>>
>>> Raw Audit Messages :
>>>
>>> node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc:
>>> denied { write } for pid=31612 comm="perl5.10.0"
>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>> key=(null)
>>>
>>> So it looks to my untrained eye that we have a process with context
>>> system_u:system_r:httpd_t:s0
>>> trying to write to a file that has a context
>>> system_u:object_r:httpd_sys_content_t:s0
>>>
>>> and there is no rule to say that this is OK. Is that about right?
>>>
>>> Thanks,
>>> Steve
>>
>> You can add the ok rule using audit2allow
>>
>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
>> # semodule -i mybackuppc.pp
>
> OK, a little progress. Now I am getting a socket connect denial.
> Will repeating the audit2allow process correct this?
>
> Thanks,
> Steve

yes
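An added example, not part of the thread and not code from the SELinux tools: a small Python parser for the raw audit records Steve pasted. It pairs each AVC with its SYSCALL record by event serial, pulls out the source type, target type, object class and permission that decide the fix, and renders the allow rule audit2allow would emit for that denial, so the grant can be read before semodule -i makes it permanent. The two log lines are the records from the thread, constructed here as an inline string.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the thread, each
# on one line as they appear in /var/log/audit/audit.log (same event serial).
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')  # the { write } permission set
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')     # serial shared by AVC and SYSCALL

def parse_record(line):
    """Parse one audit.log line into a dict; adds 'event' and, for AVCs, 'perms'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec['event'] = EVENT_RE.search(line).group(1)
    m = PERMS_RE.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec

def group_events(log_text):
    """Join the AVC and SYSCALL records of each event under its serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['event']][rec['type']] = rec
    return dict(events)

def denial_summary(event):
    """Reduce an event to what decides the fix: source type, target type, class, perms."""
    avc, syscall = event['AVC'], event.get('SYSCALL', {})
    return {
        'source_type': avc['scontext'].split(':')[2],   # e.g. httpd_t
        'target_type': avc['tcontext'].split(':')[2],   # e.g. httpd_sys_content_t
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'exe': syscall.get('exe'),
        'failed': syscall.get('success') == 'no',
    }

def audit2allow_rule(summary):
    """The allow rule audit2allow would emit for this denial; read it before semodule -i."""
    perms = summary['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {summary['source_type']} {summary['target_type']}:{summary['tclass']} {perm_str};"
```

For the thread's second denial this yields allow httpd_t httpd_sys_content_t:sock_file write; which is a standing grant to everything running as httpd_t rather than a labeling change, so it is worth confirming that is the intended outcome before loading the module.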