On Sun, 2012-12-16 at 18:59 +0100, Gabriele Pohl wrote:
> Hi all,
>
> I reinstalled BackupPC BackupPC-3.2.1-7.fc17.i686
> on my Fedora 17 machine.
>
> (The reason is that I have a new backup disk,
> which is mounted in /var/lib/BackupPC, and
> I wanted the installation to create the directories
> there and set the appropriate SELinux privileges.)
>
> httpd runs under user backuppc on this host.
> The backuppc service is started.
>
> When I call the CGI interface I see the
> following message on screen:
>
> -------------- snip --------------
> Error: Unable to connect to BackupPC server
>
> This CGI script (/backuppc) is unable to connect to the BackupPC server
> on localhost port -1.
> The error was: unix connect: Permission denied.
> Perhaps the BackupPC server is not running or there is a configuration
> error. Please report this to your Sys Admin.
> -------------- snip --------------
>
> At the same time the following AVC denial is written:
>
> type=AVC msg=audit(1355679394.218:18): avc: denied { write } for
> pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs"
> ino=3636017 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1355679394.218:18): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfca7e90 a2=b771bff4 a3=8de4008 items=0
> ppid=9337 pid=9409 auid=4294967295 uid=483 gid=488 euid=483 suid=483
> fsuid=483 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295
> comm="BackupPC_Admin." exe="/usr/bin/perl"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> I tried to add an appropriate rule following the
> instructions from sealert:
>
> # grep BackupPC_Admin. /var/log/audit/audit.log | audit2allow -M mypol
>
> # semodule -i mypol.pp
> libsepol.scope_copy_callback: entropyd: Duplicate declaration in module:
> type/attribute entropyd_var_run_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!
>
> Can you help / explain the issue?

I can speculate as to what the issue is.

The tl;dr is: basically, BackupPC is currently not targeted/supported with SELinux enforced. The solution would be to work with us to write a security policy for this service. I would be willing to do the policy writing, but I need someone who knows how BackupPC works and is configured to help test the policy and provide feedback.

Now to explain the issue you encounter above:

As said above, the BackupPC system service is not targeted in the shipped Fedora SELinux policy. The result is that BackupPC runs in the "init script or init" SELinux domain. This "SELinux domain" is "unconfined", which means it is allowed to do anything.

SELinux relies on proper labeling of files and processes. BackupPC, running in the init or init script SELinux domain, was allowed to create a socket "BackupPC.sock" in /var/run/somewhere. However, the socket was created with a generic SELinux label. This is because of the properties of the init or init script security policy.

The BackupPC_Admin program that was run by the (targeted) web server or a web application runs in the httpd SELinux domain. So now the httpd SELinux domain is trying to write to a generic sock file in /var/run (the BackupPC_Admin program wants to talk to BackupPC via a unix domain stream socket, BackupPC.sock), but was denied this access because web servers are not supposed to write to generic sock files.

In theory one could allow this event by using audit2allow, but then one will encounter other events. For example, the httpd SELinux domain will also want to connect to BackupPC running in the init or init script domain. It is likely that many other events follow after that. And then you are basically opening up the httpd SELinux domain with rules that will degrade the httpd SELinux domain. To properly fix it, one would need to create backuppc SELinux domains instead where possible and allow these domains to interact/operate, rather than the httpd domain.
The BackupPC service pretty much needs full access to the file system, since its main purpose is to back up. I have, in the past, attempted to write SELinux policy for this service; however, there were so many variables when it comes to configuring BackupPC that it was hard to write a cohesive policy for it, and so I abandoned that project. I would be willing to have another good look at it and work towards a solution, but only if I get meaningful help in the shape of feedback and testing. I cannot and do not want to do it on my own.

> Thanks in advance and kind regards
>
> Gabriele
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
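As an added example (not from this thread, the Fedora policy, or the BackupPC project), a small POSIX sh/awk helper that reads AVC records such as the one quoted above and reports the permission, source domain, target type and class, tagging the target as "generic" when it carries one of the labels an unconfined init-started daemon leaves behind, which is the diagnosis the reply gives. The second record (a connectto denial against initrc_t) is constructed to illustrate the follow-on event the reply predicts, and the list of "generic" types is an assumption for illustration, not an SELinux definition.

```shell
#!/bin/sh
# Record 1: the AVC line quoted in the thread above.
AVC_THREAD='type=AVC msg=audit(1355679394.218:18): avc: denied { write } for pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs" ino=3636017 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'
# Record 2: constructed (hypothetical values) to show the next denial the
# reply expects: httpd_t connecting to a listener still in the init script
# domain (initrc_t) instead of a backuppc-specific domain.
AVC_CONSTRUCTED='type=AVC msg=audit(1355679400.000:19): avc: denied { connectto } for pid=9410 comm="BackupPC_Admin." path="/var/run/BackupPC/BackupPC.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# summarize_avc: read audit records on stdin, print one line per AVC denial:
#   <permission> <source type> <target type> <class> <generic|targeted>
# Non-AVC records (SYSCALL, etc.) are skipped. "generic" is our own
# heuristic list of labels that unconfined/init-started services produce.
summarize_avc() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # the permission set sits between braces: "{ write }"
      if (match($0, /\{[^}]*\}/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # contexts are user:role:type:level; the type is the third field
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")   cls = kv[2]
      }
      label = (tgt ~ /^(var_run_t|var_t|tmp_t|var_lib_t|initrc_t|init_t|unconfined_t)$/) ? "generic" : "targeted"
      print perm, src, tgt, cls, label
    }'
}

# Stand-alone run: summarize both sample records.
printf '%s\n%s\n' "$AVC_THREAD" "$AVC_CONSTRUCTED" | summarize_avc
```

A "generic" target on a denial coming from httpd_t is the signature of the situation in the reply: the service that owns the object was never confined, so allowing the access in httpd's policy would be patching the wrong side.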