On 12/16/2012 07:47 PM, grift wrote:
> On Sun, 2012-12-16 at 18:59 +0100, Gabriele Pohl wrote:
>> At the same time the following AVC-Denial is written:
>>
>> type=AVC msg=audit(1355679394.218:18): avc: denied { write } for
>> pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs"
>> ino=3636017 scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>> type=SYSCALL msg=audit(1355679394.218:18): arch=40000003 syscall=102
>> success=no exit=-13 a0=3 a1=bfca7e90 a2=b771bff4 a3=8de4008 items=0
>> ppid=9337 pid=9409 auid=4294967295 uid=483 gid=488 euid=483 suid=483
>> fsuid=483 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295
>> comm="BackupPC_Admin." exe="/usr/bin/perl"
>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>> Can you help / explain the issue?
>
> I can speculate as to what the issue is:
>
> The tl;dr is
>
> Basically BackupPC is currently not targeted/supported with SELinux
> enforced.

but the package brings a SELinux module with it:

# rpm -qf /usr/share/selinux/packages/BackupPC/BackupPC.pp
BackupPC-3.2.1-7.fc17.i686

> The solution would be to work with us to write a security policy for
> this service. I would be willing to do the policy writing but I need
> someone who knows how BackupPC works and is configured to help test the
> policy and provide feedback.

I am willing to help. But I have only a small and specific
use case to test with. I use rsync via ssh to back up the servers.

I use it here on my Fedora 17 desktop computer and also
on several servers (CentOS 6.3) there using EPEL's package:
BackupPC-3.2.1-7.el6.x86_64

SELinux runs in targeted and enforcing mode:

# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

and I have no problem accessing the CGI-Interface there.

>
> Now to explain the issue you encounter above:
>
> As said above BackupPC system service is not targeted in the shipped
> fedora selinux policy.

ok, I see. They bring their own policy on the system.

> The result is that BackupPC runs in the " init script or init " selinux
> domain. This " selinux domain " is " unconfined ". Which means it is
> allowed to do anything.
>
> SELinux relies on proper labeling of files and processes.
>
> BackupPC running in the init or init script selinux domain was allowed
> to create a socket "BackupPC.sock" in /var/run/somewhere. However, the
> socket was created with a generic selinux label. This is because of the
> properties of the init or init script security policy.
>
> The BackupPC_Admin program that was run by the (targeted) web server or
> a web application runs in the httpd selinux domain.
>
> So now the httpd selinux domain is trying to write to a generic sock
> file in /var/run (the BackupPC_Admin program wants to talk to BackupPC
> via a unix domain stream socket BackupPC.sock) but was denied this
> access because web servers are not supposed to write to generic sock
> files.
>
> In theory one could allow this event by using audit2allow but then one
> will encounter other events. For example; the httpd selinux domain will
> also want to connect to backupPC running in the init or init script
> domain. It is likely that many other events follow after that.
>
> And then you are basically opening up both the httpd selinux domain with
> rules that will degrade the httpd selinux domain.
>
> To properly fix it, one would need to create backuppc selinux domains
> instead where possible and allow these domains to interact/operate rather
> than httpd domain.

Thanks for the detailed explanation!

> The backupPC service pretty much needs full access to the file system
> since its main purpose is to back up.

Not in general. The job is done via ssh in my case
and I created a special user for this, to whom I granted
sudo privileges for rsync.

> I have, in the past, attempted to write selinux policy for this service
> however there were so many variables when it comes to configuring
> backuppc that it was hard to write a cohesive policy for it. and so I
> abandoned that project.
>
> I would be willing to have another good look at it and work towards a
> solution but only if I get meaningful help in the shape of feedback and
> testing. I cannot and do not want to do it on my own.

Thanks for your offer! I will be happy if you like
to try with my feedback. I can also write to
the BackupPC mailing lists and look, whether we find more
testers for Red Hat Distributions.

A .te is contained in the SPEC file:
http://pkgs.fedoraproject.org/cgit/BackupPC.git/tree/BackupPC.spec

cat >%{name}.te <<EOF
policy_module(%{name},0.0.5)

require {
        type var_log_t;
        type httpd_t;
        class sock_file write;
        type initrc_t;
        class unix_stream_socket connectto;
        type ssh_exec_t;
        type ping_exec_t;
        type sendmail_exec_t;
        class file getattr;
        type var_run_t;
        class sock_file getattr;
        type httpd_log_t;
        class file open;
        class dir read;
}

allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t ping_exec_t:file getattr;
allow httpd_t sendmail_exec_t:file getattr;
allow httpd_t ssh_exec_t:file getattr;
allow httpd_t var_run_t:sock_file getattr;
allow httpd_t httpd_log_t:file open;
allow httpd_t httpd_log_t:dir read;
EOF

---------------

And I found another smaller one here:
http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html

I hope this will help for a start and thanks again for your
offer to build a consistent BackupPC policy :)

Gabriele

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
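
Added example (not part of the thread and not code from the BackupPC package): a short Python check that derives the audit2allow-style rule from the AVC record quoted above and lists which allow rules in the quoted BackupPC.te target a generic label, which is the over-broad grant the explanation in the thread describes. The GENERIC_TYPES set and all function names are assumptions made for this example.

```python
import re

# Labels shared by many unrelated programs (assumed for this example, not an
# official list); a rule targeting one covers every object carrying it.
GENERIC_TYPES = {"var_run_t", "initrc_t", "var_log_t", "tmp_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)"
                    r"\s+tcontext=(\S+)\s+tclass=(\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;", re.M)

# The AVC record quoted in the thread, joined onto one line.
AVC = ('type=AVC msg=audit(1355679394.218:18): avc: denied { write } for '
       'pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs" '
       'ino=3636017 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file')

# The allow rules from the BackupPC.te quoted in the thread.
TE = """
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t ping_exec_t:file getattr;
allow httpd_t sendmail_exec_t:file getattr;
allow httpd_t ssh_exec_t:file getattr;
allow httpd_t var_run_t:sock_file getattr;
allow httpd_t httpd_log_t:file open;
allow httpd_t httpd_log_t:dir read;
"""

def avc_to_rule(record):
    """Return (source type, target type, class, perms) for a denial, or None.
    A context is user:role:type:level; only the type field enters the rule."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    perms, scontext, tcontext, tclass = m.groups()
    return (scontext.split(":")[2], tcontext.split(":")[2], tclass,
            " ".join(perms.split()))

def broad_rules(te_text):
    """Return the single-permission allow rules whose target type is generic."""
    return [r for r in ALLOW_RE.findall(te_text) if r[1] in GENERIC_TYPES]

def format_rule(rule):
    src, tgt, cls, perm = rule
    perm = "{ %s }" % perm if " " in perm else perm
    return f"allow {src} {tgt}:{cls} {perm};"

if __name__ == "__main__":
    print("rule implied by the denial:", format_rule(avc_to_rule(AVC)))
    for rule in broad_rules(TE):
        print("targets a generic label:", format_rule(rule))
```

The three rules it reports apply to every var_run_t socket and every initrc_t process on the system, not only to BackupPC's own.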