Re: BackupPC


 



On Mon, 2012-12-17 at 00:05 +0100, Gabriele Pohl wrote:

> A .te is contained in SPEC-File:
> http://pkgs.fedoraproject.org/cgit/BackupPC.git/tree/BackupPC.spec
> 
> cat >%{name}.te <<EOF
> policy_module(%{name},0.0.5)
> require {
>         type var_log_t;
>         type httpd_t;
>         class sock_file write;
>         type initrc_t;
>         class unix_stream_socket connectto;
>         type ssh_exec_t;
>         type ping_exec_t;
>         type sendmail_exec_t;
>         class file getattr;
>         type var_run_t;
>         class sock_file getattr;
>         type httpd_log_t;
>         class file open;
>         class dir read;
> }
> 
> allow httpd_t var_run_t:sock_file write;
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t ping_exec_t:file getattr;
> allow httpd_t sendmail_exec_t:file getattr;
> allow httpd_t ssh_exec_t:file getattr;
> allow httpd_t var_run_t:sock_file getattr;
> allow httpd_t httpd_log_t:file open;
> allow httpd_t httpd_log_t:dir read;
> EOF

This does not look half as bad as I thought it would.

I guess you could temporarily implement that as a workaround.

Somehow the backuppc policy that was packaged with backuppc does not
seem to take effect. The maintainer of the backuppc package should work with
us to support this package properly.


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


