I've got a bug report[1] for BackupPC where the user is having issues with AVC denials when browsing hosts.

This is actually from my COPR but it's the same SRPM I use for Fedora. There are almost 50k downloads and this is the only report of a problem so I don't think there's a fundamental issue with the package but I would still like to help them out.

They are getting AVC denials when browsing hosts which seems to cause BackupPC_Admin to write LOCK files in the subdirectories of /var/lib/BackupPC/. I can find plenty of LOCK files written in my instance of BackupPC on CentOS 7 (same as the user) but NO AVC denials for me.

Here's a snippet from the bug:

$ sudo tail -f /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1567181425.724:40002): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

It happens once for every host he backs up, so the inodes are different but the error is the same for all.

Currently the SELinux policy built into the package doesn't modify /var/lib/BackupPC but in my experience it hasn't needed to.

He's already tried restorecon, changed from a symlink to a bind mount (for the backup root)...

I'm hesitant to modify the SELinux policy when I can reproduce the problem...


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1746598
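
An added example, not part of the original message or the BackupPC package: a small Python parser that groups AVC records like the two quoted above by command, source type, target type, class and permission, which makes it visible that the denials differ only by inode. The function names are hypothetical, and the sample input is the two log lines from the message.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the message above.
SAMPLE = """\
type=AVC msg=audit(1567181425.724:40002): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line) if "type=AVC" in line else None
    if not m:
        return None
    # key=value pairs after "for"; quoted values lose their quotes
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """Type is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (comm, source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "inodes": set(), "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec.get("comm", "?"), selinux_type(rec.get("scontext", "")),
                   selinux_type(rec.get("tcontext", "")), rec.get("tclass", "?"), perm)
            groups[key]["count"] += 1
            groups[key]["inodes"].add(rec.get("ino"))
            groups[key]["names"].add(rec.get("name"))
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, "records:", g["count"], "distinct inodes:", len(g["inodes"]))
```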