-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/27/2010 12:18 PM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 11:31:57 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>> On Tue, 27 Apr 2010 08:45:25 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>
>>>>
>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>> point my browser at my local BackupPC server page a get an
>>>>>> "Unable to Connect" message and an AVC:
>>>>>>
>>>>>> Raw Audit Messages :
>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>
>>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>> key=(null)
>>>>>>
>>>>>> Now I know I could change the context of that socket file but
>>>>>> I'm guessing that it gets created every time and so that is not
>>>>>> a permanent solution. Is there a boolean I need to set; nothing
>>>>>> looked obvious or perhaps a BackupPC policy I need to install?
>>>>>>
>>>>>> Thanks,
>>>>>> Steve
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux(a)lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>> What directory is the socket in?
>>>>
>>>> /var/log/BackupPC
>>>>
>>>> Steve
>>>
>>> The BackupPC package comes with labeling in F12/F13 of
>>> httpd_sys_content_t.
>>>
>>> # matchpathcon /var/log/BackupPC/
>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>
>>> Execute the following; it should fix the problem:
>>>
>>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>>> # restorecon -R -v /var/log/BackupPC
>>
>> No luck.
>>
>> This did relabel the files in /var/log/BackupPC
>>
>> [root@steve ~]# ls -lZ /var/log/BackupPC
>> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>> ...
>>
>> but SELinux still won't let me access the server. I get a slightly
>> different but essentially the same AVC as before:
>>
>> Raw Audit Messages :
>>
>> node=steve.blackwell type=AVC
>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>
>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>> tty=(none) ses=4294967295 comm="perl5.10.0"
>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>> key=(null)
>>
>> So it looks to my untrained eye that we have a process with context
>> system_u:system_r:httpd_t:s0
>> trying to write to a file that has a context
>> system_u:object_r:httpd_sys_content_t:s0
>>
>> and there is no rule to say that this is OK. Is that about right?
>>
>> Thanks,
>> Steve
>
> You can add the ok rule using audit2allow
>
> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
> # semodule -i mybackuppc.pp
OK, a little progress. Now I am getting a socket connect denial.
Will repeating the audit2allow process correct this?
Thanks,
Steve
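The thread above walks through relabelling the socket directory and then feeding the remaining denials to audit2allow. The script below is an added example, not code from the thread or from the audit2allow tool: it parses raw AVC records of the kind quoted above, collapses them into the `allow` rules audit2allow would propose, and, separately, tracks which target types the same object (device, inode, name) has been denied under. The sample log is constructed from the two AVC records and one SYSCALL record quoted in the thread, re-joined onto single lines as auditd writes them; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records and one SYSCALL record quoted
# in the thread, re-joined onto single lines as auditd writes them.
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# key=value fields; a value may be quoted, parenthesised (tty=(none)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# the permission set of a denial: "denied { write }" or "denied { read open }"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] context."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Parse AVC denial records out of raw audit.log text."""
    denials = []
    for line in text.splitlines():
        if 'type=AVC' not in line:
            continue
        perms = PERMS_RE.search(line)
        if perms is None:
            continue  # a granted AVC, or a layout this parser does not know
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        denials.append({
            'perms': set(perms.group(1).split()),
            'stype': selinux_type(fields['scontext']),
            'ttype': selinux_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'comm': fields.get('comm'),
            'object': (fields.get('dev'), fields.get('ino'), fields.get('name')),
        })
    return denials


def candidate_rules(denials):
    """Collapse denials into allow rules in the form audit2allow would emit.
    Each rule grants exactly what was denied, so review it before loading."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return [
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
        for (s, t, c), p in sorted(grouped.items())
    ]


def relabel_history(denials):
    """Map each denied object (dev, inode, name) to the target types it has
    been denied under, in order of appearance. More than one type means the
    object was relabelled and the new label still does not grant the access."""
    seen = defaultdict(list)
    for d in denials:
        types = seen[d['object']]
        if d['ttype'] not in types:
            types.append(d['ttype'])
    return dict(seen)


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in candidate_rules(found):
        print(rule)
    for (dev, ino, name), types in relabel_history(found).items():
        if len(types) > 1:
            print('%s (dev %s, ino %s) denied under labels: %s'
                  % (name, dev, ino, ' -> '.join(types)))
```

Run against the sample, `relabel_history` reports the same socket inode denied first under `var_log_t` and then under `httpd_sys_content_t`, which is the situation described in the thread: the `restorecon` pass changed the label, but the new label grants `httpd_t` no `write` on a `sock_file`. `candidate_rules` shows why grepping the audit log for `httpd_sys_content_t` before piping into audit2allow matters: without that filter the older `var_log_t` denial would also turn into a rule.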