On 04/27/2010 02:16 PM, Steve Blackwell wrote:
On Tue, 27 Apr 2010 13:17:09 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> On 04/27/2010 12:18 PM, Steve Blackwell wrote:
>> On Tue, 27 Apr 2010 11:31:57 -0400
>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>
>>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>>> Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>>> point my browser at my local BackupPC server page I get an
>>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>>
>>>>>>>> Raw Audit Messages :
>>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>>
>>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>>> key=(null)
>>>>>>>>
>>>>>>>> Now I know I could change the context of that socket file but
>>>>>>>> I'm guessing that it gets created every time and so that is
>>>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
>>>>>>>> install?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Steve
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>>>
>>>>>>> What directory is the socket in?
>>>>>>
>>>>>> /var/log/BackupPC
>>>>>>
>>>>>> Steve
>>>>>
>>>>> The BackupPC package comes with labeling in F12/F13 of
>>>>> httpd_sys_content_t.
>>>>>
>>>>> # matchpathcon /var/log/BackupPC/
>>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>>
>>>>> Execute the following, should fix the problem
>>>>>
>>>>> # semanage fcontext -a -t httpd_sys_content_t
>>>>> '/var/log/BackupPC(/.*)?'
>>>>> # restorecon -R -v /var/log/BackupPC
>>>>
>>>> No luck.
>>>>
>>>> This did relabel the files in /var/log/BackupPC
>>>>
>>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>>> -r--r--r--. backuppc backuppc
>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>>> srwxr-x---. backuppc backuppc
>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>>> ...
>>>>
>>>> but SELinux still won't let me access the server. I get a slightly
>>>> different but essentially the same AVC as before:
>>>>
>>>> Raw Audit Messages :
>>>>
>>>> node=steve.blackwell type=AVC
>>>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>>>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
>>>> scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>>
>>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>> key=(null)
>>>>
>>>> So it looks to my untrained eye that we have a process with
>>>> context system_u:system_r:httpd_t:s0
>>>> trying to write to a file that has a context
>>>> system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> and there is no rule to say that this is OK. Is that about right?
>>>>
>>>> Thanks,
>>>> Steve
>>>
>>> You can add the ok rule using audit2allow
>>>
>>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
>>> # semodule -i mybackuppc.pp
>>
>> OK, a little progress. Now I am getting a socket connect denial.
>> Will repeating the audit2allow process correct this?
>>
>> Thanks,
>> Steve
> yes
I wasn't sure if running audit2allow a second time would add to
mybackuppc.pp or replace it so I ran
# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M mybackuppc.pp
# semodule -i mybackuppc.pp
I also noticed a boolean called httpd_can_network_connect. This would
have worked too, correct?
Now I can connect to the server but I get a different AVC:
Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
{ read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)
disk is a link to an external USB drive where I keep the backups
[root@steve ~]# ls -lZ /media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0 <the USB disk UUID>
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk -> <the USB disk UUID>
So do I need to relabel the disk httpd_sys_content_t next?
Steve
You could use something like
mount -o context="system_u:object_r:httpd_sys_content_t:s0"
Which will tell mount to mount your disk with this label.
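The thread leans on `grep ... | audit2allow -M mybackuppc` to turn AVC denials into an installable policy module. The script below is an added example, not code from the posts, from audit2allow or from BackupPC: it shows the rule-generation step audit2allow performs, so you can see exactly what a module built from a given set of audit lines will allow before you `semodule -i` it. The sock_file and lnk_file denials in the sample log are copied from the thread; the `connectto` record stands in for the "socket connect denial" Steve mentioned but did not paste, and its pid, timestamp and target type (`initrc_t`) are constructed assumptions. The `grep` parameter mirrors the `grep "BackupPC.sock" audit.log` pre-filter: each `audit2allow -M` run builds the module from only the lines it is fed, so a filtered log must still contain every denial the module is meant to cover.

```python
"""
Parse raw SELinux AVC denials and emit the Type Enforcement allow rules
that `audit2allow` would generate.  Added example for this thread; not
code from the original posts, from audit2allow or from BackupPC.
"""
import re
from collections import defaultdict

# Sample input: the sock_file and lnk_file denials are copied from the
# thread.  The `connectto` record is CONSTRUCTED to stand in for the
# "socket connect denial" Steve mentioned but did not paste; its pid,
# timestamp and target context (initrc_t) are assumptions, not data.
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
node=steve.blackwell type=AVC msg=audit(1272380100.500:331): avc: denied { connectto } for pid=31612 comm="perl5.10.0" path="/var/log/BackupPC/BackupPC.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
"""

# Only AVC records carry the (scontext, tcontext, tclass, perms) tuple;
# the SYSCALL record that accompanies each denial is skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type (the part TE rules are written in)."""
    return context.split(":")[2]


def parse_denials(log_text, grep=None):
    """Yield (source_type, target_type, tclass, perm) per denied permission.

    `grep` mimics piping `grep <string> audit.log` into audit2allow: only
    lines containing that substring are considered.
    """
    for line in log_text.splitlines():
        if grep is not None and grep not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        src = type_of(m.group("scontext"))
        tgt = type_of(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def build_allow_rules(log_text, grep=None):
    """Merge denials into one `allow` rule per (source, target, class)."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log_text, grep):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = " ".join(sorted(ps))
        body = plist if len(ps) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def build_module(log_text, name="mybackuppc", version="1.0", grep=None):
    """Return a complete .te source in the layout `audit2allow -M name` uses."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log_text, grep):
        types.update((src, tgt))
        classes[cls].add(perm)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    for cls, ps in sorted(classes.items()):
        plist = " ".join(sorted(ps))
        lines.append(f"\tclass {cls} {{ {plist} }};")
    lines += ["}", ""]
    by_src = defaultdict(list)
    for rule in build_allow_rules(log_text, grep):
        by_src[rule.split()[1]].append(rule)
    for src in sorted(by_src):
        lines.append(f"#============= {src} ==============")
        lines.extend(by_src[src])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT_LOG))
    # Filtering as in `grep "BackupPC.sock" audit.log | audit2allow ...`
    # drops the mnt_t rule, because that denial names "disk", not the socket.
    print(build_module(SAMPLE_AUDIT_LOG, grep="BackupPC.sock"))
```

For the two denials actually pasted in the thread the generated rules are `allow httpd_t httpd_sys_content_t:sock_file write;` and `allow httpd_t mnt_t:lnk_file read;`. Two things worth checking before installing such a module: the rules are keyed on types, not paths, so the first one lets httpd_t write to every sock_file labelled httpd_sys_content_t, not only BackupPC.sock; and `mount -o context=` relabels the inodes of the mounted filesystem, while the denied read above was on the `/media/disk` symlink, which lives on the root filesystem and keeps its mnt_t label, so that particular AVC is addressed by relabelling the link itself or by the lnk_file rule rather than by the mount option alone.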