On 12/16/2012 07:47 PM, grift wrote:
On Sun, 2012-12-16 at 18:59 +0100, Gabriele Pohl wrote:
> At same time the following AVC-Denial is written:
>
> type=AVC msg=audit(1355679394.218:18): avc: denied { write } for
> pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs"
> ino=3636017 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1355679394.218:18): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfca7e90 a2=b771bff4 a3=8de4008 items=0
> ppid=9337 pid=9409 auid=4294967295 uid=483 gid=488 euid=483 suid=483
> fsuid=483 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295
> comm="BackupPC_Admin." exe="/usr/bin/perl"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> Can you help / explain the issue?
I can speculate as to what the issue is:
The tl;dr is
Basically BackupPC is currently not targeted/supported with SELinux
enforced.
but the package brings a SELinux module with it:
# rpm -qf /usr/share/selinux/packages/BackupPC/BackupPC.pp
BackupPC-3.2.1-7.fc17.i686
The solution would be to work with us to write a security policy for
this service. I would be willing to do the policy writing but I need
someone who knows how BackupPC works and is configured to help test the
policy and provide feedback.
I am willing to help. But I have only a
small and specific use case to test with.
I use rsync via ssh to backup the servers.
I use it here on my Fedora 17 desktop computer
and also on several servers (CentOS 6.3)
there using EPEL's package: BackupPC-3.2.1-7.el6.x86_64
SELinux runs in targeted and enforcing mode:
# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
and I have no problem accessing the CGI interface there.
Now to explain the issue you encounter above:
As said above BackupPC system service is not targeted in the shipped
fedora selinux policy.
ok, I see. They bring their own policy on the system.
The result is that BackupPC runs in the "init script or init" selinux
domain. This "selinux domain" is "unconfined", which means it is
allowed to do anything.
SELinux relies on proper labeling of files and processes.
BackupPC running in the init or init script selinux domain was allowed
to create a socket "BackupPC.sock" in /var/run/somewhere. However, the
socket was created with a generic selinux label. This is because of the
properties of the init or init script security policy.
The BackupPC_Admin program that was run by the (targeted) web server or
a web application runs in the httpd selinux domain.
So now the httpd selinux domain is trying to write to a generic sock
file in /var/run (the BackupPC_Admin program wants to talk to BackupPC
via a unix domain stream socket BackupPC.sock) but was denied this
access because web servers are not supposed to write to generic sock
files.
In theory one could allow this event by using audit2allow but then one
will encounter other events. For example, the httpd selinux domain will
also want to connect to backupPC running in the init or init script
domain. It is likely that many other events follow after that.
And then you are basically opening up both the httpd selinux domain with
rules that will degrade the httpd selinux domain.
To properly fix it, one would need to create backuppc selinux domains
instead where possible and allow these domains to interact/operate rather
than httpd domain.
Thanks for the detailed explanation!
The backupPC service pretty much needs full access to the file system
since its main purpose is to back up.
Not in general. The job is done via ssh in my case
and I created a special user for this, to whom I granted
sudo privileges for rsync.
I have, in the past, attempted to write selinux policy for this service,
however there were so many variables when it comes to configuring
backuppc that it was hard to write a cohesive policy for it, and so I
abandoned that project.
I would be willing to have another good look at it and work towards a
solution but only if I get meaningful help in the shape of feedback and
testing. I cannot and do not want to do it on my own.
Thanks for your offer! I will be happy if you like to try with
my feedback. I can also write to the BackupPC mailing lists
and look, whether we find more testers for Red Hat Distributions.
A .te is contained in SPEC-File:
http://pkgs.fedoraproject.org/cgit/BackupPC.git/tree/BackupPC.spec
cat >%{name}.te <<EOF
policy_module(%{name},0.0.5)
require {
type var_log_t;
type httpd_t;
class sock_file write;
type initrc_t;
class unix_stream_socket connectto;
type ssh_exec_t;
type ping_exec_t;
type sendmail_exec_t;
class file getattr;
type var_run_t;
class sock_file getattr;
type httpd_log_t;
class file open;
class dir read;
}
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t ping_exec_t:file getattr;
allow httpd_t sendmail_exec_t:file getattr;
allow httpd_t ssh_exec_t:file getattr;
allow httpd_t var_run_t:sock_file getattr;
allow httpd_t httpd_log_t:file open;
allow httpd_t httpd_log_t:dir read;
EOF
---------------
And I found another smaller one here:
http://www.advisorbits.com/2011/03/backuppc_on_centos_5_selinux_fix.html
I hope this will help for a start
and thanks again for your offer to build a consistent BackupPC policy :)
Gabriele
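
Added example (not part of the original thread, and not code from BackupPC or the Fedora policy): a small Python check that parses the AVC denial quoted above, derives the allow rule an audit2allow-style fix would produce, and lists the rules in a .te file that grant a domain access to generic types. The GENERIC_TYPES set is an assumption drawn from the discussion (var_run_t as the generic label, initrc_t as the init script domain); the sample inputs are copied from the thread and abbreviated.

```python
import re

# Assumption for this example: types the thread describes as generic or
# unconfined, i.e. shared by many unrelated services.
GENERIC_TYPES = {"var_run_t", "initrc_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(record):
    """Extract source type, target type, class and permissions from one AVC line."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    return {"source": context_type(m["scontext"]),
            "target": context_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": m["perms"].split()}

def candidate_rule(avc):
    """Build the allow rule that would silence this one denial."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {p};"

def broad_rules(te_text):
    """Return allow rules whose target is a generic type rather than a service-specific one."""
    return [m.group(0).strip() for m in ALLOW_RE.finditer(te_text)
            if m.group(2) in GENERIC_TYPES]

# Sample inputs copied from the thread (AVC record joined onto one line).
SAMPLE_AVC = ('type=AVC msg=audit(1355679394.218:18): avc: denied { write } for '
              'pid=9409 comm="BackupPC_Admin." name="BackupPC.sock" dev="tmpfs" '
              'ino=3636017 scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file')
SAMPLE_TE = """
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t ssh_exec_t:file getattr;
allow httpd_t httpd_log_t:file open;
"""

if __name__ == "__main__":
    print(candidate_rule(parse_avc(SAMPLE_AVC)))
    for rule in broad_rules(SAMPLE_TE):
        print("broad:", rule)
```

A rule flagged here applies to every object carrying the generic label, not only BackupPC.sock, which is why dedicated backuppc types are the cleaner fix.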