SELinux for BackupPC
Daniel J Walsh
dwalsh at redhat.com
Tue Sep 18 16:58:18 UTC 2007
Johan Cwiklinski wrote:
> Hi,
>
> I'm currently re-packaging BackupPC[1], a Perl backup software server.
>
> As BackupPC needs to use, for example, rsync or tar to back up itself,
> which causes SELinux denials. There is also a CGI interface to manage
> backups/restores and config.
>
> As I'm not at all an SELinux guru, I've used 'audit2allow' to create an
> SELinux policy module included in my specfile, but I don't know if this
> is the right way, or even whether my policy module might cause issues...
>
> I'd like to have your advice on SELinux integration in this RPM
> file. I'll put online the actual policy file[2], as I use it in the specfile[3].
> I'd also like opinions on the best way to include an SELinux policy for
> this software.
>
> Regards,
> Johan
>
> [1] http://backuppc.sourceforge.net
> [2] http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.te
> [3] http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.spec
>
>
No, a lot of these rules are not good. Could you attach the audit log you
used to create this?
You probably need a context for this
allow httpd_t etc_t:dir write;
and these
allow httpd_t usr_t:dir { write add_name };
allow httpd_t usr_t:file { write create };
Could be as simple as
chcon -t httpd_sys_content_rw_t PATHTODIR
I take it this is the socket file that BackupPC is creating. I think
you need a policy for this, and then BackupPC could label it
appropriately and allow httpd to communicate with it.
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_log_t:sock_file write;
Not sure what these are either.
allow httpd_t httpd_log_t:sock_file write;
allow httpd_t httpd_sys_content_t:sock_file write;
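The reply above draws a line between denials that are really labeling problems (httpd_t writing under etc_t or usr_t, fixed with chcon -t httpd_sys_content_rw_t) and denials that need a proper type in a policy module (the socket). The script below is an added example, not code from the BackupPC package or from this thread: it parses AVC lines, prints the blanket rule audit2allow would emit for each, and sorts them into relabel / policy / investigate so a packager can see which rules not to ship. The audit lines and the list of generic file types are constructed for the example.

```python
"""Triage SELinux AVC denials from a web front-end (httpd_t) before running audit2allow.

Added example for this thread; not BackupPC's code. The audit lines below are
constructed to mirror the rules discussed in the reply, not taken from a real log.
"""
import re

# Constructed sample audit lines (kernel AVC layout, values invented for the example).
SAMPLE_AVC = """\
type=AVC msg=audit(1190134000.123:101): avc:  denied  { write } for  pid=2345 comm="BackupPC_Admin" name="conf" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1190134000.456:102): avc:  denied  { write add_name } for  pid=2345 comm="BackupPC_Admin" name="pc" dev=sda2 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1190134000.789:103): avc:  denied  { connectto } for  pid=2345 comm="BackupPC_Admin" name="BackupPC.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1190134001.000:104): avc:  denied  { write } for  pid=2345 comm="BackupPC_Admin" name="BackupPC.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
"""

RW_CONTENT_TYPE = "httpd_sys_content_rw_t"   # writable web content type named in the reply
# Default labels of whole filesystem areas; allowing httpd_t to write them is too broad.
# Assumed list for the example, not an authoritative one.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "var_log_t", "var_lib_t"}
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "append", "setattr"}


def parse_avc(line):
    """Pull permissions, source domain, target type and object class out of one AVC line."""
    m = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    try:
        sdom = fields["scontext"].split(":")[2]    # user:role:type:level -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": set(m.group(1).split()), "sdom": sdom, "ttype": ttype,
            "tclass": tclass, "name": fields.get("path") or fields.get("name", "?")}


def audit2allow_rule(d):
    """The blanket allow rule audit2allow would generate for this denial."""
    perms = sorted(d["perms"])
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['sdom']} {d['ttype']}:{d['tclass']} {p};"


def triage(d):
    """Return (verdict, advice): 'relabel' = fix the file label, not the policy;
    'policy' = the object needs its own type in a policy module; 'investigate' = understand first."""
    if d["sdom"] != "httpd_t":
        return "investigate", "not an httpd_t denial; check which daemon domain is involved"
    if d["tclass"] in {"dir", "file"} and d["ttype"] in GENERIC_TYPES and d["perms"] & WRITE_PERMS:
        return "relabel", (f"do not allow writes to {d['ttype']}; label the directory instead: "
                           f"chcon -t {RW_CONTENT_TYPE} <path of '{d['name']}'>")
    if d["tclass"] in {"sock_file", "unix_stream_socket"}:
        return "policy", ("give the BackupPC socket its own type in a policy module so httpd_t "
                          f"can be allowed to use it, rather than allowing access to {d['ttype']}")
    return "investigate", "understand the access before writing an allow rule"


def triage_log(text):
    """Triage every AVC line in an audit log excerpt; returns (rule, verdict, advice) tuples."""
    results = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            verdict, advice = triage(d)
            results.append((audit2allow_rule(d), verdict, advice))
    return results


if __name__ == "__main__":
    for rule, verdict, advice in triage_log(SAMPLE_AVC):
        print(f"{rule:55} -> {verdict}: {advice}")
```

The chcon suggested for the relabel verdicts only changes the live label; for a package, the persistent form is a file context rule (semanage fcontext -a -t httpd_sys_content_rw_t on the directory pattern, then restorecon), which is what the .fc half of a policy module carries.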