Help with messed up F11 SELinux

Dominick Grift domg472 at gmail.com
Tue Apr 27 15:01:26 UTC 2010


On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 08:45:25 -0400
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
> > 
> > On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> > > On Mon, 26 Apr 2010 11:11:00 -0400
> > > Daniel J Walsh <dwalsh at redhat.com> wrote:
> > > 
> > > 
> > >>> I do still have one (so far) problem though. When I tried to point
> > >>> my browser at my local BackupPC server page a get an "Unable to
> > >>> Connect" message and an AVC:
> > >>>
> > >>> Raw Audit Messages :
> > >>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> > >>> denied { write } for pid=31707 comm="perl5.10.0"
> > >>> name="BackupPC.sock" dev=dm-0 ino=36667496
> > >>> scontext=system_u:system_r:httpd_t:s0
> > >>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> > >>>
> > >>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> > >>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> > >>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> > >>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> > >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > >>> key=(null)
> > >>>
> > >>> Now I know I could change the context of that socket file but I'm
> > >>> guessing that it gets created every time and so that is not a
> > >>> permanent solution. Is there a boolean I need to set; nothing
> > >>> looked obvious or perhaps a BackupPC policy I need to install?
> > >>>
> > >>> Thanks,
> > >>> Steve
> > >>>
> > >> What directory is the socket in?
> > > 
> > > /var/log/BackupPC
> > > 
> > > Steve
> > 
> > The BackupPC package comes with labeling in F12/F13 of
> > httpd_sys_content_t.
> > 
> > # matchpathcon /var/log/BackupPC/
> > /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
> > 
> > Execute the following; it should fix the problem.
> > 
> > # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
> > # restorecon -R -v /var/log/BackupPC
> 
> No luck.
> 
> This did relabel the files in /var/log/BackupPC
> 
> [root at steve ~]# ls -lZ /var/log/BackupPC
> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock

This pid and sock need to move to /var/run. I asked the backuppc packager to do this a long time ago, but for some reason it is not fixed yet.

> ...
> 
> but SELinux still won't let me access the server. I get a slightly
> different but essentially the same AVC as before:
> 
> Raw Audit Messages :
> 
> node=steve.blackwell type=AVC
> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
> 
> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null) 
> 
> So it looks to my untrained eye that we have a process with context
> system_u:system_r:httpd_t:s0 
> trying to write to a file that has a context
> system_u:object_r:httpd_sys_content_t:s0
> 
> and there is no rule to say that this is OK. Is that about right?
> 
> Thanks,
> Steve
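As an added example that is not part of this thread, a small Python parser that does mechanically what Steve does by eye above: it pairs each AVC record with the SYSCALL record sharing its audit serial and reduces the denial to the source domain, permission, target type and object class that a policy rule would have to allow. The sample input is the pair of records quoted above, re-joined onto one line each as auditd writes them.

```python
import re

# Constructed sample: the two records quoted above, re-joined onto one line
# each as auditd writes them (the mail client wrapped them).
SAMPLE_AUDIT = """\
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\):(?P<rest>.*)")  # records of one event share the serial
AVC_RE = re.compile(r"avc: +(?P<result>denied|granted) +\{ *(?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_record(line):
    """Split one audit record into a dict; AVC records also get 'result' and 'perms'."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    rec = {"serial": m.group("serial"), "type": re.search(r"type=(\w+)", line).group(1)}
    body = m.group("rest")
    avc = AVC_RE.search(body)
    if avc:  # the "avc: denied { write } for ..." prefix carries the verdict and permissions
        rec["result"], rec["perms"], body = avc.group("result"), avc.group("perms").split(), avc.group("rest")
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def summarize_denials(audit_text):
    """Pair each AVC denial with the SYSCALL record of the same serial and reduce it to the
    (source domain, permissions, target type, class) tuple a policy rule would have to allow."""
    events = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    denials = []
    for serial in sorted(events, key=int):
        avc = next((r for r in events[serial] if r.get("result") == "denied"), None)
        if avc is None:
            continue
        sc = next((r for r in events[serial] if r["type"] == "SYSCALL"), {})
        denials.append({"serial": serial, "perms": avc["perms"], "tclass": avc["tclass"],
                        "name": avc.get("name"), "comm": avc.get("comm"), "exe": sc.get("exe"),
                        "source_type": context_type(avc["scontext"]),
                        "target_type": context_type(avc["tcontext"])})
    return denials
```

Running it over the sample yields a single denial of `write` on a `sock_file` of type `httpd_sys_content_t` by the `httpd_t` domain, which is exactly the tuple Steve identified and the reason relabeling the directory to a content type did not help.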