BackupPC

grift dominick.grift at gmail.com
Mon Dec 17 08:33:45 UTC 2012


On Mon, 2012-12-17 at 00:05 +0100, Gabriele Pohl wrote:

> A .te is contained in SPEC-File:
> http://pkgs.fedoraproject.org/cgit/BackupPC.git/tree/BackupPC.spec
> 
> cat >%{name}.te <<EOF
> policy_module(%{name},0.0.5)
> require {
>         type var_log_t;
>         type httpd_t;
>         class sock_file write;
>         type initrc_t;
>         class unix_stream_socket connectto;
>         type ssh_exec_t;
>         type ping_exec_t;
>         type sendmail_exec_t;
>         class file getattr;
>         type var_run_t;
>         class sock_file getattr;
>         type httpd_log_t;
>         class file open;
>         class dir read;
> }
> 
> allow httpd_t var_run_t:sock_file write;
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t ping_exec_t:file getattr;
> allow httpd_t sendmail_exec_t:file getattr;
> allow httpd_t ssh_exec_t:file getattr;
> allow httpd_t var_run_t:sock_file getattr;
> allow httpd_t httpd_log_t:file open;
> allow httpd_t httpd_log_t:dir read;
> EOF

This does not look half as bad as I thought it would.

I guess you could temporarily implement that as a workaround.

Somehow the backuppc policy that was packaged with backuppc does not
seem to take effect. The maintainer of the backuppc package should work with
us to support this package properly.



