Issue with SELinux and BackupPC backup directory at non-standard location
Dominick Grift
dominick.grift at gmail.com
Sat Mar 16 08:55:33 UTC 2013
On Fri, 2013-03-15 at 16:14 -0700, Jeff Boyce wrote:
> In reviewing my SELinux contexts listed above, I noticed that the group
> assignment for the directories under /bkupdata is root. I have subsequently
> changed them to backuppc, and shutdown the backuppc service, shutdown and
> restarted the http service, then restarted the backuppc service. The same
> errors persist after this change, so the issue was not just with an
> incorrect group setting.
>
> Here is a representative sample of the SELinux audit messages that are
> occurring:
>
The AVC denials all have some things in common:
1. the source type of the operation is httpd_t
2. the target type of the operation is default_t
httpd_t is the webserver process type.
default_t is a special type. This type is assigned to locations unknown
to SELinux.
In this case SELinux is not aware of your exotic "/bkupdata" mountpoint.
Everything on a system is classified using types. That way SELinux knows
if and what access it should grant to any given source.
So what you should do is, you should classify /bkupdata and the content
in there by assigning it an appropriate type.
You should use the existing type for this.
So basically you should look at an existing location that is similar to
your new location and consider using the same type.
There is a command that makes it easy to "clone" file contexts but it
has its limits (you cannot nest them and so use them wisely)
I will give you one very simple example:
Let's say that /bkupdata is really just the same as /var but just in
an exotic location. That would mean that you could clone the file
contexts for /var and use them on /bkupdata as well.
man semanage has an example of how to use the fcontext equivalence
functionality:
# semanage fcontext -a -e /var /bkupdata
# restorecon -R -v /bkupdata
That will make the contexts of bkupdata equivalent to that of /var
Remember though that you cannot nest them.
It's up to you to find the appropriate types to use. I do not know the
properties of your /bkupdata location.
I can see a backup directory and I also see that httpd_t is trying to
access content on your /bkupdata mountpoint.
You may be able to fix this by just using the backuppc_var_lib_t (I am
not even sure if that type exists) type for the whole mountpoint:
semanage fcontext -a -t backuppc_var_lib_t "/bkupdata(/.*)?"
restorecon -R -v -F /bkupdata
> ----
>
> time->Thu Mar 14 13:35:51 2013
>
> type=SYSCALL msg=audit(1363293351.295:27283): arch=c000003e syscall=2
> success=no exit=-13 a0=1437b70 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813
> pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=AVC msg=audit(1363293351.295:27283): avc: denied { read } for
> pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> ----
>
> time->Thu Mar 14 13:35:51 2013
>
> type=SYSCALL msg=audit(1363293351.292:27282): arch=c000003e syscall=2
> success=no exit=-13 a0=1437b10 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813
> pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=AVC msg=audit(1363293351.292:27282): avc: denied { read } for
> pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> ----
>
> time->Thu Mar 14 13:36:01 2013
>
> type=SYSCALL msg=audit(1363293361.526:27285): arch=c000003e syscall=4
> success=no exit=-13 a0=1630140 a1=1569130 a2=1569130 a3=21 items=0 ppid=1806
> pid=4400 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin."
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=AVC msg=audit(1363293361.526:27285): avc: denied { getattr } for
> pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups"
> dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> ----
>
>
> I have read through the RedHat SELinux users guide and understand from this
> and looking at the above messages that my target context is probably not
> what it should be for this. I am hoping someone can guide me to get this
> corrected in a proper way without making a blanket permissive policy. Also
> I would like to make sure that if I have to expand my partition again, I
> don't want to have to go through the same pain of discovering the problem,
> or have it fixed so that the problem doesn't re-occur. If any additional
> information is needed please let me know.
>
> Please CC me directly on any replies as I am only subscribed to the daily
> digest. Thanks.
>
> Jeff Boyce
> Meridian Environmental
> www.meridianenv.com
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
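The diagnostic step in the reply above (group the denials by source type and target type, which is what makes the httpd_t to default_t pattern obvious) and the two labelling fixes it describes, as an added shell example that is not part of the original thread. The sample AVC lines are constructed to match the three quoted in the thread. The type_exists helper assumes the setools "seinfo" tool is installed; it is the check to run before committing to backuppc_var_lib_t, since the reply is unsure that type exists. Nothing here invokes semanage or restorecon: the commands are printed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux/BackupPC projects.
# summarize_avc() groups AVC denials by source type, target type, class and
# permissions; fcontext_cmds() and equivalence_cmds() print the two fixes from
# the reply; type_exists() checks the chosen type against the loaded policy.

# Constructed sample, shaped like the three denials quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1363293351.295:27283): avc: denied { read } for pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1363293351.292:27282): avc: denied { read } for pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1363293361.526:27285): avc: denied { getattr } for pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups" dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# summarize_avc: stdin = raw audit lines (ausearch output is fine);
# stdout = "COUNT SRC_TYPE TGT_TYPE CLASS PERMS", one line per distinct tuple.
# The type is the third colon-separated field of a context (user:role:type:level).
summarize_avc() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      src = tgt = cls = perms = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # permissions sit between the braces: "{ read }" or "{ read write }"
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
      }
      count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | sort
}

# fcontext_cmds TYPE PATH: persistent rule labelling PATH and everything
# below it as TYPE, then the on-disk relabel. -F makes restorecon reset the
# whole context (user and role too), not only the type.
fcontext_cmds() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
  printf 'restorecon -R -v -F %s\n' "$2"
}

# equivalence_cmds SRC DST: make DST's labelling a clone of SRC's (the -e form
# from man semanage). Equivalences cannot be nested, so DST must not already
# sit inside a path covered by another equivalence.
equivalence_cmds() {
  printf 'semanage fcontext -a -e %s %s\n' "$1" "$2"
  printf 'restorecon -R -v %s\n' "$2"
}

# type_exists TYPE: 0 if the loaded policy defines TYPE, 1 if it does not,
# 2 if seinfo (setools) is not installed. Assumes seinfo -t prints the
# matching type name on its own line.
type_exists() {
  command -v seinfo >/dev/null 2>&1 || return 2
  seinfo -t "$1" 2>/dev/null | grep -q "^ *$1\$"
}

# Dry run on the constructed sample: the summary shows every denial is
# httpd_t acting on a default_t file, then the proposed relabel is printed.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
if type_exists backuppc_var_lib_t; then
  fcontext_cmds backuppc_var_lib_t /bkupdata
else
  echo "backuppc_var_lib_t not confirmed in policy (or seinfo missing); falling back to equivalence:"
  equivalence_cmds /var/lib/BackupPC /bkupdata
fi
```

On a real host, pipe `ausearch -m avc -ts recent` into summarize_avc; a summary dominated by one target type of default_t means the path has never been labelled, and the fix is a file context rule, not a permissive domain. The fallback equivalence path /var/lib/BackupPC is an assumption about where the package normally keeps its data; check `semanage fcontext -l | grep -i backuppc` before using it.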