Issue with SELinux and BackupPC backup directory at non-standard location

Dominick Grift dominick.grift at gmail.com
Sat Mar 16 08:55:33 UTC 2013


On Fri, 2013-03-15 at 16:14 -0700, Jeff Boyce wrote:

> In reviewing my SELinux contexts listed above, I noticed that the group
> assignment for the directories under /bkupdata is root. I have subsequently
> changed them to backuppc, and shutdown the backuppc service, shutdown and
> restarted the http service, then restarted the backuppc service. The same
> errors persist after this change, so the issue was not just with an
> incorrect group setting.
> 
> Here is a representative sample of the SELinux audit messages that are 
> occurring:
> 

The AVC denials all have some things in common:

1. the source type of the operation is httpd_t
2. the target type of the operation is default_t

httpd_t is the webserver process type.

default_t is a special type. This type is assigned to locations unknown
to SELinux.

In this case SELinux is not aware of your exotic "/bkupdata" mountpoint.

Everything on a system is classified using types. That way SELinux knows
if and what access it should grant to any given source.

So what you should do is, you should classify /bkupdata and the content
in there by assigning it an appropriate type.

You should use the existing type for this.

So basically you should look at an existing location that is similar to
your new location and consider using the same type.

There is a command that makes it easy to "clone" file contexts but it
has its limits (you cannot nest them, so use them wisely).

I will give you one very simple example:

let's say that /bkupdata is really just the same as /var but just in
an exotic location. That would mean that you could clone the file
contexts for /var and use them on /bkupdata as well.

man semanage has an example of how to use the fcontext equivalence
functionality:

# semanage fcontext -a -e /var /bkupdata
# restorecon -R -v /bkupdata

That will make the contexts of bkupdata equivalent to that of /var

Remember though that you cannot nest them.

It's up to you to find the appropriate types to use. I do not know the
properties of your /bkupdata location.

I can see a backup directory and I also see that httpd_t is trying to
access content on your /bkupdata mountpoint.

You may be able to fix this by just using the backuppc_var_lib_t (I am
not even sure if that type exists) type for the whole mountpoint:

semanage fcontext -a -t backuppc_var_lib_t "/bkupdata(/.*)?"
restorecon -R -v -F /bkupdata 

> ----
> 
> time->Thu Mar 14 13:35:51 2013
> 
> type=SYSCALL msg=audit(1363293351.295:27283): arch=c000003e syscall=2 
> success=no exit=-13 a0=1437b70 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813 
> pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." 
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> type=AVC msg=audit(1363293351.295:27283): avc:  denied  { read } for 
> pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673 
> scontext=system_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=file
> 
> ----
> 
> time->Thu Mar 14 13:35:51 2013
> 
> type=SYSCALL msg=audit(1363293351.292:27282): arch=c000003e syscall=2 
> success=no exit=-13 a0=1437b10 a1=0 a2=1b6 a3=3c1711dbe0 items=0 ppid=1813 
> pid=4379 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." 
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> type=AVC msg=audit(1363293351.292:27282): avc:  denied  { read } for 
> pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307 
> scontext=system_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=file
> 
> ----
> 
> time->Thu Mar 14 13:36:01 2013
> 
> type=SYSCALL msg=audit(1363293361.526:27285): arch=c000003e syscall=4 
> success=no exit=-13 a0=1630140 a1=1569130 a2=1569130 a3=21 items=0 ppid=1806 
> pid=4400 auid=4294967295 uid=496 gid=48 euid=496 suid=496 fsuid=496 egid=48 
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="BackupPC_Admin." 
> exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> type=AVC msg=audit(1363293361.526:27285): avc:  denied  { getattr } for 
> pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups" 
> dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=file
> 
> ----
> 
> 
> I have read through the RedHat SELinux users guide and understand from this 
> and looking at the above messages that my target context is probably not 
> what it should be for this.  I am hoping someone can guide me to get this 
> corrected in a proper way without making a blanket permissive policy.  Also 
> I would like to make sure that if I have to expand my partition again, I 
> don't want to have to go through the same pain of discovering the problem, 
> or have it fixed so that the problem doesn't re-occur.  If any additional 
> information is needed please let me know.
> 
> Please CC me directly on any replies as I am only subscribed to the daily 
> digest.  Thanks.
> 
> Jeff Boyce
> Meridian Environmental
> www.meridianenv.com
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
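The diagnosis above comes down to reading the AVC records: every denial has source type httpd_t and target type default_t, which marks content at a path the policy has no label for. The following is an added example, not part of this thread or of any SELinux tool. It parses AVC lines in the format quoted in the thread (the three records embedded below are the ones from the message, with the wrapped lines re-joined), groups the denials by source type, target type and object class, flags the groups whose target is default_t, and emits the relabelling commands the reply suggests. The mountpoint and the type name passed to suggest_relabel are the caller's choice; the example does not assert that backuppc_var_lib_t exists.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in the thread, re-joined onto one
# line each. Nothing else on the page is used.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1363293351.295:27283): avc:  denied  { read } for '
    'pid=4379 comm="BackupPC_Admin." name="backups" dev=vdd1 ino=4218673 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1363293351.292:27282): avc:  denied  { read } for '
    'pid=4379 comm="BackupPC_Admin." name="LOCK" dev=vdd1 ino=4194307 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1363293361.526:27285): avc:  denied  { getattr } for '
    'pid=4400 comm="BackupPC_Admin." path="/bkupdata/pc/jab-opti755/backups" '
    'dev=vdd1 ino=4218673 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file',
]

# "avc:  denied  { read getattr } for <key=value ...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted strings" or runs of non-space
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        # the kernel logs either a full path= or just the last component as name=
        'path': fields.get('path') or fields.get('name'),
    }


def type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return dict(groups)


def unlabeled_targets(summary):
    """Groups whose target type is default_t, i.e. content SELinux has no label for.
    These are fixed by labelling the path, not by writing an allow rule."""
    return sorted(k for k in summary if k[1] == 'default_t')


def suggest_relabel(mountpoint, target_type):
    """The two commands from the reply: a file-context rule for the whole
    mountpoint and a forced recursive relabel. target_type is not checked here;
    verify it exists with `seinfo -t` or `semanage fcontext -l` before running."""
    return [
        f'semanage fcontext -a -t {target_type} "{mountpoint}(/.*)?"',
        f'restorecon -R -v -F {mountpoint}',
    ]


if __name__ == '__main__':
    summary = summarize(SAMPLE_AVC_LINES)
    for (src, tgt, cls), perms in summary.items():
        print(f'{src} -> {tgt} ({cls}): {" ".join(sorted(perms))}')
    for src, tgt, cls in unlabeled_targets(summary):
        print(f'unlabeled content reached by {src}; suggested fix:')
        # /bkupdata and backuppc_var_lib_t are taken from the thread
        for cmd in suggest_relabel('/bkupdata', 'backuppc_var_lib_t'):
            print('  ' + cmd)
```

Running it on the three records prints a single group, httpd_t reaching default_t files for read and getattr, followed by the two commands. On a real host the same functions can be fed the output of `ausearch -m avc --raw`; a summary with several distinct target types usually means the mountpoint holds content that should carry more than one label, which is the case where cloning an existing tree's contexts with `semanage fcontext -a -e` fits better than one blanket type.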



