SELinux vs BackupPC web interface
George Avrunin
avrunin at math.umass.edu
Fri Nov 16 02:13:19 UTC 2007
I have BackupPC-3.0.0-3.fc8 installed on a fully updated Fedora 8
machine (clean install, not an upgrade). I have put the BackupPC_Admin
script (the web interface) in /var/www/cgi-bin/BackupPC/, which is
where I had it in a non-rpm installation under FC 6, which is what I
had on this machine before F8.
By fiddling with booleans, I had gotten the web interface to run fine under
FC6. But now I have to set selinux to permissive to use the web
interface. I get the following sort of thing in sealert:
Summary
SELinux is preventing /usr/bin/sperl5.8.8 (httpd_sys_script_t)
"setuid" to (httpd_sys_script_t).
Detailed Description
SELinux denied access requested by /usr/bin/sperl5.8.8. It is not
expected that this access is required by /usr/bin/sperl5.8.8 and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.
Additional Information
Source Context: system_u:system_r:httpd_sys_script_t:s0
Target Context: system_u:system_r:httpd_sys_script_t:s0
Target Objects: None [ capability ]
Affected RPM Packages: perl-suidperl-5.8.8-31.fc8 [application]
Policy RPM: selinux-policy-3.0.8-47.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall
Host Name: g2
Platform: Linux g2 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007
i686 i686
Alert Count: 15
First Seen: Sun 11 Nov 2007 12:18:32 PM EST
Last Seen: Thu 15 Nov 2007 08:50:48 PM EST
Local ID: 3601b195-d0fb-4477-b969-c6f87a3a5fc9
Line Numbers:
Raw Audit Messages :
avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493
exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0
pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48
subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
For now, I'm working around it by setting selinux to permissive while
I use the web interface, and then setting it back to enforcing. But
I'd rather sort out why it's not working--I've probably missed some
obvious configuration setting. I would be grateful for any
suggestions for straightening this out.
Thanks,
George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20071115/f195af6b/attachment-0001.bin
More information about the users
mailing list