SELinux issue with BackupPC 3.1.0 on Fedora 6
Tony Molloy
tony.molloy at ul.ie
Wed Jul 30 07:50:26 UTC 2008
On Wednesday 30 July 2008 02:00:18 Aleksey Tsalolikhin wrote:
> Hi. I am trying to get BackupPC working on a Fedora Core 6 server.
>
> I installed BackupPC with "yum install backuppc" and "yum install httpd".
>
> But when I fire up the Web interface, it says
>
> Error: Unable to connect to BackupPC server
>
>
> And I have an SE Linux error message:
>
> avc: denied { write } for pid=5120 comm="perl5.8.8"
> name="BackupPC.sock" dev=dm-0 ino=56393744
> scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file
>
> If I turn off SE Linux, BackupPC works fine. But per our policy,
> this server must have SE Linux turned on.
>
> How to make this work, please?
>
> Best,
> Aleksey

First, you really should upgrade to a supported version of Fedora or to CentOS.

Second, I have a very similar problem with BackupPC on CentOS 5.2. I installed
BackupPC from source rather than use the rpm in the CentOS testing repos.
Everything is working fine except for a similar "BackupPC.sock" SELinux
error.

type=AVC msg=audit(1216986223.223:145): avc: denied { write } for pid=7667
comm="httpd" name="BackupPC.sock" dev=sda5 ino=3094722
scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=sock_file

What I did as a temporary workaround was to disable SELinux protection for the
httpd daemon.

I then generated and installed a local policy to allow access.

1. Generate local policy

$ grep http /var/log/audit/audit.log | audit2allow -m myhttp > myhttp.te

2. Compile the module

$ checkmodule -M -m -o local.mod myhttp.te

3. Create the package

$ semodule_package -o myhttp.pp -m local.mod

4. Load the module into the kernel

$ semodule -i myhttp.pp

Now to see if that works ;-)

Seems to. I can now access the GUI with SELinux enabled for the httpd daemon.

Tony.
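
Added example, not part of the original message: the `grep http` in step 1 matches every audit record that mentions http, so myhttp.te can end up allowing more than the BackupPC.sock write. The sketch below lists only the allow rules that correspond to denials on that socket, for comparison with the generated .te file before it is loaded. The function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records: the first two are the denials quoted in this
# thread, joined onto one line each (the msg= stamp on the second is made up);
# the third is invented to stand in for an unrelated httpd denial.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1216986223.223:145): avc: denied { write } for pid=7667 comm="httpd" name="BackupPC.sock" dev=sda5 ino=3094722 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=sock_file
type=AVC msg=audit(1217383218.000:101): avc: denied { write } for pid=5120 comm="perl5.8.8" name="BackupPC.sock" dev=dm-0 ino=56393744 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file
type=AVC msg=audit(1217383300.000:102): avc: denied { read } for pid=7667 comm="httpd" name="messages" dev=sda5 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# avc_rules NAME: read audit records on stdin and print one allow rule per
# distinct AVC denial whose object is NAME, so the result can be compared
# with the .te file before checkmodule and semodule are run.
avc_rules() {
    awk -v want="$1" '
    /avc: +denied/ {
        name = src = tgt = cls = perms = ""
        # The denied permissions sit between the braces: { write }
        a = index($0, "{"); b = index($0, "}")
        if (a && b > a) perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # Skip other objects and any record that did not parse completely.
        if (name != want || src == "" || tgt == "" || cls == "" || perms == "") next
        rule = "allow " src " " tgt ":" cls " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

sample_log | avc_rules BackupPC.sock
```

On a live host, pipe /var/log/audit/audit.log into avc_rules in place of sample_log.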