On Tue, 27 Apr 2010 18:23:03 +0200 Johan Cwiklinski <maili...@x-tnd.be> wrote:
> Hello,
>
> On 27/04/2010 17:33, Steve Blackwell wrote:
> > On Mon, 26 Apr 2010 13:02:58 -0400
> > Steve Blackwell <zep...@cfl.rr.com> wrote:
> >
> >> I'm getting a SELinux AVC when trying to connect to my BackupPC
> >> server.
> >>
> >> I found this bug https://bugzilla.redhat.com/show_bug.cgi?id=512035
> >> and in comment 14 it says it was fixed in BackupPC-3.1.0-6.fc11
> >> whereas I am running:
> >>
> >> # rpm -qa | grep BackupPC
> >> BackupPC-3.1.0-9.fc11.noarch
> >>
> >> and I am still seeing the issue.
> >> The SELinux list suggested that the BackupPC policy might not be
> >> installed by default.
> >>
> >> Can anyone tell me the current status of this problem? Fixed?
> >> Fixed but re-occurred? Policy installed by default or no?
> >>
> > I haven't had an answer to this yet but the folks on the SELinux
> > list gave me some instructions on how to fix it. Unfortunately, it
> > did not fix the problem because according to them the .pid file and
> > the .sock file need to be in the /var/run directory and not
> > in /var/log. Also according to the SELinux folks they requested a
> > long time ago that the BackupPC package maintainer correct this but
> > it has not been done.
> >
> > So, a couple of questions:
> >
> > 1) Who is the Fedora package maintainer for BackupPC?
> >
>
> I am. Hi!
>
> > 2) Is there some reason or objection to making the changes as
> > requested by SELinux?
> >
>
> They do not just ask me to change the pid and lock file; but also to
> change the binary dir for example, and that is a very huge change in
> the backuppc code I do not know at all (I'm just a packager, not a
> perl dev). Additionally, I do not have time to do that for now.
>
> > 3) Are there any plans to fix the original problem in F11?
> >
>
> When I used F-11, I had no problems. I've tested under a VM when the
> bug was reported, that worked for me. I can "quickly" fix PID file
> and LOCK file locations (I did not do that already because it was not
> enough having official selinux rules for the daemon according to
> SELinux team). That may solve your issue, I really do not know, let
> me know on the BZ.

BZ=bugzilla?
I had always run SELinux in permissive mode because of the problems I
was having. After talking with the SELinux folks and reinstalling the
targeted policy, I am now running in enforcing mode but I'm experiencing
these issues.

> By the way, I'm using backuppc with SELinux enabled under F-12 with
> exactly the same SELinux rules and files location; and I do not have
> any problems so far.
>
> Basically, just run "restorecon -R -v /var/log/BackupPC" should do
> the trick; files under that directory should be labelled
> "system_u:object_r:httpd_sys_content_t:s0" (the contexts I have on my
> F-12 box) and of course have to be owned by "backuppc" user.

The files in my /var/log/BackupPC were labelled incorrectly and
restorecon wasn't changing anything. I don't know why that was but I
have fixed that now. Even after that, I was still getting write and
connectto denials on /var/log/BackupPC.sock. With the SELinux group's
assistance I can now connect to the BackupPC server but now BackupPC is
not allowed to read the disk where my backups are located.

> On the other hand, I would accept any help improving the Fedora/EPEL
> package with a great pleasure.

Well, I have a little time so I'd be happy to help you. Just tell me how.

Thanks,
Steve
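
The label and ownership check discussed in the message above, as an added example that is not part of the original thread or the BackupPC package. It audits `stat -c '%U %C %n'` records against the owner and SELinux type quoted in the thread; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit owner and SELinux type of files under the BackupPC
# log directory. Input is one "owner context path" record per line, e.g.:
#   find /var/log/BackupPC -exec stat -c '%U %C %n' {} + | audit_labels
EXPECTED_OWNER="backuppc"            # owner named in the thread
EXPECTED_TYPE="httpd_sys_content_t"  # type from the context quoted in the thread

# audit_labels: read records on stdin, print one line per mismatch.
# Returns 0 when every record matches, 1 otherwise.
audit_labels() {
    bad=0
    while read -r owner context path; do
        [ -n "$owner" ] || continue
        # A context is user:role:type:level, so the type is field 3.
        setype=$(printf '%s\n' "$context" | cut -d: -f3)
        if [ "$owner" != "$EXPECTED_OWNER" ]; then
            echo "OWNER $path: $owner (expected $EXPECTED_OWNER)"
            bad=1
        fi
        if [ "$setype" != "$EXPECTED_TYPE" ]; then
            echo "LABEL $path: $setype (expected $EXPECTED_TYPE)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample records (not taken from a real system): one correct
# file, one with the wrong type, one with the wrong owner.
sample_records() {
    cat <<'EOF'
backuppc system_u:object_r:httpd_sys_content_t:s0 /var/log/BackupPC/LOG
backuppc system_u:object_r:var_log_t:s0 /var/log/BackupPC/BackupPC.pid
root system_u:object_r:httpd_sys_content_t:s0 /var/log/BackupPC/status.pl
EOF
}

# Demo run on the constructed records; "|| true" keeps the script's exit
# status clean even though mismatches are reported.
sample_records | audit_labels || true
```

A `LABEL` line that persists after running `restorecon` means the loaded policy's file contexts do not assign the expected type to that path, which matches the situation described above where `restorecon` changed nothing.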