Our setup is a little different than yours, but this is the SELinux module I 
deploy to my BackupPC server with these steps:
semodule -r backuppc
checkmodule -M -m -o /tmp/backuppc.mod /tmp/backuppc.te
semodule_package -o /tmp/backuppc.pp -m /tmp/backuppc.mod
semodule -i /tmp/backuppc.pp

We also set these SELinux Booleans
setsebool httpd_read_user_content 1
setsebool httpd_use_nfs 1    # our data store is on NFS


Contents of /tmp/backuppc.te:

module backuppc 1.0;

require {
    type etc_t;
    type var_log_t;
    type net_conf_t;
    type user_tmp_t;
    type httpd_sys_script_t;
    class file { write rename read create unlink open };
    class dir { search read write getattr remove_name open add_name };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t etc_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t etc_t:file { write rename create unlink };
allow httpd_sys_script_t var_log_t:dir read;
allow httpd_sys_script_t var_log_t:file { read open };
allow httpd_sys_script_t net_conf_t:file { read write open rename create unlink };
allow httpd_sys_script_t user_tmp_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t user_tmp_t:file { write rename create unlink };



> On Aug 28, 2019, at 09:45, Jamie Burchell <ja...@ib3.uk> wrote:
> 
> Hi
>  
> I’m having trouble with SELinux reporting:
>  
> avc:  denied  { write } for  pid=15496 comm="BackupPC_Admin" name="LOCK" 
> dev="sda1" ino=201443561 scontext=system_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
>  
> The issue (and supposed answer) is mentioned here:
>  
> https://lists.fedoraproject.org/pipermail/selinux/2013-March/015287.html
>  
> I have replaced /var/lib/BackupPC with a symlink to 
> /mnt/volume_lon1_01_part1/BackupPC
>  
> As far as I can tell, the default context for /var/lib/BackupPC is 
> “system_u:object_r:var_lib_t:s0” and this is what I have set on 
> “/mnt/volume_lon1_01_part1/BackupPC”.
>  
> So the context appears to be correct, and I’ve run restorecon -R 
> /var/lib/BackupPC but the messages still persist.
>  
> Anybody know how to fix this?
>  
> I should mention that everything appears to be working fine.
>  
> Thanks,
> Jamie
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net 
> <mailto:BackupPC-users@lists.sourceforge.net>
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users 
> <https://lists.sourceforge.net/lists/listinfo/backuppc-users>
> Wiki:    http://backuppc.wiki.sourceforge.net 
> <http://backuppc.wiki.sourceforge.net/>
> Project: http://backuppc.sourceforge.net/ <http://backuppc.sourceforge.net/>
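
Added example (not part of either message, and not BackupPC or SELinux project code): a Python check that parses the AVC denial quoted above and reports which of its permissions are not granted by the allow rules of a .te file such as the one in the reply. It assumes literal single-type allow rules in the module text only and does not consult the loaded base policy, attributes or booleans; the function names are illustrative.

```python
import re

# The denial quoted in the original post (log line copied from the thread).
AVC = ('avc:  denied  { write } for  pid=15496 comm="BackupPC_Admin" name="LOCK" '
       'dev="sda1" ino=201443561 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0')

# allow rules from the backuppc.te in the reply, wrapped lines joined.
TE_RULES = """
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t etc_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t etc_t:file { write rename create unlink };
allow httpd_sys_script_t var_log_t:dir read;
allow httpd_sys_script_t var_log_t:file { read open };
allow httpd_sys_script_t net_conf_t:file { read write open rename create unlink };
allow httpd_sys_script_t user_tmp_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t user_tmp_t:file { write rename create unlink };
"""

RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\w+))\s*;')

def parse_avc(line):
    """Return (source type, target type, class, permission set) of one denial."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    ctx = dict(re.findall(r'\b(scontext|tcontext|tclass)=(\S+)', line))
    if perms is None or len(ctx) != 3:
        raise ValueError('not an AVC denial: %r' % line)
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = (ctx[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return src, tgt, ctx['tclass'], set(perms.group(1).split())

def parse_allow_rules(te_text):
    """Map (source, target, class) -> permissions granted by literal allow rules."""
    rules = {}
    for src, tgt, cls, braced, single in RULE_RE.findall(re.sub(r'#.*', '', te_text)):
        rules.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return rules

def missing_perms(avc_line, te_text):
    """Return the denial's rule key and the permissions the module does not grant."""
    src, tgt, cls, perms = parse_avc(avc_line)
    granted = parse_allow_rules(te_text).get((src, tgt, cls), set())
    return (src, tgt, cls), perms - granted

if __name__ == '__main__':
    key, missing = missing_perms(AVC, TE_RULES)
    print(key, 'not granted by module:', sorted(missing))
```

Run against the quoted denial, it reports write on (httpd_t, var_lib_t, file) as not granted by the module text, whose rules all have httpd_sys_script_t as the source type.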