BackupPC SELinux HELP!

2020-02-18 Thread Richard Shaw
I've got a bug report[1] I've been trying to figure out but have not been
able to figure it out.

I keep re-teaching myself SELinux every time I run into a problem but this
one is just too convoluted. For those that don't know BackupPC is perl
based (which doesn't application of selinux contexts) so I have to compile
a C wrapper, and then all of it is run through apache.

The existing selinux settings in the spec file[2] have worked well for many
years across multiple Fedora and EPEL releases until now...

So is initrc_t still appropriate? Or is there a systemd equivalent? And is
that what he's suggesting?

I tried applying his patch to the spec but it broke BackupPC on my CentOS 7
server even though it's systemd based.

I've played with creating a service domain for backuppc but not sure if I
need to go that far since everything is run through httpd...

Thanks,
Richard

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1791369
[2] https://src.fedoraproject.org/rpms/BackupPC/blob/master/f/BackupPC.spec
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


Re: BackupPC selinux help

2019-09-04 Thread John Florian

On 2019-09-04 10:40, Richard Shaw wrote:
> On Wed, Sep 4, 2019 at 9:36 AM John Florian wrote:
>
> > On 2019-08-30 13:51, Richard Shaw wrote:
> > > He's already tried restorecon, changed from a symlink to a bind mount
> > > (for the backup root)...
> >
> > Maybe a dumb Q, but have you tried doing the same?  Maybe it's your host
> > that's not per defaults.
>
> I'm not quite sure what you mean. I don't have the problem with my
> install and I haven't been able to reproduce the problem.

I mean have *you* run restorecon?  Could it be that your host is simply
mislabeled?


Re: BackupPC selinux help

2019-09-04 Thread Richard Shaw
On Wed, Sep 4, 2019 at 9:36 AM John Florian wrote:

> On 2019-08-30 13:51, Richard Shaw wrote:
> > He's already tried restorecon, changed from a symlink to a bind mount
> > (for the backup root)...
>
> Maybe a dumb Q, but have you tried doing the same?  Maybe it's your host
> that's not per defaults.
>

I'm not quite sure what you mean. I don't have the problem with my install
and I haven't been able to reproduce the problem.

Thanks,
Richard


Re: BackupPC selinux help

2019-09-04 Thread John Florian

On 2019-08-30 13:51, Richard Shaw wrote:
> He's already tried restorecon, changed from a symlink to a bind mount
> (for the backup root)...

Maybe a dumb Q, but have you tried doing the same?  Maybe it's your host
that's not per defaults.



BackupPC selinux help

2019-08-30 Thread Richard Shaw
I've got a bug report[1] for BackupPC where the user is having issues with
AVC denials when browsing hosts.

This is actually from my COPR but it's the same SRPM I use for Fedora.
There are almost 50k downloads and this is the only report of a problem so
I don't think there's a fundamental issue with the package but I would
still like to help them out.

They are getting AVC denials when browsing hosts which seems to cause
BackupPC_Admin to write LOCK files in the subdirectories of
/var/lib/BackupPC/. I can find plenty of LOCK files written in my instance
of BackupPC on CentOS 7 (same as the user) but NO AVC denials for me.

Here's a snippet from the bug:

$ sudo tail -f /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1567181425.724:40002): avc:  denied  { write } for
 pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc:  denied  { write } for
 pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
...

It happens once for every host he backs up so the inodes are different but
the error is the same for all.

Currently the selinux policy built into the package doesn't modify
/var/lib/BackupPC but in my experience it hasn't needed to.

He's already tried restorecon, changed from a symlink to a bind mount (for
the backup root)...

I'm hesitant to modify the selinux policy when I can reproduce the
problem...

Ideas?


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1746598