Re: [BackupPC-users] SELinux preventing server connection.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello,

Le 27/04/2010 17:33, Steve Blackwell a écrit :
> On Mon, 26 Apr 2010 13:02:58 -0400
> Steve Blackwell <ze...@cf...> wrote:
>
>   
>> I'm getting a SELinux AVC when trying to connect to my BackupPC
>> server.
>>
>> I found this bug https://bugzilla.redhat.com/show_bug.cgi?id=512035
>> and in comment 14 it says it was fixed in BackupPC-3.1.0-6.fc11
>> whereas I am running:
>>
>> # rpm -qa | grep BackupPC
>> BackupPC-3.1.0-9.fc11.noarch
>>
>> and I am still seeing the issue.
>> The SELinux list suggested that the BackupPC policy might not be
>> installed by default.
>>
>> Can anyone tell the the current status of this problem? Fixed? Fixed
>> but re-occured? Policy installed by default or no?
>>     
> I haven't had an answer to this yet but the folks on the SELinux list
> gave me some instructions on how to fix it. Unfortunately, it did not
> fix the problem because according to them the .pid file and the .sock
> file need to be in the /var/run directory and not in /var/log. Also
> according to the SELinux folks they requested a long time ago that the
> BackupPC package maintainer correct this but it has not been done.
>
> So, a couple of questions:
>
> 1) Who is the Fedora package maintainer for BackupPC?
>   

I am.

> 2) Is there some reason or objection to making the changes as requested
> by SELinux?
>   

They do not just ask me to change the pid and lock file ; but also to
change the binary dir for example, and that is a very huge change in the
backuppc code I do not know at all (I'm just a packager, not a perl
dev). Additionnaly, I do not have time to do that for now.

> 3) Are there any plans to fix the original problem in F11?
>   

When I used F-11, I had no problems. I've tested under a VM when the bug
was reported, that worked for me. I can "quickly" fix PID file and LOCK
file locations (I did not do that already because it was not enought
having official selinux rules for the daemon according to SELinux team).
That may solve your issue, I really do not know, let me know on the BZ.

By the way, I'm using backuppc with SELinux enabled under F-12 with
exactly the same SELinux rules and files location ; and I do not have
any problems so far.

Basically, just run "restorecon -R -v /var/log/BackupPC" should does the
trick ; files under that directory should be labelled 
"system_u:object_r:httpd_sys_content_t:s0" (the contexts I have on my
F-12 box) and of course have to be owned by "backuppc" user.

On the other hand, I would accept any help improving the Fedora/EPEL
package with a great pleasure.

> Thanks,
> Steve
>   

Regards,
Johan