From: Johan C. <mai...@x-...> - 2010-04-27 16:49:53
Hello,

On 27/04/2010 17:33, Steve Blackwell wrote:
> On Mon, 26 Apr 2010 13:02:58 -0400
> Steve Blackwell <ze...@cf...> wrote:
>
>> I'm getting a SELinux AVC when trying to connect to my BackupPC
>> server.
>>
>> I found this bug https://bugzilla.redhat.com/show_bug.cgi?id=512035
>> and in comment 14 it says it was fixed in BackupPC-3.1.0-6.fc11
>> whereas I am running:
>>
>> # rpm -qa | grep BackupPC
>> BackupPC-3.1.0-9.fc11.noarch
>>
>> and I am still seeing the issue.
>> The SELinux list suggested that the BackupPC policy might not be
>> installed by default.
>>
>> Can anyone tell me the current status of this problem? Fixed? Fixed
>> but re-occurred? Policy installed by default or no?
>>
> I haven't had an answer to this yet but the folks on the SELinux list
> gave me some instructions on how to fix it. Unfortunately, it did not
> fix the problem because according to them the .pid file and the .sock
> file need to be in the /var/run directory and not in /var/log. Also
> according to the SELinux folks they requested a long time ago that the
> BackupPC package maintainer correct this but it has not been done.
>
> So, a couple of questions:
>
> 1) Who is the Fedora package maintainer for BackupPC?
>

I am.

> 2) Is there some reason or objection to making the changes as requested
> by SELinux?
>

They do not just ask me to change the pid and lock file; but also to change the binary dir for example, and that is a very huge change in the backuppc code I do not know at all (I'm just a packager, not a perl dev). Additionally, I do not have time to do that for now.

> 3) Are there any plans to fix the original problem in F11?
>

When I used F-11, I had no problems. I've tested under a VM when the bug was reported, that worked for me. I can "quickly" fix PID file and LOCK file locations (I did not do that already because it was not enough having official selinux rules for the daemon according to SELinux team).

That may solve your issue, I really do not know, let me know on the BZ. By the way, I'm using backuppc with SELinux enabled under F-12 with exactly the same SELinux rules and files location; and I do not have any problems so far. Basically, just running "restorecon -R -v /var/log/BackupPC" should do the trick; files under that directory should be labelled "system_u:object_r:httpd_sys_content_t:s0" (the contexts I have on my F-12 box) and of course have to be owned by "backuppc" user. On the other hand, I would accept any help improving the Fedora/EPEL package with great pleasure.

> Thanks,
> Steve
>

Regards,
Johan
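The following is an added example, not part of the message above and not code from the BackupPC package: a small audit that reports which files deviate from the owner and SELinux context quoted in the reply. The function names and the sample records are constructed for illustration; the live invocation in the final comment assumes GNU find on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example: check owner and SELinux label of files under the
# BackupPC log directory against the values quoted in the message.
EXPECTED_OWNER="backuppc"
EXPECTED_CONTEXT="system_u:object_r:httpd_sys_content_t:s0"

# Reads "owner context path" records on stdin (one per line).
# Prints one line per mismatch; returns 0 if all match, 1 otherwise.
audit_listing() {
    bad=0
    while read -r owner context path; do
        [ -n "$owner" ] || continue          # skip blank lines
        if [ "$owner" != "$EXPECTED_OWNER" ]; then
            echo "OWNER   $path: $owner (want $EXPECTED_OWNER)"
            bad=1
        fi
        if [ "$context" != "$EXPECTED_CONTEXT" ]; then
            echo "CONTEXT $path: $context (want $EXPECTED_CONTEXT)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample records (not taken from a real system):
# one correct file, one mislabelled file, one wrongly owned file.
sample_listing() {
cat <<'EOF'
backuppc system_u:object_r:httpd_sys_content_t:s0 /var/log/BackupPC/LOG
backuppc system_u:object_r:var_log_t:s0 /var/log/BackupPC/BackupPC.pid
root system_u:object_r:httpd_sys_content_t:s0 /var/log/BackupPC/BackupPC.sock
EOF
}

# Live use (GNU find prints the context with %Z on SELinux hosts):
#   find /var/log/BackupPC -printf '%u %Z %p\n' | audit_listing
# Dry run on the constructed records:
#   sample_listing | audit_listing
```

A CONTEXT line is what `restorecon -R -v` would correct; an OWNER line needs a separate ownership fix, since restorecon only touches labels.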