[CentOS] BackupPC 3.1.0 on CentOS 5.2 triggers SE Linux denial

Fri Aug 1 11:46:40 UTC 2008
Johnny Hughes <johnny at centos.org>

Johnny Hughes wrote:
> Johnny Hughes wrote:
>> Aleksey Tsalolikhin wrote:
>>> Hi.   I've installed BackupPC 3.1.0 from Testing repository, to Cent
>>> OS 5.2 x86_64, and I am hitting an SE Linux denial - the httpd cannot
>>> talk to the BackupPC socket:
>>>
>>> type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc:  denied  {
>>> connectto } for  pid=11767 comm=httpd
>>> path=/var/log/BackupPC/BackupPC.sock
>>> scontext=user_u:system_r:httpd_t:s0
>>> tcontext=user_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>>>
>>> type=AVC msg=audit(07/31/2008 17:18:53.623:410) : avc:  denied  {
>>> write } for  pid=11767 comm=httpd name=BackupPC.sock dev=md0
>>> ino=39813253 scontext=user_u:system_r:httpd_t:s0
>>> tcontext=user_u:object_r:var_log_t:s0 tclass=sock_file
>>>
>>> Is there an easy way to fix this, like setting the BackupPC.sock file
>>> universally writeable?  I don't know SE Linux and right now my
>>> objective is to get BackupPC up and running.
>>>
>>> I've turned SE Linux off for now, but that's temporary until I get a
>>> more targeted fix.
>>
>> if you take the text file that contains the issues, and use this 
>> command, it will tell you what to do:
>>
>> audit2allow -i <path_to_file>
>>
>> in this case, it says to do this:
>>
>> allow httpd_t initrc_t:unix_stream_socket connectto;
>> allow httpd_t var_log_t:sock_file write;
>>
> 
> To finish this up ...
> 
> audit2allow -i <path_to_file> -M backkuppc
> 

CRAP ... that should be backuppc :D

> then
> 
> semodule -i backuppc.pp
> 
> that should install the new module ...
> 
> see "man audit2allow" and "man semodule" for more info


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20080801/b45cb7e9/attachment-0005.sig>