On Tue, 27 Apr 2010 18:23:03 +0200
Johan Cwiklinski <mailings AT x-tnd DOT be> wrote:

> Hello,
> 
> Le 27/04/2010 17:33, Steve Blackwell a écrit :
> > On Mon, 26 Apr 2010 13:02:58 -0400
> > Steve Blackwell <zephod AT cfl.rr DOT com> wrote:
> >
> >   
> >> I'm getting a SELinux AVC when trying to connect to my BackupPC
> >> server.
> >>
> >> I found this bug https://bugzilla.redhat.com/show_bug.cgi?id=512035
> >> and in comment 14 it says it was fixed in BackupPC-3.1.0-6.fc11
> >> whereas I am running:
> >>
> >> # rpm -qa | grep BackupPC
> >> BackupPC-3.1.0-9.fc11.noarch
> >>
> >> and I am still seeing the issue.
> >> The SELinux list suggested that the BackupPC policy might not be
> >> installed by default.
> >>
> >> Can anyone tell the the current status of this problem? Fixed?
> >> Fixed but re-occured? Policy installed by default or no?
> >>     
> > I haven't had an answer to this yet but the folks on the SELinux
> > list gave me some instructions on how to fix it. Unfortunately, it
> > did not fix the problem because according to them the .pid file and
> > the .sock file need to be in the /var/run directory and not
> > in /var/log. Also according to the SELinux folks they requested a
> > long time ago that the BackupPC package maintainer correct this but
> > it has not been done.
> >
> > So, a couple of questions:
> >
> > 1) Who is the Fedora package maintainer for BackupPC?
> >   
> 
> I am.

Hi!

> > 2) Is there some reason or objection to making the changes as
> > requested by SELinux?
> >   
> 
> They do not just ask me to change the pid and lock file ; but also to
> change the binary dir for example, and that is a very huge change in
> the backuppc code I do not know at all (I'm just a packager, not a
> perl dev). Additionnaly, I do not have time to do that for now.
> 
> > 3) Are there any plans to fix the original problem in F11?
> >   
> 
> When I used F-11, I had no problems. I've tested under a VM when the
> bug was reported, that worked for me. I can "quickly" fix PID file
> and LOCK file locations (I did not do that already because it was not
> enought having official selinux rules for the daemon according to
> SELinux team). That may solve your issue, I really do not know, let
> me know on the BZ.

BZ=bugzilla?

I had alway run SELinux in permissive mode because of the problems I
was having. After talking with the SELinux folks and reinstalling the
targeted policy, I am now running in enforcing mode but I'm
experiencing these issues.

> By the way, I'm using backuppc with SELinux enabled under F-12 with
> exactly the same SELinux rules and files location ; and I do not have
> any problems so far.
> 
> Basically, just run "restorecon -R -v /var/log/BackupPC" should does
> the trick ; files under that directory should be labelled 
> "system_u:object_r:httpd_sys_content_t:s0" (the contexts I have on my
> F-12 box) and of course have to be owned by "backuppc" user.

The files in my /var/log/BackupPC were labelled incorrectly and
restorecon wasn't changing anything. I don't know why that was but I
have fixed that now. Even after that, I was still getting write and
connectto denials on /var/log/BackupPC.sock.

With the SELinux group's assistant I can now connect to the
BackupPc server but now BackupPC is not allowed to read the disk where
my backups are located.

> On the other hand, I would accept any help improving the Fedora/EPEL
> package with a great pleasure.

Well I have a little time so I'd be happy to help you. Just tell me how.

Thanks,
Steve

------------------------------------------------------------------------------
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:    http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/