Bacula-users

Re: [Bacula-users] Webacula cannot execute bconsole

2012-11-21 09:15:26
Subject: Re: [Bacula-users] Webacula cannot execute bconsole
From: Simone Caronni <negativo17 AT gmail DOT com>
To: "Clark, Patricia A." <clarkpa AT ornl DOT gov>
Date: Wed, 21 Nov 2012 15:11:13 +0100

Can you do the following?
I'm assuming you are on Fedora or RHEL.

1) Install policycoreutils-python
2) Erase the audit log
3) Launch webacula
4) Check for denials

In detail:

# yum -y install policycoreutils-python
# > /var/log/audit/audit.log
[start webacula or whatever]
# audit2allow -a

Please paste the output here. Probably it can be fixed by a SELinux
boolean or a context change on the binary.

Regards,
--Simone



On 21 November 2012 14:28, Clark, Patricia A. <clarkpa AT ornl DOT gov> wrote:
>
> From: Ryan Jantz <rjantz AT scifit DOT com>
> Date: Tuesday, November 20, 2012 6:06 PM
> To: "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>
> Subject: Re: [Bacula-users] Webacula cannot execute bconsole
>
> Hello again. So I've been reading and learning (a little) about SELinux 
> today, but I haven't made much progress. Setting SELinux to permissive 
> resolves the error. SELinux context on my /var/www/webacula is:
> drwxr-xr-x.  apache apache  system_u:object_r:httpd_sys_content_t:s0
>
> Entries in /var/log/messages are:
> bconsole: bsock.c:135 Unable to connect to Director daemon on localhost:9101. 
> ERR=Permission denied
>
> My interpretation of that error is bconsole is not able to connect to 
> bacula-dir, but I can manually start bconsole. It seems the problem is when 
> apache or webacula tries to start bconsole.
>
> SELinux context on /usr/sbin/bacula-dir:
> lrwxrwxrwx.  root root  unconfined_u:object_r:bin_t:s0
>
> SELinux context on /usr/sbin/bconsole:
> -rwxr-x---.  root bacula  system_u:object_r:bin_t:s0
>
> I'm not sure what permissions need to be modified. Any ideas?
>
> Thanks
>
> On 11/20/2012 6:31 AM, Ryan Jantz wrote:
> Yes.
>
> I figured out SELinux is the problem. If I disable it, the errors stop. Now 
> to figure out how to configure SELinux so it plays nice with Apache.
>
> Thanks
>
> On Nov 20, 2012, at 2:17 AM, Radosław Korzeniewski <radoslaw AT korzeniewski DOT net> wrote:
>
> Hello,
>
> 2012/11/19 Ryan Jantz <rjantz AT scifit DOT com>
> I am able to run the above command in terminal as root and the apache user 
> without any errors. The apache user is a member of the bacula group.
> (...)
> Any ideas?
>
> Did you restart an apache webserver?
>
> best regards
> --
> Radosław Korzeniewski
> radoslaw AT korzeniewski DOT net
> ------------------------------------------------------------------------------
> SELinux is not a simple modify-permissions type of fix.  You will need to 
> create the policies within SELinux in order to provide the "permissions" in 
> the extended attributes that allow Webacula to interact with the director.  
> This is not a trivial exercise, but would be quite valuable to the community 
> if successful.  This is why many shops don't consistently use SELinux in 
> enforcing mode.
>
> Patti Clark
> Linux System Administrator
> Research and Development Systems Support Oak Ridge National Laboratory
>
>
>
>
> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users



-- 
You cannot discover new oceans unless you have the courage to lose
sight of the shore (R. W. Emerson).
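
As an added example (not part of the original message and not Bacula or Webacula code), the Python sketch below shows what step 4 reads out of /var/log/audit/audit.log: it groups AVC denials by source type, target type and class, the grouping that `audit2allow -a` reports. The log lines are constructed, and `example_port_t` and `example_conf_t` are placeholder type names, not labels taken from the poster's system.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the poster's system).
# example_port_t / example_conf_t are placeholder type names.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1353506400.101:412): avc:  denied  { name_connect } for  pid=2817 comm="bconsole" dest=9101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1353506400.101:412): arch=c000003e syscall=42 success=no exit=-13 comm="bconsole" exe="/usr/sbin/bconsole"
type=AVC msg=audit(1353506460.220:419): avc:  denied  { name_connect } for  pid=2903 comm="bconsole" dest=9101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1353506461.007:420): avc:  denied  { read open } for  pid=2903 comm="bconsole" name="bconsole.conf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
type=AVC msg=audit(1353506470.500:425): avc:  granted  { setenforce } for  pid=3001 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches denied AVC records only; "granted" records do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m is None:
            continue  # SYSCALL records, granted AVCs, malformed lines
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        entry = summary[key]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        entry["count"] += 1
    return dict(summary)

def as_allow_rules(summary):
    """Render each group in the allow-rule style audit2allow prints."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

Treat the printed rules as a description of what was denied; the message above expects the fix to be a SELinux boolean or a context change.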
