SELinux for BackupPC

Daniel J Walsh dwalsh at
Tue Sep 18 16:58:18 UTC 2007

Johan Cwiklinski wrote:
> Hi,
> I'm currently re-packaging BackupPC[1], a Perl backup software server.
> As BackupPC needs to use, for example, rsync or tar to back up itself,
> which causes SELinux denials. There is also a CGI interface to manage
> backups/restores and config.
> As I'm not at all an SELinux guru, I've used 'audit2allow' to create an
> SELinux policy module included in my specfile, but I don't know if this
> is the good way, and even if my policy module should cause issues...
> I'd like to have your advice related to SELinux integration in this RPM
> file. I'll put online the actual policy file[2], as I use it in the specfile[3].
> I'd also like opinions on the best way to include an SELinux policy for
> this software.
> Regards,
> Johan
> [1]
> [2]
> [3]

No, a lot of these rules are not good.  Could you attach the audit log you
used to create this?

You probably need a context for this

allow httpd_t etc_t:dir write;
and these
allow httpd_t usr_t:dir { write add_name };
allow httpd_t usr_t:file { write create };

Could be as simple as

chcon -t httpd_sys_content_rw_t PATHTODIR

I take it this is the socket file that BackupPC is creating.  I think
you need a policy for this, and then BackupPC could label it
appropriately and allow httpd to communicate with it.

allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_log_t:sock_file write;

Not sure what these are either.

allow httpd_t httpd_log_t:sock_file write;
allow httpd_t httpd_sys_content_t:sock_file write;
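
Added example, not part of the original message: a small Python check that parses the audit2allow-style rules quoted in the reply and flags those granting access on generic types, the cases where the reply suggests a label or a dedicated policy instead of an allow rule. The set of generic types and the names `GENERIC_TYPES`, `RISKY_PERMS`, `parse_rule` and `review` are assumptions of this example.

```python
import re

# Assumption of this example: labels treated as too generic to grant a
# confined domain access to; extend the map for your own policy.
GENERIC_TYPES = {
    "etc_t": "default label under /etc",
    "usr_t": "default label under /usr",
    "var_log_t": "default label under /var/log",
    "initrc_t": "domain of init-script services without their own policy",
}
# Permissions that modify the object or open a channel to it.
RISKY_PERMS = {"write", "create", "add_name", "connectto"}

RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# The rules quoted in the message above.
SAMPLE = """\
allow httpd_t etc_t:dir write;
allow httpd_t usr_t:dir { write add_name };
allow httpd_t usr_t:file { write create };
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_log_t:sock_file write;
allow httpd_t httpd_log_t:sock_file write;
allow httpd_t httpd_sys_content_t:sock_file write;
"""

def parse_rule(line):
    """Return (source, target, class, perms) for one allow rule, else None."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    source, target, tclass, perms = m.groups()
    return source, target, tclass, set(perms.strip("{} ").split())

def review(policy_text):
    """List (target, class, perms, reason) for rules hitting generic types."""
    findings = []
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        _source, target, tclass, perms = rule
        risky = sorted(perms & RISKY_PERMS)
        if target in GENERIC_TYPES and risky:
            findings.append((target, tclass, risky, GENERIC_TYPES[target]))
    return findings

if __name__ == "__main__":
    for target, tclass, perms, reason in review(SAMPLE):
        print(f"{target}:{tclass} {{ {' '.join(perms)} }} -> {reason}: "
              "label the object or write a policy for its owner")
```
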


More information about the fedora-devel-list mailing list