SELinux for BackupPC
Daniel J Walsh
dwalsh at redhat.com
Sat Sep 22 10:46:39 UTC 2007
Johan Cwiklinski wrote:
> Hello,
>
> First of all, thanks for your advice.
>
> It seems that I've not used the right approach for this policy module. I
> was using the following:
>
> grep http /var/log/audit/audit.log | audit2allow -M mybackuppc
>
> But this command also catches SELinux denies which are not relevant to BackupPC.
>
> So, I've restarted from scratch, and now use:
> audit2allow -m BackupPC -l -i /var/log/audit/audit.log > BackupPC.te
>
> Which only takes the latest entries.
>
> This way, I've removed some entries I did not understand (such as iso9660_t), which were not appropriate here.
>
>
> Daniel J Walsh wrote:
>> No, a lot of these rules are not good. Could you attach the audit log you
>> used to create this.
> These rules were built on two different machines (my laptop and the one
> where BackupPC is installed for backups).
> So as I've rebuilt my rules from scratch, the log file is available on
> my web server (see links below).
>> You probably need a context for this
>>
>> allow httpd_t etc_t:dir write;
>> and these
>> allow httpd_t usr_t:dir { write add_name };
>> allow httpd_t usr_t:file { write create };
>>
>> Could be as simple as
>>
>> chcon -t httpd_sys_content_rw_t PATHTODIR
> This one gives me an invalid argument... I've used
> "httpd_sys_script_rw_t" instead, am I right?
> Also, I was able to remove these three 'allow' entries from my .te and
> put only the context in .fc file.
Yes, sorry about that.
>> I take it this is the socket file that BackupPC is creating. I think
>> you need a policy for this, and then BackupPC could label it
>> appropriately and allow httpd to communicate with it.
>>
>> allow httpd_t initrc_t:unix_stream_socket connectto;
>> allow httpd_t var_log_t:sock_file write;
> Indeed, these ones are for the .sock file BackupPC creates at startup.
> I don't understand what exactly you mean by 'a policy for this'...
>> Not sure what these are either.
>>
>> allow httpd_t httpd_log_t:sock_file write;
>> allow httpd_t httpd_sys_content_t:sock_file write;
> It's only a mistake, I had first to put 'sock_file write' for the .sock
> file, and then I've changed its context. Doing this, the first rule
> becomes obsolete, and audit2allow gave me the second...
>
> New files are here:
> - audit.log : http://odysseus.x-tnd.be/fedora/backuppc/audit.log
> - .te file : http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.te
> - .fc file : http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.fc
> - old .te and .fc (from my preceding message) :
> http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.te.old
> - spec file : http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.spec
>
> All seems to work correctly with these rules, I wish I made no mistakes
> this time... :-)
>
> Regards,
> Johan
>
>
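Two points in the exchange above are easy to get wrong in practice: a bare `grep http` over audit.log pulls in denials that have nothing to do with BackupPC (anything whose target context happens to contain "http", or an unrelated read of a CD-ROM labelled iso9660_t), and write access by httpd_t to generic types such as etc_t or usr_t is better fixed by labelling the files than by an allow rule. The script below is an added example, not code from the thread or from the BackupPC project: it filters AVC records to one source domain and one process name, summarises the remaining denials per target type, class and permission, and marks the ones that call for a relabel rather than an allow rule. The audit records are constructed for the example; the `/etc/BackupPC` path in `build_module` is a placeholder, and that function is only meant for an SELinux host with checkmodule, semodule_package, semodule and restorecon installed.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials for one domain before
# handing them to audit2allow, and keep "relabel, don't allow" cases out of the
# module.

# Constructed sample audit records, not a real audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1190000000.001:101): avc:  denied  { write } for  pid=1234 comm="BackupPC_Admin" name="conf" dev=sda1 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1190000000.002:102): avc:  denied  { connectto } for  pid=1234 comm="BackupPC_Admin" path="/var/log/BackupPC/BackupPC.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1190000000.003:103): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev=sr0 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
type=AVC msg=audit(1190000000.004:104): avc:  denied  { getattr } for  pid=3333 comm="wget" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Keep only AVC denials whose source domain type is $1 (e.g. httpd_t) and whose
# comm= starts with $2 (e.g. BackupPC). A plain 'grep http' would also keep the
# iso9660_t read and the wget record above, which belong in some other module.
avc_for_domain() {
    awk -v dom="$1" -v prog="$2" '
        /^type=AVC/ {
            src = ""; cmd = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }
                if ($i ~ /^comm=/)     { cmd = substr($i, 7); sub(/"$/, "", cmd) }
            }
            if (src == dom && index(cmd, prog) == 1) print
        }'
}

# One line per unique (target type, class, permission). Write-type access to
# generic file types is flagged: as in the thread, that is normally fixed with
# chcon or a .fc entry, not with an allow rule in the .te file.
avc_summary() {
    awk '
        /^type=AVC/ {
            perm = ""; tgt = ""; cls = ""
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            key = tgt " " cls " " perm
            if (key in seen) next
            seen[key] = 1
            note = "allow-rule candidate, review it"
            if ((tgt == "etc_t" || tgt == "usr_t" || tgt == "var_t" || tgt == "var_log_t") &&
                perm ~ /write|create|add_name/)
                note = "relabel instead (e.g. chcon -t httpd_sys_script_rw_t)"
            print tgt, cls, perm, "->", note
        }'
}

# Number of records left for httpd_t / BackupPC in the constructed sample.
filtered_count() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain httpd_t BackupPC | wc -l | tr -d ' '
}

# Build and load the module once the reviewed .te and .fc files exist. Only for
# an SELinux host with the policy tools installed; /etc/BackupPC is a placeholder
# for the directory the .fc file labels. Not run by the sample below.
build_module() {
    checkmodule -M -m -o BackupPC.mod BackupPC.te &&
    semodule_package -o BackupPC.pp -m BackupPC.mod -f BackupPC.fc &&
    semodule -i BackupPC.pp &&
    restorecon -Rv /etc/BackupPC
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain httpd_t BackupPC | avc_summary
```

On a real system replace the `printf` of the sample with `cat /var/log/audit/audit.log` (or `ausearch -m avc` piped through the same filter), then feed the filtered records, not the whole log, to `audit2allow -m BackupPC`; the lines marked "relabel instead" become .fc entries rather than allow rules.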