SELinux vs BackupPC web interface
John Summerfield
debian at herakles.homelinux.org
Fri Nov 16 03:49:55 UTC 2007
George Avrunin wrote:
> I have BackupPC-3.0.0-3.fc8 installed on a fully updated Fedora 8
> machine (clean install, not an upgrade). I have put the BackupPC_Admin
> script (the web interface) in /var/www/cgi-bin/BackupPC/, which is
> where I had it in a non-rpm installation under FC 6, which is what I
> had on this machine before F8.
>
> By fiddling with booleans, I had gotten the web interface to run fine under
> FC6. But now I have to set selinux to permissive to use the web
> interface. I get the following sort of thing in sealert:
>
> Summary
> SELinux is preventing /usr/bin/sperl5.8.8 (httpd_sys_script_t)
> "setuid" to (httpd_sys_script_t).
>
> Detailed Description
> SELinux denied access requested by /usr/bin/sperl5.8.8. It is not
> expected that this access is required by /usr/bin/sperl5.8.8 and this
> access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see FAQ
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report against this
> package.
>
> Additional Information
>
> Source Context: system_u:system_r:httpd_sys_script_t:s0
> Target Context: system_u:system_r:httpd_sys_script_t:s0
> Target Objects: None [ capability ]
> Affected RPM Packages: perl-suidperl-5.8.8-31.fc8 [application]
> Policy RPM: selinux-policy-3.0.8-47.fc8
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: plugins.catchall
> Host Name: g2
> Platform: Linux g2 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007
> i686 i686
> Alert Count: 15
> First Seen: Sun 11 Nov 2007 12:18:32 PM EST
> Last Seen: Thu 15 Nov 2007 08:50:48 PM EST
> Local ID: 3601b195-d0fb-4477-b969-c6f87a3a5fc9
> Line Numbers:
>
> Raw Audit Messages :
>
> avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493
> exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0
> pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
>
> For now, I'm working around it by setting selinux to permissive while
> I use the web interface, and then setting it back to enforcing. But
> I'd rather sort out why it's not working--I've probably missed some
> obvious configuration setting. I would be grateful for any
> suggestions for straightening this out.
>
> Thanks,
>
> George
>
I take it the script begins
#!/usr/bin/sperl
Change it to
#!/usr/bin/perl
and see what you see.
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
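
The raw audit message quoted above can be read field by field before anyone decides between a policy change and a script change. The following is an added example, not part of the original thread: a small Python parser that accepts the AVC record as pasted (wrapped and `>`-quoted) and reports the denied permission, the domain, and whether real and effective uid differ. The names `parse_avc` and `triage` are hypothetical, and the sample record is the one from the post re-joined onto one line.

```python
import re

# AVC record from the quoted sealert output, re-joined onto one line.
SAMPLE_AVC = (
    "avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493 "
    "exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0 "
    "pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48 "
    "subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability "
    "tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(text):
    """Parse one AVC record, tolerating mail quoting and line wrapping."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    m = AVC_RE.search(flat)
    if m is None:
        raise ValueError("no AVC record found")
    pairs = (kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "fields": fields,
        # SELinux contexts are user:role:type:level; the type is the domain.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def triage(rec):
    """Return short findings to review before touching policy."""
    f, notes = rec["fields"], []
    if rec["tclass"] == "capability" and rec["source_type"] == rec["target_type"]:
        notes.append("domain %s asked for capability %s on itself (exe %s)"
                     % (rec["source_type"], ",".join(rec["perms"]), f.get("exe")))
    if f.get("uid") != f.get("euid"):
        notes.append("real uid %s differs from effective uid %s"
                     % (f.get("uid"), f.get("euid")))
    return notes


if __name__ == "__main__":
    for note in triage(parse_avc(SAMPLE_AVC)):
        print(note)
```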