Bug 1791369

Summary: selinux-policy of BackupPC needs update
Product: [Fedora] Fedora Reporter: Fritz Elfert <fritz>
Component: BackupPCAssignee: Richard Shaw <hobbes1069>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 31CC: hobbes1069, kevin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: BackupPC-4.3.2-1.fc31 BackupPC-4.3.2-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-27 17:29:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch which fixes the bug none

Description Fritz Elfert 2020-01-15 16:33:03 UTC
Description of problem:
selinux policy prevents BackupPC's GUI from working.


Version-Release number of selected component (if applicable):
4.3.1-3

How reproducible:
always

Steps to Reproduce:
1. Visit the BackupPC GUI and click on "Host Summary"
2.
3.

Actual results:
The following error is shown (reduced to the relevant lines):
This CGI script (/BackupPC) is unable to connect to the BackupPC server on localhost port -1.
The error was: unix connect to /var/run/BackupPC/BackupPC.sock: Permission denied.


Expected results:
The host summary page is shown


Additional info:
There is already an entry in selinux/BackupPC.te which handled this in the past, however the server process now appears to run with a different context:

ps axZ | grep BackupPC
system_u:system_r:unconfined_service_t:s0 8947 ? Ss     0:00 /usr/bin/perl /usr/share/BackupPC/bin/BackupPC

Previusly, it ran in initrc_t context.
So basically, just replace all occurences of "initrc_t" by "unconfined_service_t " in selinux/BackupPC.te and it will work again.
I did NOT test it on Fedora 30!

Comment 1 Richard Shaw 2020-01-15 16:36:54 UTC
Let me see if I can reproduce on a clean install in a VM. I try to be very careful with changes to the selinux stuff. I don't fully understand it :)

Comment 2 Fritz Elfert 2020-01-15 17:21:38 UTC
BTW: I *did* test it on a freshly installed F31-VM :-)

Oh and while testing install in that VM, I got the following (which I overlooked previously):

/usr/lib/tmpfiles.d/BackupPC.conf:1: Line references path below legacy directory /var/run/, updating /var/run/BackupPC → /run/BackupPC; please update the tmpfiles.d/ drop-in file accordingly.

So: That should be updated as well :-)

Comment 3 Fritz Elfert 2020-01-15 17:26:20 UTC
Created attachment 1652515 [details]
Patch which fixes the bug

Comment 4 Richard Shaw 2020-01-23 15:25:31 UTC
I haven't forgotten about this but haven't had time to look into it either. Since I have maintained BackupPC I have not needed a different SELinux policy between Fedora releases (or CentOS) and I would rather not have release specific settings.

Comment 5 Richard Shaw 2020-02-18 21:46:39 UTC
I finally got around to testing the changes on my CentOS 7 box and everything looks OK so I'm going to do official builds. Hopefully nothing breaks :)

Comment 6 Fedora Update System 2020-02-19 03:08:30 UTC
FEDORA-2020-18c7d01dcf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-18c7d01dcf

Comment 7 Fedora Update System 2020-02-20 05:11:47 UTC
BackupPC-4.3.2-1.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-7536856c92

Comment 8 Fedora Update System 2020-02-20 05:44:56 UTC
BackupPC-4.3.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-18c7d01dcf

Comment 9 Fedora Update System 2020-02-27 17:29:25 UTC
BackupPC-4.3.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-03-06 01:11:50 UTC
BackupPC-4.3.2-1.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.