Bug 473523

Summary: selinux breaks backuppc, Now in FC10
Product: [Fedora] Fedora
Reporter: matthew
Component: BackupPC
Assignee: Johan Cwiklinski <fedora>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: fedora
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-29 08:56:33 UTC

Description matthew 2008-11-29 03:23:21 UTC
Description of problem:

This is possibly an issue that was resolved in the current FC9 with all updates -- I have an FC9 server running backuppc from RPM and SELINUX enforcing that works fine.

In FC10 however selinux causes the web management interface to fail.  But attempting to run audit2allow, the problem does not resolve.  I can access the interface when I have set selinux to PERMISSIVE.  Then I get the following messages in /var/log/audit/audit.log

type=AVC msg=audit(1227925707.965:93): avc:  denied  { unlink } for  pid=2739 comm="perl5.10.0" name="hosts.old" dev=dm-0 ino=6856802 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1227925707.965:93): arch=40000003 syscall=10 success=yes exit=0 a0=9813664 a1=97457a0 a2=39f74c a3=9813664 items=0 ppid=2557 pid=2739 auid=0 uid=48 gid=48 euid=494 suid=494 fsuid=494 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):

BackupPC-3.1.0-3.fc10.noarch

How reproducible:

I installed BackupPC during a clean installation of FC10, 
I did the bare configuration to get service running:  

Use htpasswd to add an admin user to /etc/BackupPC/apache.users.  

Add the same user to the variable defining an admin user in 
/etc/BackupPC/config.pl file 
  $Conf{CgiAdminUsers} = 'administrator';

Change the allow directive in /etc/httpd/conf.d/BackupPC.conf to permit access to the web interface from the LAN.

Restart httpd and backuppc

Steps to Reproduce:
1.  The above steps are sufficient to access the web management if SELINUX is in permissive mode.

2.  audit2allow corrects an apparent issue with http access to the directory but continues to interfere with perl if I understand the audit.log message.

#audit2allow -a

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:file { write rename create };
allow httpd_t var_log_t:sock_file write;
  
Actual results:

After logon to the web interface, a message appears:
"Error, Unable to connect to BackupPC server."

Expected results:
After logon to the web interface, I would be able to edit the configuration and monitor backups.

Additional info:

Thank you.

Comment 1 Johan Cwiklinski 2008-11-29 08:35:31 UTC
I cannot reproduce the issue here.

I've installed BackupPC on a fresh F10 install, just added an admin user for the web interface and all goes well; I'm able to access the web interface, add hosts, ...

Did you try to 'restorecon -R -v /etc/BackupPC' ? You should also try 'restorecon -R -v /var/log/BackupPC'.

Comment 2 matthew 2008-11-29 08:56:33 UTC
Ah.  I had run the first, but not the second command during my troubleshooting.

I am embarrassed to say that 'restorecon -R -v /var/log/BackupPC' did the trick, which means that is not a bug so much as it is tech support.  Although I do wonder how I broke it on a fresh install.

Thank you very much for your assistance.  

I'll try to find some real bugs now :-)
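
An added example (not part of the original report and not BackupPC or Fedora code): a Python triage of AVC denials like the one quoted in the description. It groups them into the rule audit2allow would emit and flags targets that carry a generic type, where checking labels with restorecon, the fix from Comment 1, should come before adding policy. The second log record, the GENERIC_TYPES set and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Record 1 is the AVC line quoted in the bug description. Record 2 is constructed
# to match the var_log_t rule in the audit2allow output (its name/ino are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1227925707.965:93): avc:  denied  { unlink } for  pid=2739 comm="perl5.10.0" name="hosts.old" dev=dm-0 ino=6856802 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1227925708.100:94): avc:  denied  { write } for  pid=2739 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=6856900 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1227925707.965:93): arch=40000003 syscall=10 success=yes exit=0
"""

# Assumption: generic types that an application's own files should not normally
# carry; a denial against one of them hints at a missing or wrong label.
GENERIC_TYPES = {"var_log_t", "httpd_sys_content_t"}
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(m.group(2))) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "name": fields.get("name", "?").strip('"'),
        # A context is user:role:type[:level]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def triage(log, generic_types=GENERIC_TYPES):
    """Group denials into audit2allow-style rules and flag likely mislabels."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for denial in filter(None, map(parse_avc, log.splitlines())):
        key = (denial["source"], denial["target"], denial["tclass"])
        groups[key]["perms"].update(denial["perms"])
        groups[key]["names"].add(denial["name"])
    findings = []
    for (source, target, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        findings.append({
            "rule": f"allow {source} {target}:{tclass} {perm_text};",
            "names": sorted(g["names"]),
            "check_labels_first": target in generic_types,
        })
    return findings
```

Calling `triage(SAMPLE_LOG)` reproduces the `var_log_t:sock_file` rule from the audit2allow output above and marks it for a label check, for instance a `restorecon -n -R -v` dry run on the directory concerned, before any policy module is loaded.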