Bug 758629

Summary: BackupPC SELinux policy can't be loaded
Product: [Fedora] Fedora EPEL
Component: BackupPC
Version: el5
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Daniel B <dani-rh>
Assignee: Richard Shaw <hobbes1069>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bjohnson, hobbes1069
Doc Type: Bug Fix
Last Closed: 2017-04-05 12:37:22 UTC

Description Daniel B 2011-11-30 09:47:59 UTC
Description of problem:
After installing BackupPC, the web interface cannot connect to the daemon socket if SELinux is enabled. The error is:

unix connect: Connection refused.

/var/log/audit/audit.log shows:

type=AVC msg=audit(1322646248.364:40626): avc:  denied  { write } for  pid=22020 comm="BackupPC_Admin." name="BackupPC.sock" dev=dm-2 ino=975403 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1322646248.364:40626): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=16404c10 a2=6e a3=0 items=0 ppid=21824 pid=22020 auid=500 uid=48 gid=48 euid=109 suid=109 fsuid=109 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=user_u:system_r:httpd_t:s0 key=(null)

In fact, the policy module is not loaded:

[root@backup ~]# semodule -l | grep -i backuppc
[root@backup ~]# 

If I try to manually load the module:

[root@backup ~]# semodule -i /usr/share/selinux/packages/BackupPC/BackupPC.pp 
libsepol.permission_copy_callback: Module BackupPC depends on permission open in class file, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
[root@backup ~]# 


Version-Release number of selected component (if applicable):
CentOS 5.7 x86_64
BackupPC 3.2.1-6

How reproducible:
Always

Steps to Reproduce:
1. Install BackupPC on a CentOS 5.7 box with SELinux in enforced mode
2. Try to access the web interface
3. Try to manually load the policy module
  
Actual results:
As the policy module can't be loaded, SELinux prevents the web interface from connecting to the daemon socket

Expected results:
The policy module should be loaded, and the web interface should be able to connect to the daemon socket

Additional info:

Comment 1 Bernard Johnson 2012-01-23 00:26:42 UTC
Can you run this message through audit2allow on your system and tell me what the output is?

Comment 2 Daniel B 2012-01-23 16:12:21 UTC
Here's the output just after trying to access the interface:


[root@backup ~]# tail -50 /var/log/audit/audit.log | audit2allow 


#============= httpd_t ==============
allow httpd_t var_run_t:sock_file write;
[root@backup ~]# 


The problem here is that the custom policy module cannot be loaded.
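
The audit2allow step from comments 1 and 2, as an added example that is not part of the original thread or of audit2allow itself: a small Python parser that groups audit records by event id and derives the same allow rule from the AVC line in the description. The function names are hypothetical; the sample input is the two audit.log records quoted in the report.

```python
import re
from collections import defaultdict

# Sample input: the AVC record and its SYSCALL record as quoted in the report.
SAMPLE = '''type=AVC msg=audit(1322646248.364:40626): avc:  denied  { write } for  pid=22020 comm="BackupPC_Admin." name="BackupPC.sock" dev=dm-2 ino=975403 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1322646248.364:40626): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=16404c10 a2=6e a3=0 items=0 ppid=21824 pid=22020 auid=500 uid=48 gid=48 euid=109 suid=109 fsuid=109 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=user_u:system_r:httpd_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            fields['perms'] = p.group(1).split() if p else []
        events[event_id][rtype] = fields
    return dict(events)

def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(':')[2]

def allow_rules(events):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for records in events.values():
        avc = records.get('AVC')
        if avc and avc['perms']:
            key = (selinux_type(avc['scontext']), selinux_type(avc['tcontext']), avc['tclass'])
            merged[key].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(parse_events(SAMPLE))))
```

Grouping by event id also ties the denial to its SYSCALL record, so the failing process (exe, exit code) is available next to the derived rule.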

Comment 3 Richard Shaw 2017-04-05 12:37:22 UTC
If you can reproduce the problem with the current 3.X release, let me know, but at this point I'm only supporting EL 6 and above on 3.X and 4.X on EL 6 & 7 through COPR, since some setup is required after upgrade.