Description of problem:
When I try to use the web interface to BackupPC, I get selinux violations.

Version-Release number of selected component (if applicable):
BackupPC is BackupPC-3.0.0-3.fc8, selinux-policy-targeted is 3.0.8-53.fc8

How reproducible:
every time

Steps to Reproduce:
1. Install BackupPC_Admin under /var/www/cgi-bin (I have it in /var/www/cgi-bin/BackupPC) and set up passwords, etc.
2. Go to it from a browser and login
3. selinux prevents access (but I can use the web interface if I set selinux to permissive)

Actual results:
sealert reports the following:

Summary
SELinux is preventing /usr/bin/sperl5.8.8 (httpd_sys_script_t) "setuid" to (httpd_sys_script_t).

Detailed Description
SELinux denied access requested by /usr/bin/sperl5.8.8. It is not expected that this access is required by /usr/bin/sperl5.8.8 and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:httpd_sys_script_t:s0
Target Context: system_u:system_r:httpd_sys_script_t:s0
Target Objects: None [ capability ]
Affected RPM Packages: perl-suidperl-5.8.8-31.fc8 [application]
Policy RPM: selinux-policy-3.0.8-47.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall
Host Name: g2
Platform: Linux g2 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count: 15
First Seen: Sun 11 Nov 2007 12:18:32 PM EST
Last Seen: Thu 15 Nov 2007 08:50:48 PM EST
Local ID: 3601b195-d0fb-4477-b969-c6f87a3a5fc9
Line Numbers:

Raw Audit Messages :
avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493 exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0 pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48 subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

Expected results:
should be able to use the web interface without having to set selinux to permissive.

Additional info:
As an aside, step 1:

1. Install BackupPC_Admin under /var/www/cgi-bin (I have it in /var/www/cgi-bin/BackupPC) and set up passwords, etc.

should really not need to be done manually, and surely should be done by the BackupPC package.
Indeed, these steps should not be done manually. Installing BackupPC from RPM avoids SELinux denials.

However, this is not a bug, but a simple SELinux misconfiguration on the user's part; see SELinux FAQs or SELinux module shipped with the package.
(In reply to comment #2)
> Indeed, these steps should not be done manually. Installing BackupPC from RPM
> avoids SELinux denials.
>
> However, this is not a bug, but a simple SELinux misconfiguration on the user's
> part; see SELinux FAQs or SELinux module shipped with the package.

Could you clarify this a bit for me? When I install the rpm, nothing gets installed into /var/www/cgi-bin, but /etc/BackupPC/config.pl has

$Conf{CgiURL} = 'http://localhost/cgi-bin/BackupPC_Admin'

so I assume it's necessary to copy /usr/share/BackupPC/sbin/BackupPC_Admin to /var/www/cgi-bin (or wherever CgiURL points to in the config.pl file). Is this not the case?

Moreover, the selinux policy file from the package (installed into /usr/share/selinux/packages/BackupPC/BackupPC.pp) seems to get loaded properly. At least, semodule -l shows "BackupPC 0.0.3".

Is it necessary for me to do something besides copy the BackupPC_Admin script to /var/www/cgi-bin and adjust the permissions (and edit config.pl for my hosts, etc.)? As I said in my bug report (or notabug report, I guess), I have BackupPC_Admin working if I set selinux to permissive.

The documentation that comes in the rpm says "The CGI interface should have been installed by the configure.pl script in __CGIDIR__/BackupPC_Admin. BackupPC_Admin should have been installed as setuid to the BackupPC user (__BACKUPPCUSER__), in addition to user and group execute permission." When I installed from the tarball, I had to run configure.pl, but this script doesn't even seem to be part of the rpm.

Since BackupPC_Admin isn't in the cgi-bin directory, I assumed I had to put it there. Is that incorrect? Should the "yum install BackupPC" have done that? If so, maybe there was a problem when I installed the package.

I don't understand much at all about the internals of selinux or the policy language. Or even how to see what the policy in BackupPC.pp really says in some human-readable form.

In the past (on FC6), I had installed BackupPC 3.0 from the tarball and I wasn't surprised to run into selinux difficulties. But I thought installing from the rpm would eliminate those, and I guess it should have. But I don't know what I did wrong in configuring things. If I've just missed some piece of the documentation that says what I should have done, please point me to that.

Thanks.
Hi,

(In reply to comment #3)
> Could you clarify this a bit for me? When I install the rpm, nothing gets
> installed into /var/www/cgi-bin, but /etc/BackupPC/config.pl has
>
> $Conf{CgiURL} = 'http://localhost/cgi-bin/BackupPC_Admin'

I should change it to 'http://localhost/BackupPC' for the next release, since this is the correct URL. My bad.

> so I assume it's necessary to copy /usr/share/BackupPC/sbin/BackupPC_Admin to
> /var/www/cgi-bin (or wherever CgiURL points to in the config.pl file). Is this
> not the case?

It is not. There is a ScriptAlias in the conf file located at /etc/httpd/conf.d/BackupPC.conf, take a look at it ;)

> Moreover, the selinux policy file from the package (installed into
> /usr/share/selinux/packages/BackupPC/BackupPC.pp) seems to get loaded properly.

It is, I've tested on f7 and f8 successfully.

> The documentation that comes in the rpm says "The CGI
> interface should have been installed by the configure.pl script in
> __CGIDIR__/BackupPC_Admin. BackupPC_Admin should have been installed as setuid
> to the BackupPC user (__BACKUPPCUSER__), in addition to user and group execute
> permission."

These paths are the defaults for a 'manual' installation; paths in the package are a bit different, since the CGI interface is installed in /usr/share/BackupPC/sbin/BackupPC_Admin and aliased in the httpd's .conf file.

That's why you experience SELinux denials... The policy is set for /usr/share/BackupPC, not for /var/www/cgi-bin.

To have BackupPC fully functional from the web interface, you just need to install the RPM and then create at least one user in the '/etc/BackupPC/apache.users' htpasswd file, and that's all.

I should add a Fedora.readme file in the next release, but won't make a package update only for this.

Hope that helps, feel free to contact me by mail if you have further questions.

Regards,
Johan
So does it need setuid or not?

I threw together some selinux policy files for BackupPC even though I have never used it.
Created attachment 264781: te file
Created attachment 264791: fc file
Created attachment 264801: if file
Created attachment 264811: shell script to install and label
Now that I understand how the package is supposed to be used, it seems to work fine. I was misled by the difference between the documentation installed by the package (which Johan says is to apply only to a "manual" installation) and the way the package does things, as well as by the line in the installed config.pl that matched the documentation.

My setup seems to be ok now. (But even if I had never installed BackupPC manually before, I don't know if I would have figured out how to make the package version work, since several things differ from the installation described in the documentation - the Fedora.readme Johan mentions for the next release would be a big help.)

Thanks.
George