Bug 473523 - selinux breaks backuppc, Now in FC10
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: BackupPC
Version: 10
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Johan Cwiklinski
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-29 03:23 UTC by matthew
Modified: 2008-11-29 08:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-29 08:56:33 UTC
Type: ---
Embargoed:



Description matthew 2008-11-29 03:23:21 UTC
Description of problem:

This is possibly an issue that was resolved in the current FC9 with all updates -- I have an FC9 server running backuppc from RPM and SELINUX enforcing that works fine.

In FC10 however selinux causes the web management interface to fail.  But attempting to run audit2allow, the problem does not resolve.  I can access the interface when I have set selinux to PERMISSIVE.  Then I get the following messages in /var/log/audit/audit.log

type=AVC msg=audit(1227925707.965:93): avc:  denied  { unlink } for  pid=2739 comm="perl5.10.0" name="hosts.old" dev=dm-0 ino=6856802 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1227925707.965:93): arch=40000003 syscall=10 success=yes exit=0 a0=9813664 a1=97457a0 a2=39f74c a3=9813664 items=0 ppid=2557 pid=2739 auid=0 uid=48 gid=48 euid=494 suid=494 fsuid=494 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):

BackupPC-3.1.0-3.fc10.noarch

How reproducible:

I installed BackupPC during a clean installation of FC10, 
I did the bare configuration to get service running:  

Use htpasswd to add an admin user to /etc/BackupPC/apache.users.  

Add the same user to the variable defining an admin user in 
/etc/BackupPC/config.pl file 
  $Conf{CgiAdminUsers} = 'administrator';

Change the allow directive in /etc/httpd/conf.d/BackupPC.conf to permit access to the web interface from the LAN.

Restart httpd and backuppc

Steps to Reproduce:
1.  The above steps are sufficient to access the web management if SELINUX is in permissive mode.

2.  audit2allow corrects an apparent issue with http access to the directory but continues to interfere with perl if I understand the audit.log message.

#audit2allow -a

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:file { write rename create };
allow httpd_t var_log_t:sock_file write;
  
Actual results:

after logon to the web interface, a message appears:
"Error, Unable to connect to BackupPC server."

Expected results:
after logon to the web interface, I would be able to edit the configuration and monitor backups.

Additional info:

Thank you.

Comment 1 Johan Cwiklinski 2008-11-29 08:35:31 UTC
I cannot reproduce the issue here.

I've installed BackupPC on a fresh F10 install, just added an admin user for the web interface and all goes well; I'm able to access the web interface, add hosts, ...

Did you try to 'restorecon -R -v /etc/BackupPC' ? You should also try 'restorecon -R -v /var/log/BackupPC'.

Comment 2 matthew 2008-11-29 08:56:33 UTC
Ah.  I had run the first, but not the second command during my troubleshooting.

I am embarrassed to say that 'restorecon -R -v /var/log/BackupPC' did the trick, which means that is not a bug so much as it is tech support.  Although I do wonder how I broke it on a fresh install.

Thank you very much for your assistance.  

I'll try to find some real bugs now :-)
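
The thread ends with a relabel (restorecon) fixing what audit2allow would have papered over with new allow rules. As an added example (not part of the bug report or of BackupPC), this Python script parses AVC records like the one quoted in the description and flags denials whose target type is a generic directory type, where checking labels is worth doing before writing policy. The GENERIC_TYPES set and the second sample record are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the AVC record quoted in the report. Line 2 is CONSTRUCTED to match
# the var_log_t:sock_file rule audit2allow printed (timestamp, pid, inode and
# name are made up). Line 3 is a truncated non-AVC record.
SAMPLE_LOG = '''\
type=AVC msg=audit(1227925707.965:93): avc:  denied  { unlink } for  pid=2739 comm="perl5.10.0" name="hosts.old" dev=dm-0 ino=6856802 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1227925708.100:94): avc:  denied  { write } for  pid=2740 comm="perl5.10.0" name="example.sock" dev=dm-0 ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1227925707.965:93): arch=40000003 syscall=10 success=yes exit=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')

# Assumption for this example: a target carrying one of these generic types
# may simply have inherited its parent directory's label.
GENERIC_TYPES = {"var_log_t", "var_t", "etc_t", "default_t", "file_t"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "name": fields.get("name", "").strip('"'),
        # An SELinux context is user:role:type:level; the type is field 3.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def triage(log_text):
    """Group denials by (source, target, class) and mark relabel candidates."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return [(src, tgt, cls, sorted(perms), tgt in GENERIC_TYPES)
            for (src, tgt, cls), perms in sorted(groups.items())]

if __name__ == "__main__":
    for src, tgt, cls, perms, relabel_first in triage(SAMPLE_LOG):
        hint = "try restorecon -R -v on the path first" if relabel_first else "review"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}  [{hint}]")
```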

