Bug 758629 - BackupPC SELinux policy can't be loaded
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: BackupPC
Version: el5
Hardware: Unspecified
OS: Unspecified
Assignee: Richard Shaw
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-11-30 09:47 UTC by Daniel B
Modified: 2017-04-05 12:37 UTC

Doc Type: Bug Fix
Last Closed: 2017-04-05 12:37:22 UTC

Description Daniel B 2011-11-30 09:47:59 UTC
Description of problem:
After installing BackupPC, the web interface cannot connect to the daemon socket if SELinux is enabled. The error is:

unix connect: Connection refused.

/var/log/audit/audit.log shows:

type=AVC msg=audit(1322646248.364:40626): avc:  denied  { write } for  pid=22020 comm="BackupPC_Admin." name="BackupPC.sock" dev=dm-2 ino=975403 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1322646248.364:40626): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=16404c10 a2=6e a3=0 items=0 ppid=21824 pid=22020 auid=500 uid=48 gid=48 euid=109 suid=109 fsuid=109 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="BackupPC_Admin." exe="/usr/bin/perl" subj=user_u:system_r:httpd_t:s0 key=(null)

In fact, the policy module is not loaded:

[root@backup ~]# semodule -l | grep -i backuppc
[root@backup ~]# 

If I try to manually load the module:

[root@backup ~]# semodule -i /usr/share/selinux/packages/BackupPC/BackupPC.pp 
libsepol.permission_copy_callback: Module BackupPC depends on permission open in class file, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
[root@backup ~]# 


Version-Release number of selected component (if applicable):
CentOS 5.7 x86_64
BackupPC 3.2.1-6

How reproducible:
Always

Steps to Reproduce:
1. Install BackupPC on a CentOS 5.7 box with SELinux in enforced mode
2. Try to access the web interface
3. Try to manually load the policy module
  
Actual results:
As the policy module can't be loaded, SELinux prevents the web interface from connecting to the daemon socket

Expected results:
The policy module should be loaded, and the web interface should be able to connect to the daemon socket

Additional info:

Comment 1 Bernard Johnson 2012-01-23 00:26:42 UTC
Can you run this message through audit2allow on your system and tell me what the output is?

Comment 2 Daniel B 2012-01-23 16:12:21 UTC
Here's the output just after trying to access the interface:


[root@backup ~]# tail -50 /var/log/audit/audit.log | audit2allow 


#============= httpd_t ==============
allow httpd_t var_run_t:sock_file write;
[root@backup ~]# 


The problem here is that the custom policy module cannot be loaded.
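
As an added example (not part of the bug report or of BackupPC's packaging), this Python script pairs the AVC and SYSCALL records from the description by their shared audit event ID and derives the same rule that audit2allow printed above. The function names and lookup tables are assumptions of this example; the tables cover only the values in these records (on x86_64, syscall 42 is connect and exit -13 is EACCES).

```python
import re

# Constructed sample: the two audit records quoted in the bug description,
# trimmed to the fields this example reads.
SAMPLE = """\
type=AVC msg=audit(1322646248.364:40626): avc:  denied  { write } for  pid=22020 comm="BackupPC_Admin." name="BackupPC.sock" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1322646248.364:40626): arch=c000003e syscall=42 success=no exit=-13 comm="BackupPC_Admin." exe="/usr/bin/perl"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
# Small lookup tables covering only the values in the sample (x86_64 ABI).
SYSCALLS_X86_64 = {42: "connect"}
ERRNOS = {13: "EACCES"}


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def triage(log_text):
    """Group records by audit event ID and summarise each AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rec_type, event_id = m.groups()
        ev = events.setdefault(event_id, {})
        if rec_type == "AVC" and (a := AVC.search(line)):
            perms, scon, tcon, tclass = a.groups()
            perms = perms.split()
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            ev["rule"] = f"allow {type_of(scon)} {type_of(tcon)}:{tclass} {perm_str};"
        elif rec_type == "SYSCALL":
            nr = int(re.search(r"syscall=(\d+)", line).group(1))
            rc = int(re.search(r"exit=(-?\d+)", line).group(1))
            ev["syscall"] = SYSCALLS_X86_64.get(nr, str(nr))
            ev["errno"] = ERRNOS.get(-rc, str(rc)) if rc < 0 else None
    return {eid: ev for eid, ev in events.items() if "rule" in ev}


if __name__ == "__main__":
    for event_id, ev in triage(SAMPLE).items():
        print(event_id, ev)
```

The derived rule would let httpd_t write to any socket file labelled var_run_t, not only BackupPC.sock.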

Comment 3 Richard Shaw 2017-04-05 12:37:22 UTC
If you can reproduce the problem with the current 3.X release, let me know, but at this point I'm only supporting EL 6 and above on 3.X, and 4.X on EL 6 & 7 through COPR, since some setup is required after upgrade.

