SELinux for BackupPC

Daniel J Walsh dwalsh at redhat.com
Tue Sep 18 16:58:18 UTC 2007



Johan Cwiklinski wrote:
> Hi,
> 
> I'm currently re-packaging BackupPC[1], a Perl backup server.
> 
> BackupPC needs to use, for example, rsync or tar to do its backups,
> which causes SELinux denials. There is also a CGI interface to manage
> backups/restores and config.
> 
> As I'm not at all an SELinux guru, I've used 'audit2allow' to create an
> SELinux policy module included in my specfile, but I don't know if this
> is the right way, or whether my policy module might cause issues...
> 
> I'd like to have your advice on SELinux integration in this RPM
> file. I'll put online the actual policy file[2], as I use it in the specfile[3].
> I'd also like opinions on the best way to include an SELinux policy for
> this software.
> 
> Regards,
> Johan
> 
> [1] http://backuppc.sourceforge.net
> [2] http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.te
> [3] http://odysseus.x-tnd.be/fedora/backuppc/BackupPC.spec
> 
> 
No, a lot of these rules are not good.  Could you attach the audit log you
used to create this?

You probably need a context for this

allow httpd_t etc_t:dir write;
and these
allow httpd_t usr_t:dir { write add_name };
allow httpd_t usr_t:file { write create };

Could be as simple as

chcon -t httpd_sys_content_rw_t PATHTODIR

I take it this is the socket file that BackupPC is creating.  I think
you need a policy for this, and then BackupPC could label it
appropriately and allow httpd to communicate with it.

allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_log_t:sock_file write;


Not sure what these are either.

allow httpd_t httpd_log_t:sock_file write;
allow httpd_t httpd_sys_content_t:sock_file write;
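The reply above is about reading the audit log behind each audit2allow rule and deciding whether the answer is a label or a real policy rather than an allow rule. The following is an added example, not code from the thread, BackupPC or audit2allow: it parses AVC denials and sorts them the way the reply does (generic types like etc_t/usr_t under httpd_t -> relabel; socket traffic from httpd_t -> the daemon needs its own policy). It generalizes the reply's socket advice to any sock_file/unix_stream_socket denial, and the AVC lines are constructed to mirror the quoted rules, not Johan's real log.

```python
import re
from typing import Dict, List

# Constructed AVC lines modelled on the allow rules quoted in the thread
# (NOT Johan's real audit log); pids, names and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190130000.1:41): avc:  denied  { write } for  pid=2001 comm="BackupPC_Admin" name="BackupPC" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1190130000.2:42): avc:  denied  { write add_name } for  pid=2001 comm="BackupPC_Admin" name="log" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1190130000.3:43): avc:  denied  { connectto } for  pid=2001 comm="BackupPC_Admin" path="/var/log/BackupPC/BackupPC.sock" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Base filesystem types: letting httpd_t write to these is over-broad; the fix
# is to label BackupPC's own directories httpd_sys_content_rw_t instead.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "var_log_t"}
FILE_CLASSES = {"dir", "file", "lnk_file"}
SOCKET_CLASSES = {"sock_file", "unix_stream_socket"}

def sel_type(ctx: str) -> str:
    """user:role:type:level -> type component."""
    return ctx.split(":")[2]

def advise(perms: List[str], stype: str, ttype: str, tclass: str) -> Dict[str, str]:
    rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
    if stype == "httpd_t" and tclass in SOCKET_CLASSES:
        return {"rule": rule, "action": "new-domain",
                "fix": "BackupPC daemon needs its own domain so it labels its socket; "
                       "then allow httpd_t to connect to that type, not initrc_t"}
    if stype == "httpd_t" and tclass in FILE_CLASSES and ttype in GENERIC_TYPES:
        return {"rule": rule, "action": "relabel",
                "fix": "chcon -t httpd_sys_content_rw_t <BackupPC dir>  "
                       "(semanage fcontext + restorecon to make it persistent)"}
    return {"rule": rule, "action": "review", "fix": "inspect before allowing"}

def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return one advice record per AVC denial found in log_text."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append(advise(m.group("perms").split(), sel_type(m.group("sctx")),
                          sel_type(m.group("tctx")), m.group("tclass")))
    return out

if __name__ == "__main__":
    for r in analyze(SAMPLE_AUDIT_LOG):
        print(f"{r['action']:<10} {r['rule']}\n           {r['fix']}")
```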




More information about the fedora-devel-list mailing list