Our setup is a little different than yours, but this is the SELinux module I
deploy to my BackupPC server with these steps:
semodule -r backuppc                                        # remove any previously loaded copy of the module
checkmodule -M -m -o /tmp/backuppc.mod /tmp/backuppc.te     # compile the policy source
semodule_package -o /tmp/backuppc.pp -m /tmp/backuppc.mod   # package it
semodule -i /tmp/backuppc.pp                                # load it into the running policy
We also set these SELinux Booleans:
setsebool httpd_read_user_content 1   # without -P these do not persist across reboots
setsebool httpd_use_nfs 1             # our data store is on NFS
Contents of /tmp/backuppc.te:
module backuppc 1.0;

require {
	type etc_t;
	type var_log_t;
	type net_conf_t;
	type user_tmp_t;
	type httpd_sys_script_t;
	class file { write rename read create unlink open };
	class dir { search read write getattr remove_name open add_name };
}

#============= httpd_sys_script_t ==============
# read, write, and create/remove entries in etc_t directories and files
allow httpd_sys_script_t etc_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t etc_t:file { write rename create unlink };
# read-only access to var_log_t
allow httpd_sys_script_t var_log_t:dir read;
allow httpd_sys_script_t var_log_t:file { read open };
# full read/write on net_conf_t files (e.g. resolver configuration)
allow httpd_sys_script_t net_conf_t:file { read write open rename create unlink };
# read, write, and create/remove entries in user_tmp_t directories and files
allow httpd_sys_script_t user_tmp_t:dir { write search read open getattr add_name remove_name };
allow httpd_sys_script_t user_tmp_t:file { write rename create unlink };
> On Aug 28, 2019, at 09:45, Jamie Burchell <[email protected]> wrote:
>
> Hi
>
> I’m having trouble with SELinux reporting:
>
> avc: denied { write } for pid=15496 comm="BackupPC_Admin" name="LOCK"
> dev="sda1" ino=201443561 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
>
> The issue (and supposed answer) is mentioned here:
>
> https://lists.fedoraproject.org/pipermail/selinux/2013-March/015287.html
>
> I have replaced /var/lib/BackupPC with a symlink to
> /mnt/volume_lon1_01_part1/BackupPC
>
> As far as I can tell, the default context for /var/lib/BackupPC is
> “system_u:object_r:var_lib_t:s0” and this is what I have set on
> “/mnt/volume_lon1_01_part1/BackupPC”.
>
> So the context appears to be correct, and I’ve run restorecon -R
> /var/lib/BackupPC but the messages still persist.
>
> Anybody know how to fix this?
>
> I should mention that everything appears to be working fine.
>
> Thanks,
> Jamie
> _______________________________________________
> BackupPC-users mailing list
> [email protected]
> List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki: http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
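The reply above builds its module by hand with checkmodule and semodule_package. What follows is an added example, not code from the thread or from the BackupPC project, covering the step before that: turning AVC denial lines of the kind Jamie quoted into the require/allow structure of a .te file, and flagging rules that hand a web-facing domain write access to system configuration types. That last check is the one I would want before loading the posted module, which grants httpd_sys_script_t write, create and unlink on etc_t and net_conf_t, a wider grant than a LOCK file under /var/lib needs. The sample log lines are constructed, the module name backuppc_local and the RISKY_TARGETS list are my own choices, and the script handles only the single-line "avc: denied" format; on a real host audit2allow -M does this and more, and restorecon or a file-context rule for the relocated pool is usually the better fix than a new allow rule.

```python
"""Turn SELinux AVC denials into a minimal policy module source (.te) and
flag broad grants before it is compiled with checkmodule/semodule_package.
Stand-alone illustration; it does not replace audit2allow or the reference
policy, and it only handles the single-line 'avc: denied' format shown here."""
import re

# Constructed sample denials in the shape of the one reported in the thread.
# They are not captured from a real host.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1567000000.123:456): avc:  denied  { write } for  pid=15496 '
    'comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=201443561 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1567000000.124:457): avc:  denied  { write } for  pid=15497 '
    'comm="BackupPC_Admin" name="hosts" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=dir permissive=0',
    'type=AVC msg=audit(1567000000.125:458): avc:  denied  { add_name } for  pid=15497 '
    'comm="BackupPC_Admin" name="hosts" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=dir permissive=0',
    # a SYSCALL record, not an AVC record: must be ignored
    'type=SYSCALL msg=audit(1567000000.125:458): arch=c000003e syscall=2 success=no',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines.
    The type is the third colon-separated field of a context (user:role:type:mls)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = frozenset(m.group('perms').split())
    return stype, ttype, m.group('tclass'), perms


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def fmt_perms(perms):
    """Single permission bare, several in braces, matching the .te style in the thread."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_te(name, version, rules):
    """Render a .te module: header, require block, then one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f'allow {stype} {ttype}:{tclass} {fmt_perms(perms)};')
    return '\n'.join(out) + '\n'


# Hypothetical review list: a web-facing domain getting write-like access to
# system configuration types is wider than a lock file under /var/lib needs.
RISKY_TARGETS = {'etc_t', 'net_conf_t', 'shadow_t', 'bin_t', 'usr_t'}
RISKY_PERMS = {'write', 'create', 'unlink', 'rename', 'append', 'add_name', 'remove_name'}


def review_rules(rules):
    """Return warnings for allow rules that give write-like perms on RISKY_TARGETS."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        bad = sorted(perms & RISKY_PERMS)
        if ttype in RISKY_TARGETS and bad:
            warnings.append(f'{stype} -> {ttype}:{tclass} grants {" ".join(bad)}; '
                            'consider relabeling the target or using a narrower type')
    return warnings


if __name__ == '__main__':
    found = collect_rules(SAMPLE_AVC_LINES)
    print(build_te('backuppc_local', '1.0', found))
    for w in review_rules(found):
        print('WARNING:', w)
```

Feed it `grep avc: /var/log/audit/audit.log` instead of the constructed lines to get a module skeleton for review; the warning list is the part to read before running checkmodule on the result.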