Thanks for those details. There does appear to be a policy in place already
(/usr/share/selinux/packages/BackupPC/BackupPC.pp)

# semanage fcontext -l | grep BackupPC

/etc/BackupPC(/.*)?           all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/run/BackupPC(/.*)?       all files   system_u:object_r:var_run_t:s0
/var/log/BackupPC(/.*)?       all files   system_u:object_r:httpd_log_t:s0
/etc/BackupPC/LOCK            all files   system_u:object_r:httpd_lock_t:s0

No mention of /var/lib/BackupPC though. Interesting that the LOCK file is
listed here, yet it is trying to write it to the data folder?


On Wed, 28 Aug 2019 at 17:58, Ray Frush <fr...@rams.colostate.edu> wrote:

>
>
> Our setup is a little different than yours, but this is the SELinux module
> I deploy to my BackupPC server with these steps:
>
>    - semodule -r backuppc
>    - checkmodule -M -m -o /tmp/backuppc.mod /tmp/backuppc.te
>    - semodule_package -o /tmp/backuppc.pp -m /tmp/backuppc.mod
>    - semodule -i /tmp/backuppc.pp
>
>
> We also set these SELinux Booleans
>
>    - setsebool httpd_read_user_content 1
>    - setsebool httpd_use_nfs 1    # our data store is on NFS
>
>
>
> Contents of /tmp/backuppc.te:
>
> module backuppc 1.0;
>
> require {
>     type etc_t;
>     type var_log_t;
>     type net_conf_t;
>     type user_tmp_t;
>     type httpd_sys_script_t;
>     class file { write rename read create unlink open };
>     class dir { search read write getattr remove_name open add_name };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t etc_t:dir { write search read open getattr add_name remove_name };
> allow httpd_sys_script_t etc_t:file { write rename create unlink };
> allow httpd_sys_script_t var_log_t:dir read;
> allow httpd_sys_script_t var_log_t:file { read open };
> allow httpd_sys_script_t net_conf_t:file { read write open rename create unlink };
> allow httpd_sys_script_t user_tmp_t:dir { write search read open getattr add_name remove_name };
> allow httpd_sys_script_t user_tmp_t:file { write rename create unlink };
>
>
>
> On Aug 28, 2019, at 09:45, Jamie Burchell <ja...@ib3.uk> wrote:
>
> Hi
>
>
> I’m having trouble with SELinux reporting:
>
>
> avc:  denied  { write } for  pid=15496 comm="BackupPC_Admin" name="LOCK"
> dev="sda1" ino=201443561 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
>
>
> The issue (and supposed answer) is mentioned here:
>
>
> https://lists.fedoraproject.org/pipermail/selinux/2013-March/015287.html
>
>
> I have replaced /var/lib/BackupPC with a symlink to
> /mnt/volume_lon1_01_part1/BackupPC
>
>
> As far as I can tell, the default context for /var/lib/BackupPC is
> “system_u:object_r:var_lib_t:s0” and this is what I have set on
> “/mnt/volume_lon1_01_part1/BackupPC”.
>
>
> So the context appears to be correct, and I’ve run restorecon -R
> /var/lib/BackupPC but the messages still persist.
>
>
> Anybody know how to fix this?
>
>
> I should mention that everything appears to be working fine.
>
>
> Thanks,
> Jamie
> _______________________________________________
> BackupPC-users mailing list
> BackupPC-users@lists.sourceforge.net
> List:    https://lists.sourceforge.net/lists/listinfo/backuppc-users
> Wiki:    http://backuppc.wiki.sourceforge.net
> Project: http://backuppc.sourceforge.net/
>
>
>


-- 

Kind regards,

*Jamie*
ib3 Limited

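An added example for triaging denials like the one quoted in this thread (not code from the thread or from BackupPC): a POSIX shell helper that parses an AVC record into source domain, target type, object class and denied permission, so the object's actual label can be compared with the type the fcontext rules expect. The sample record is the denial Jamie quoted, embedded here as constructed input.

```shell
#!/bin/sh
# Added example, not from the thread: pick apart an SELinux AVC denial so
# the source domain, target type and denied permission can be checked
# against the file contexts listed by "semanage fcontext -l".

# Constructed sample: the denial quoted in the thread, joined onto one line.
AVC_SAMPLE='avc:  denied  { write } for  pid=15496 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=201443561 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=... (surrounding quotes stripped),
# empty if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type component (third field) of a context such as
# system_u:object_r:var_lib_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "SOURCE_DOMAIN TARGET_TYPE CLASS PERMS" on one line.
avc_summary() {
    rec=$1
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$rec" scontext)")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_perms "$rec")"
}

# avc_label_matches RECORD EXPECTED_TYPE -> exit 0 when the denied object
# already carries EXPECTED_TYPE (so relabelling with restorecon would change
# nothing and the policy itself lacks a rule), exit 1 when it is mislabelled.
avc_label_matches() {
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = "$2" ]
}

avc_summary "$AVC_SAMPLE"
```

Comparing the reported target type with what `matchpathcon` returns for the real data directory separates the two cases the thread discusses: a mislabelled file, which `restorecon` fixes, and a correctly labelled file that the loaded policy simply never grants httpd_t access to.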
