I've got a bug report[1] for BackupPC where the user is having issues with
AVC denials when browsing hosts.

This is actually from my COPR but it's the same SRPM I use for Fedora.
There are almost 50k downloads and this is the only report of a problem so
I don't think there's a fundamental issue with the package but I would
still like to help them out.

They are getting AVC denials when browsing hosts which seems to cause
BackupPC_Admin to write LOCK files in the subdirectories of
/var/lib/BackupPC/. I can find plenty of LOCK files written in my instance
of BackupPC on CentOS 7 (same as the user) but NO AVC denials for me.

Here's a snippet from the bug:

$ sudo tail -f /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1567181425.724:40002): avc:  denied  { write } for
 pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc:  denied  { write } for
 pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
...

It happens one for every host he backs up so the inodes are different but
the error is the same for all.

Currently the selinux policy built into the package doesn't modify
/var/lib/BackupPC but in my experience it hasn't needed to.

He's already tried restorecon, changed from a symlink to a bind mount (for
the backup root)...

I'm hesitant to modify the selinux policy when I can reproduce the
problem...

Ideas?


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1746598
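
An added example, not part of the original message or the BackupPC package: a small parser that collapses AVC denial records into distinct (source type, target type, class, permission) tuples, so that one denial per host reads as a single rule with a list of affected inodes. The function names are hypothetical, and the sample input is the two records quoted above, rejoined onto single lines as they appear in audit.log.

```python
import re
from collections import defaultdict

# The two records quoted in the message, rejoined onto single lines.
SAMPLE_LOG = """\
type=AVC msg=audit(1567181425.724:40002): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc:  denied  { write } for  pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def ctx_type(context):
    # An SELinux context is user:role:type:level; the type drives the decision.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "inodes": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not an AVC denial, or a truncated/wrapped record
        for perm in rec["perms"]:
            key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
                   rec["tclass"], perm)
            g = groups[key]
            g["count"] += 1
            g["inodes"].add(rec.get("ino", "?"))
            g["comms"].add(rec.get("comm", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perm), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }} x{g['count']} by {sorted(g['comms'])}")
        print("  inodes:", ", ".join(sorted(g["inodes"])))
```

Each reported inode can be mapped back to a path with `find /var/lib/BackupPC -inum <ino>` and its label inspected with `ls -Z`, which allows a file-by-file comparison between the affected system and one that does not produce denials.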