Re: [BackupPC-users] Having Several Issues
On Friday 26 June 2009 01:04:50 Admiral Beotch wrote: I haven't finished reading the selinux/apache document, but while testing out the restore process with my previous chcon statement, I realized backuppc was unable to write some restore files to the TOPDIR filesystem so I changed the context again to: chcon -R -t httpd_sys_script_rw_t /BackupData and it can now prefectly restore files as expected. I love this software! I'll post an update later after I've had a chance to fully dig into the selinux/apache document. Just a thought going through my head... Since httpd is running as backuppc and this is a dedicated backup server, I think I'm gonna be ok with this r/w context on this mounted file system... Previously I've installed BackupPC from source and sorted out the SELinux problems by hand. Now I'm about to install an backup BackupPC server and want to use the EPEL rpm if possible on Centos-5.3. It would be really helpful if you could summarise the SELinux changes you made to get it working. Tony -- Dept. of Comp. Sci. University of Limerick. -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Tony Molloy wrote: On Friday 26 June 2009 01:04:50 Admiral Beotch wrote: I haven't finished reading the selinux/apache document, but while testing out the restore process with my previous chcon statement, I realized backuppc was unable to write some restore files to the TOPDIR filesystem so I changed the context again to: chcon -R -t httpd_sys_script_rw_t /BackupData and it can now prefectly restore files as expected. I love this software! I'll post an update later after I've had a chance to fully dig into the selinux/apache document. Just a thought going through my head... Since httpd is running as backuppc and this is a dedicated backup server, I think I'm gonna be ok with this r/w context on this mounted file system... Previously I've installed BackupPC from source and sorted out the SELinux problems by hand. Now I'm about to install an backup BackupPC server and want to use the EPEL rpm if possible on Centos-5.3. It would be really helpful if you could summarise the SELinux changes you made to get it working. Also, did you have the mounted drive in place when the RPM was installed? If not, the RPM might have configured things by itself. -- Les Mikesell lesmikes...@gmail.com -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
On Friday 26 June 2009 13:28:56 Les Mikesell wrote: Tony Molloy wrote: On Friday 26 June 2009 01:04:50 Admiral Beotch wrote: I haven't finished reading the selinux/apache document, but while testing out the restore process with my previous chcon statement, I realized backuppc was unable to write some restore files to the TOPDIR filesystem so I changed the context again to: chcon -R -t httpd_sys_script_rw_t /BackupData and it can now prefectly restore files as expected. I love this software! I'll post an update later after I've had a chance to fully dig into the selinux/apache document. Just a thought going through my head... Since httpd is running as backuppc and this is a dedicated backup server, I think I'm gonna be ok with this r/w context on this mounted file system... Previously I've installed BackupPC from source and sorted out the SELinux problems by hand. Now I'm about to install an backup BackupPC server and want to use the EPEL rpm if possible on Centos-5.3. It would be really helpful if you could summarise the SELinux changes you made to get it working. Also, did you have the mounted drive in place when the RPM was installed? If not, the RPM might have configured things by itself. No, it doesn't. I did a test install of the rpm a few days ago and got a lot of SELinux problems. Tony -- Dept. of Comp. Sci. University of Limerick. -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote:
Les,
Here's my hasty notes from my install using CentOS 5.3, epel's current
backuppc. Excuse the mess.. I just ordered a new dedicated backup server
and will be re-installing again from scratch to validate and clean up my
procedure. I'll repost in a nicer format when it's all done.
Admrial Beotch
=
Assumes core install with all updates...
Assumes large drive mounted to file system at /BackupData
yum install backuppc httpd
edit /etc/BackupPC/config.pl
change $Conf{CgiAdminUsers} to 'admin'
change $Conf{TopDir} to '/BackupData/'
#allows httpd process to r/w data partition
chcon -R -t httpd_sys_script_rw_t /BackupData
edit /etc/httpd/conf/httpd.conf
change httpd User from apache to backuppc
#Move rpm installed TOPDIR directories to data mount
cd /var/lib/BackupData/
mv cpool/ pc/ pool/ trash/ /BackupData
htpasswd -c /etc/BackupPC/apache.users admin
edit /etc/BackupPC/hosts and add host names
edit /etc/httpd/conf.d/BackupPC.conf
change 'allow' to management host ip
chkconfig --levels 345 backuppc on
chkconfig --levels 345 httpd on
#login as backuppc and generate passwordless ssh keys
su - -s /bin/bash backuppc
ssh-keygen
copy public key to all computers being backed up (to root account).
contents of id_rsa.pub goes into /root/.ssh/authorized_keys on each host
to be backed up.
What I'm wondering is, if you had mounted your drive on
/var/lib/backuppc before the yum install (or had set it up during the
Centos install) would any of the other steps have been necessary?
Also, only the latest version of backuppc allows $Conf{TopDir} to be
changed after the initial configuration (done before the RPM was built),
so I'm surprised you didn't follow the directions for a mount or soft
link at /var/lib/backuppc that should be somewhere on the wiki.
--
Les Mikesell
lesmikes...@gmail.com
--
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: What I'm wondering is, if you had mounted your drive on /var/lib/backuppc before the yum install (or had set it up during the Centos install) would any of the other steps have been necessary? Good point. I will test this when my new hardware gets here... I'm going to guess that the chcon would still have been necessary because the default SELinux policy probably does not expect httpd_t to have so much access to a file system. But we'll give it a shot. If it doesn't, you should report it to the packager. RPMs are supposed to set that stuff up so it works. I normally disable SELinux to avoid surprises anyway though, but most of my boxes are pretty well firewalled. -- Les Mikesell lesmikes...@gmail.com -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Hi, On Fri, Jun 26, 2009 at 13:07, Les Mikeselllesmikes...@gmail.com wrote: Admiral Beotch wrote: What I'm wondering is, if you had mounted your drive on /var/lib/backuppc before the yum install (or had set it up during the Centos install) would any of the other steps have been necessary? I'm going to guess that the chcon would still have been necessary because the default SELinux policy probably does not expect httpd_t to have so much access to a file system. But we'll give it a shot. If it doesn't, you should report it to the packager. RPMs are supposed to set that stuff up so it works. I normally disable SELinux to avoid surprises anyway though, but most of my boxes are pretty well firewalled. I thought I would give some feedback here... I am running BackupPC 3.1.0-5 built from Fedora SRPMs (should be the same as EPEL) in a CentOS 5.3 machine, with SELinux enabled, in enforced mode, with targeted policy. I have the BackupPC volume mounted in /var/lib/BackupPC (default path), I mounted it *before* installing the RPM. I have had *no* issues with SELinux so far, and I'm running it for a couple of weeks now. The RPM includes a file named /usr/share/selinux/packages/BackupPC/BackupPC.pp, which I believe will implement the SELinux policies need for BackupPC operation. I believe it will do so considering the labels that are applied by default in /var/lib/BackupPC, and if you decide to mount your repository elsewhere (like /BackupData) it will only give you trouble... Especially if using SELinux, I would advise you to try to keep your backups under /var/lib/BackupPC, and also to mount the backup drive at that path before installing the RPM. HTH, Filipe -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Once I get it all figured out, I'll definitely send the information off to the packager. Again, excellent catch on mounting the disk to the default TOPDIR before installing the rpm. I cant wait to try that in a couple days. I dont want to fork this thread, but I have a strong stance on this issue and I see it getting ignored a lot on many forums... SELinux is an awesome security framework and should never be disabled. It's like a firewall for processes. One wouldn't disable a firewall because it kept an required application from working, you'd figure out how to unblock the traffic. The same should go for SELinux. If a service or account gets compromised or abused, SELinux will keep it sandboxed so it can't affect other parts of the system. On Fri, Jun 26, 2009 at 10:07, Les Mikesell lesmikes...@gmail.com wrote: If it doesn't, you should report it to the packager. RPMs are supposed to set that stuff up so it works. I normally disable SELinux to avoid surprises anyway though, but most of my boxes are pretty well firewalled. -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: Once I get it all figured out, I'll definitely send the information off to the packager. Again, excellent catch on mounting the disk to the default TOPDIR before installing the rpm. I cant wait to try that in a couple days. I dont want to fork this thread, but I have a strong stance on this issue and I see it getting ignored a lot on many forums... SELinux is an awesome security framework and should never be disabled. It's like a firewall for processes. One wouldn't disable a firewall because it kept an required application from working, you'd figure out how to unblock the traffic. The same should go for SELinux. If a service or account gets compromised or abused, SELinux will keep it sandboxed so it can't affect other parts of the system. And my stance is the opposite. The standard unix security model wasn't broken to begin with. SELinux adds another layer that is only necessary if you got something wrong in the first place. Now, if you can't get the simple, easy to understand thing right, what are the odds that you'll do better with one that is so complicated that even the distribution developers have spent years on and still haven't perfected? If you have time to learn and tune both models perfectly, then they shouldn't hurt anything, but so far I've always had something better to do and considered it more productive to focus on the simple model. -- Les Mikesell lesmikes...@gmail.com -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Hi,
Admiral Beotch wrote on 2009-06-26 09:41:51 -0700 [Re: [BackupPC-users] Having
Several Issues]:
On Fri, Jun 26, 2009 at 09:09, Les Mikesell lesmikes...@gmail.com wrote:
[...]
...so I'm surprised you didn't follow the directions for a mount or soft
link at /var/lib/backuppc that should be somewhere on the wiki.
You're suprised I didnt follow directions? Well, that makes one of us. 8D
you're entitled to not being surprised by not having followed directions, but
you're not exempted from the consequences.
Changing TopDir like you did does not work for versions prior to 3.2.0beta0,
unless the package contains an appropriate patch. I don't know if your package
does, but if it doesn't, pooling will not work, and you'll have large amounts
of errors BackupPC_link got error XXX when calling MakeFileLink... in your
log files. As I read the code, BackupPC does not in fact prevent this at
startup, where it checks whether $Topdir/pc and $Topdir/cpool are on the same
file system. BackupPC_link uses CPoolDir. This is supposed to be the same, but
prior to 3.2.0beta0, CPoolDir will incorrectly be set to the value
$Topdir/cpool had *before* $Conf{TopDir} was changed in the config file.
So, keep TopDir where the package puts it, as you've already decided to do for
SELinux reasons anyway.
Regards,
Holger
--
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
I fixed my SELinux problem by changing the context of the mounted partition that holds TOPDIR... I can't say for certain that I got the context 100% accurate, but it seems to be a secure choice given how the httpd process is trying to interact with that part of the file system. The command that fixed everything was: chcon -R -t httpd_log_t /backup drive mount point/ Now I am about to see all my host logs and browse their backups while keeping selinux enabled. I hope this helps someone else experiencing the same problem. Admiral Beotch -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: It sounds like this might be helpful for me: You can execute the following command as root to relabel your computer system: touch /.autorelabel; reboot As an aside, you can get the same effect, without the reboot with restorecon -R /. Using restorecon -Rv / will give verbose output. I guess I'll give it a shot and see what happens... Does anyone want to weigh in on whether I should try touch /.autorelabel; touch /BackupData/.autorelabel; reboot since the file system in question is mounted to /BackupData, not '/' ? Don't bother. As far as I recall, only the existence of /.autorelabel is tested (much like /forcefsck). Chris -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: I fixed my SELinux problem by changing the context of the mounted partition that holds TOPDIR... I can't say for certain that I got the context 100% accurate, but it seems to be a secure choice given how the httpd process is trying to interact with that part of the file system. The command that fixed everything was: chcon -R -t httpd_log_t /backup drive mount point/ httpd_sys_content_t might be a more secure choice, as SELinux might give Apache permissions to write httpd_log_t. But I'm pretty rusty on the details. Also, explicitly setting the context is fine for a temporary solution, but if restorecon is ever run, the changes you made might not stick. Now I am about to see all my host logs and browse their backups while keeping selinux enabled. About, or able? I hope this helps someone else experiencing the same problem. Indeed. In any case, http://docs.fedoraproject.org/selinux-apache-fc3/ is a good read for securing Apache with SELinux. Admiral Beotch Chris -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Thanks for the tips Chris! The selinux/apache link looks very interesting! On Thu, Jun 25, 2009 at 12:36, Chris Robertson crobert...@gci.net wrote: Admiral Beotch wrote: I fixed my SELinux problem by changing the context of the mounted partition that holds TOPDIR... I can't say for certain that I got the context 100% accurate, but it seems to be a secure choice given how the httpd process is trying to interact with that part of the file system. The command that fixed everything was: chcon -R -t httpd_log_t /backup drive mount point/ httpd_sys_content_t might be a more secure choice, as SELinux might give Apache permissions to write httpd_log_t. But I'm pretty rusty on the details. Also, explicitly setting the context is fine for a temporary solution, but if restorecon is ever run, the changes you made might not stick. Now I am about to see all my host logs and browse their backups while keeping selinux enabled. About, or able? I hope this helps someone else experiencing the same problem. Indeed. In any case, http://docs.fedoraproject.org/selinux-apache-fc3/ is a good read for securing Apache with SELinux. Admiral Beotch Chris -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/ -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
I haven't finished reading the selinux/apache document, but while testing out the restore process with my previous chcon statement, I realized backuppc was unable to write some restore files to the TOPDIR filesystem so I changed the context again to: chcon -R -t httpd_sys_script_rw_t /BackupData and it can now prefectly restore files as expected. I love this software! I'll post an update later after I've had a chance to fully dig into the selinux/apache document. Just a thought going through my head... Since httpd is running as backuppc and this is a dedicated backup server, I think I'm gonna be ok with this r/w context on this mounted file system... -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
[BackupPC-users] Having Several Issues
I recently installed BackupPC (BackupPC-3.1.0-3.el5) on a CentOS 5.3 server from the epel repo. It appears that backups are occurring but I am unable to view host logs or browse backups. I can see the data being collected into the TOPDIR/pc directories, but I the statistics indicate there are no successful backups and I get the following errors when I try and view logs or browse backups: Error: Backup number for host fw does not exist. and Can't open log file I'm not sure if this is related, but under the TOPDIR/pc/host/ directory, the only subdirectory there is listed as 'f%2f'. Under that, each subdirectory are prefixed with 'f' [r...@localhost 1]# tree -L 2 . |-- attrib |-- backupInfo `-- f%2f |-- attrib |-- fbackup |-- fbin |-- fboot |-- fdev |-- fetc |-- fhome Under the host summary page, I have this information: - This status was generated at 6/24 16:02. - Pool file system was recently at 78% (6/24 16:01), today's max is 79% (6/24 11:31) and yesterday's max was 79%. Hosts with good Backups There are 0 hosts that have been backed up, for a total of: - 0 full backups of total size 0.00GB (prior to pooling and compression), - 0 incr backups of total size 0.00GB (prior to pooling and compression). Here's the output of the server logfile: 2009-06-24 01:00:01 Running 2 BackupPC_nightly jobs from 0..15 (out of 0..15) 2009-06-24 01:00:01 Running BackupPC_nightly -m 0 127 (pid=27004) 2009-06-24 01:00:01 Running BackupPC_nightly 128 255 (pid=27005) 2009-06-24 01:00:01 Next wakeup is 2009-06-24 02:00:00 2009-06-24 01:22:24 BackupPC_nightly now running BackupPC_sendEmail 2009-06-24 01:22:24 Finished admin1 (BackupPC_nightly 128 255) 2009-06-24 01:22:28 Finished admin (BackupPC_nightly -m 0 127) 2009-06-24 01:22:28 Pool nightly clean removed 0 files of size 0.00GB 2009-06-24 01:22:28 Pool is 0.00GB, 0 files (0 repeated, 0 max chain, 0 max links), 1 directories 2009-06-24 01:22:28 Cpool nightly clean removed 0 files of size 0.00GB 2009-06-24 01:22:28 Cpool is 33.91GB, 686322 files (32 repeated, 2 max chain, 1511 max links), 4369 directories 2009-06-24 02:00:00 Next wakeup is 2009-06-24 03:00:00 2009-06-24 02:36:41 Finished full backup on host1 2009-06-24 02:36:41 Running BackupPC_link host1 (pid=27275) 2009-06-24 02:40:11 Finished host1 (BackupPC_link host1) 2009-06-24 03:00:01 Next wakeup is 2009-06-24 04:00:00 ... 2009-06-24 10:00:00 Next wakeup is 2009-06-24 11:00:00 2009-06-24 10:00:01 Started incr backup on host2 (pid=785, share=/) 2009-06-24 10:00:01 Started incr backup on fw (pid=786, share=/) 2009-06-24 10:00:01 Started incr backup on host1 (pid=787, share=/) 2009-06-24 11:00:00 Next wakeup is 2009-06-24 12:00:00 2009-06-24 11:15:01 Finished incr backup on host1 2009-06-24 11:15:01 Running BackupPC_link host1 (pid=978) 2009-06-24 11:17:13 Finished host1 (BackupPC_link host1) 2009-06-24 11:33:35 Finished incr backup on fw 2009-06-24 11:33:36 Running BackupPC_link fw (pid=1059) 2009-06-24 11:35:57 Finished fw (BackupPC_link fw) 2009-06-24 11:41:21 Finished incr backup on host2 2009-06-24 11:41:21 Running BackupPC_link host2 (pid=1073) 2009-06-24 11:41:56 Finished host2 (BackupPC_link host2) 2009-06-24 12:00:00 Next wakeup is 2009-06-24 13:00:00 Any ideas what might be causing my issues? Thanks in advance! -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: I recently installed BackupPC (BackupPC-3.1.0-3.el5) on a CentOS 5.3 server from the epel repo. It appears that backups are occurring but I am unable to view host logs or browse backups. I can see the data being collected into the TOPDIR/pc directories, but I the statistics indicate there are no successful backups and I get the following errors when I try and view logs or browse backups: Error: Backup number for host fw does not exist. and Can't open log file Is SELinux enabled? Or some other reason the web browser can't access the backuppc files? -- Les Mikesell lesmikes...@gmail.com -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Admiral Beotch wrote: I recently installed BackupPC (BackupPC-3.1.0-3.el5) on a CentOS 5.3 server from the epel repo. It appears that backups are occurring but I am unable to view host logs or browse backups. I can see the data being collected into the TOPDIR/pc directories, but I the statistics indicate there are no successful backups and I get the following errors when I try and view logs or browse backups: Error: Backup number for host fw does not exist. and Can't open log file Does the log file in question exist? I'm not sure if this is related, but under the TOPDIR/pc/host/ directory, the only subdirectory there is listed as 'f%2f'. Under that, each subdirectory are prefixed with 'f' [r...@localhost 1]# tree -L 2 . |-- attrib |-- backupInfo `-- f%2f |-- attrib |-- fbackup |-- fbin |-- fboot |-- fdev |-- fetc |-- fhome Are you SURE that's at $TOPDIR/pc/host/? That directory structure should be in a numbered directory (corresponding to the backup number), such as $TOPDIR/pc/host/14/. Judging by the prompt, you are in a numbered (1) sub-directory. If that's the case, this directory listing is normal, and we are interested in the REAL contents of $TOPDIR/pc/host/ (including permissions). Under the host summary page, I have this information: * This status was generated at 6/24 16:02. * Pool file system was recently at 78% (6/24 16:01), today's max is 79% (6/24 11:31) and yesterday's max was 79%. Hosts with good Backups There are 0 hosts that have been backed up, for a total of: * 0 full backups of total size 0.00GB (prior to pooling and compression), * 0 incr backups of total size 0.00GB (prior to pooling and compression). Here's the output of the server logfile: 2009-06-24 01:00:01 Running 2 BackupPC_nightly jobs from 0..15 (out of 0..15) 2009-06-24 01:00:01 Running BackupPC_nightly -m 0 127 (pid=27004) 2009-06-24 01:00:01 Running BackupPC_nightly 128 255 (pid=27005) 2009-06-24 01:00:01 Next wakeup is 2009-06-24 02:00:00 2009-06-24 01:22:24 BackupPC_nightly now running BackupPC_sendEmail 2009-06-24 01:22:24 Finished admin1 (BackupPC_nightly 128 255) 2009-06-24 01:22:28 Finished admin (BackupPC_nightly -m 0 127) 2009-06-24 01:22:28 Pool nightly clean removed 0 files of size 0.00GB 2009-06-24 01:22:28 Pool is 0.00GB, 0 files (0 repeated, 0 max chain, 0 max links), 1 directories 2009-06-24 01:22:28 Cpool nightly clean removed 0 files of size 0.00GB 2009-06-24 01:22:28 Cpool is 33.91GB, 686322 files (32 repeated, 2 max chain, 1511 max links), 4369 directories 2009-06-24 02:00:00 Next wakeup is 2009-06-24 03:00:00 2009-06-24 02:36:41 Finished full backup on host1 2009-06-24 02:36:41 Running BackupPC_link host1 (pid=27275) 2009-06-24 02:40:11 Finished host1 (BackupPC_link host1) 2009-06-24 03:00:01 Next wakeup is 2009-06-24 04:00:00 ... 2009-06-24 10:00:00 Next wakeup is 2009-06-24 11:00:00 2009-06-24 10:00:01 Started incr backup on host2 (pid=785, share=/) 2009-06-24 10:00:01 Started incr backup on fw (pid=786, share=/) 2009-06-24 10:00:01 Started incr backup on host1 (pid=787, share=/) 2009-06-24 11:00:00 Next wakeup is 2009-06-24 12:00:00 2009-06-24 11:15:01 Finished incr backup on host1 2009-06-24 11:15:01 Running BackupPC_link host1 (pid=978) 2009-06-24 11:17:13 Finished host1 (BackupPC_link host1) 2009-06-24 11:33:35 Finished incr backup on fw 2009-06-24 11:33:36 Running BackupPC_link fw (pid=1059) 2009-06-24 11:35:57 Finished fw (BackupPC_link fw) 2009-06-24 11:41:21 Finished incr backup on host2 2009-06-24 11:41:21 Running BackupPC_link host2 (pid=1073) 2009-06-24 11:41:56 Finished host2 (BackupPC_link host2) 2009-06-24 12:00:00 Next wakeup is 2009-06-24 13:00:00 Any ideas what might be causing my issues? I'd guess either permissions or SELinux. What's the output of getenforce? Thanks in advance! Chris -- ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
Here is the output of the requested commands. The -Z shows the selinux
contexts...
[r...@localhost fw]# pwd
/BackupData/pc/fw
[r...@localhost fw]# getenforce
Enforcing
[r...@localhost fw]# ls -la -Z
drwxr-x--- backuppc backuppc root:object_r:var_lib_t .
drwxr-x--- backuppc root system_u:object_r:var_lib_t ..
drwxr-x--- backuppc backuppc root:object_r:var_lib_t 0
drwxr-x--- backuppc backuppc root:object_r:var_lib_t 1
-rw-r- backuppc backuppc root:object_r:var_lib_t backups
-rw-r- backuppc backuppc root:object_r:var_lib_t backups.old
-rw-r- backuppc backuppc root:object_r:var_lib_t LOCK
-rw-r- backuppc backuppc root:object_r:var_lib_t LOG.062009
-rw-r- backuppc backuppc root:object_r:var_lib_t XferLOG.0.z
-rw-r- backuppc backuppc root:object_r:var_lib_t XferLOG.1.z
[r...@localhost fw]#
--
If it turns out to be a selinux issue (which by now it does appear to be),
I'd rather not disable selinux, but rather debug the context issues...
I just found some selinux errors in /var/log/messages:
Jun 24 14:46:21 localhost setroubleshoot: SELinux is preventing access to
files with the label, file_t. For complete SELinux messages. run sealert -l
0de6d349-55f3-4ae2-aa9b-cfa3228e9c32
Here is the output of the sealert command:
sealert -l 0de6d349-55f3-4ae2-aa9b-cfa3228e9c32
Summary:
SELinux is preventing access to files with the label, file_t.
Detailed Description:
SELinux permission checks on files labeled file_t are being denied. file_t
is
the context the SELinux kernel gives to files that do not have a label.
This
indicates a serious labeling problem. No files on an SELinux box should
ever be
labeled file_t. If you have just added a new disk drive to the system you
can
relabel it using the restorecon command. Otherwise you should relabel the
entire
files system.
Allowing Access:
You can execute the following command as root to relabel your computer
system:
touch /.autorelabel; reboot
Additional Information:
Source Contextroot:system_r:httpd_t
Target Contextsystem_u:object_r:file_t
Target Objects/ [ dir ]
Sourceperl5.8.8
Source Path /usr/bin/perl5.8.8
Port Unknown
Host dumbo
Source RPM Packages perl-5.8.8-18.el5_3.1
Target RPM Packages filesystem-2.4.0-2.el5.centos
Policy RPMselinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing ModeEnforcing
Plugin Name file
Host Name localhost
Platform Linux localhost 2.6.18-128.1.14.el5 #1 SMP
Wed Jun 17
06:40:54 EDT 2009 i686 i686
Alert Count 579
First SeenSun Jun 21 19:35:32 2009
Last Seen Wed Jun 24 16:31:07 2009
Local ID 0de6d349-55f3-4ae2-aa9b-cfa3228e9c32
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1245886267.914:1245): avc: denied {
search } for pid=1898 comm=perl5.8.8 name=/ dev=dm-4 ino=2
scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
host=localhost type=SYSCALL msg=audit(1245886267.914:1245): arch=4003
syscall=195 success=no exit=-13 a0=8bd37f8 a1=8a6d0c8 a2=aa4ff4 a3=8bd37f8
items=0 ppid=23678 pid=1898 auid=0 uid=101 gid=48 euid=101 suid=101
fsuid=101 egid=48 sgid=48 fsgid=48 tty=(none) ses=28 comm=perl5.8.8
exe=/usr/bin/perl5.8.8 subj=root:system_r:httpd_t:s0 key=(null)
It sounds like this might be helpful for me:
You can execute the following command as root to relabel your computer
system:
touch /.autorelabel; reboot
I guess I'll give it a shot and see what happens... Does anyone want to
weigh in on whether I should try touch /.autorelabel; touch
/BackupData/.autorelabel; reboot since the file system in question is
mounted to /BackupData, not '/' ?
[r...@localhost fw]# mount
...
/dev/mapper/VolGroup01-LogVol03 on /BackupData type ext3 (rw)
--
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Having Several Issues
After having re-labeled the drives... I'm not getting this from selinux
I'm getting closer and I think chcon is going to be what's need to change
the context of all the files on the drive... Off to work now so I'll give it
another go tomorrow morning.
[r...@localhost ~]# sealert -l b6efc218-d030-40f7-b393-10050c7036f5
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied.
These
files/directories have the default label on them. This can indicate a
labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The
default
label is for files/directories which do not have a label on a parent
directory.
So if you create a new directory in / you might legitimately get this
label.
Allowing Access:
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: touch /.autorelabel; reboot
Additional Information:
Source Contextsystem_u:system_r:httpd_t
Target Contextsystem_u:object_r:default_t
Target Objects/ [ dir ]
Sourceperl5.8.8
Source Path /usr/bin/perl5.8.8
Port Unknown
Host localhost
Source RPM Packages perl-5.8.8-18.el5_3.1
Target RPM Packages filesystem-2.4.0-2.el5.centos
Policy RPMselinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing ModeEnforcing
Plugin Name default
Host Name localhost
Platform Linux localhost 2.6.18-128.1.14.el5 #1 SMP
Wed Jun 17
06:40:54 EDT 2009 i686 i686
Alert Count 24
First SeenWed Jun 24 20:33:39 2009
Last Seen Wed Jun 24 20:33:55 2009
Local ID b6efc218-d030-40f7-b393-10050c7036f5
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1245900835.372:35): avc: denied {
search } for pid=3040 comm=perl5.8.8 name=/ dev=dm-4 ino=2
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir
host=localhost type=SYSCALL msg=audit(1245900835.372:35): arch=4003
syscall=195 success=no exit=-13 a0=97a27f0 a1=963c0c8 a2=aa4ff4 a3=97a27f0
items=0 ppid=2765 pid=3040 auid=4294967295 uid=101 gid=48 euid=101 suid=101
fsuid=101 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm=perl5.8.8 exe=/usr/bin/perl5.8.8 subj=system_u:system_r:httpd_t:s0
key=(null)
--
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
