[BackupPC-users] BackupPC and selinux
Leonard Bottleman
2007-05-28 16:38:23 UTC
I have spent a fun couple of hours trying to resolve issues with the CGI
interface to BackupPC and selinux permissions.

I know some of these issues have been discussed here before, but I thought
I'd share what I've experienced thus far to see if others have a solution.

The system is running Fedora Core 6, with selinux enabled.

The first hurdle was the well known

Error: Unable to read config.pl or language strings!!

The problem was that the backup directory where the configuration
files are located needed to have the correct permissions for a
cgi script to access.

# chcon -R -t httpd_sys_script_rw_t <path to backup directory>

After fixing this permission issue I reached the next roadblock
of the script being unable to connect to the BackupPC server.

The server was up and running as the backuppc user, and the cgi-script
was being executed as the backuppc user. Checking the system error log
I saw that selinux had denied the script "connectto" access, even though
I had enabled httpd network connections for selinux (and squirrelmail is
able to connect to dovecot, which I assume requires the same permission).

I know this is an selinux issue, and if I disable selinux for just the
BackupPC_Admin script, I can connect:

# chcon -t httpd_unconfined_script_exec_t BackupPC_Admin

In a perfect world I'd like to keep selinux enabled for this script, but
thus far I've not been able to find the steps to grant connect access
for the script to the server. Any thoughts from the more experienced
selinux savvy?

Once connected I was able to start and monitor backups (I'm using tar,
because configuring rsync yielded

File::RsyncP module doesn't exist

I'm a complete Perl neophyte, and would rather not learn yet another
scripting language just to use one tool, and so I switched to tar.

Tar worked fine and once SSH was configured the specified directories
were backed up as expected.

And so the questions for the moment are:

1. Does anyone know what selinux configuration is required to allow
BackupPC_Admin to connect to the server?

2. Does anyone have a solution for the rsync problem (not that I
care whether I use rsync or tar, but I'd like to know what went
wrong)?

Leonard Bottleman
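
For question 1 above, an added example (not part of the original thread and not BackupPC's own code): it does what audit2allow does, but only for denials logged for BackupPC_Admin, so the policy module grants just the denied connectto permission instead of relabelling the script as httpd_unconfined_script_exec_t. The log lines are constructed, and the types httpd_sys_script_t and initrc_t, the module name and the socket path are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread). The SELinux types and the
# socket path are assumptions; read the real ones from your own log.
SAMPLE_LOG = """\
type=AVC msg=audit(1180370303.101:41): avc:  denied  { connectto } for  pid=2345 comm="BackupPC_Admin" path="/path/to/BackupPC.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1180370310.202:42): avc:  denied  { write } for  pid=2399 comm="other.cgi" name="config.inc" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)')

# Domains shared by many unrelated processes: a rule targeting them is broad.
BROAD_TARGETS = {"initrc_t", "unconfined_t"}

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_for(log_text, comm):
    """Collect denied permissions for one command only, keyed by rule."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        if m["comm"] == comm:
            key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def build_module(name, rules):
    """Render type-enforcement source and warnings for broad target domains."""
    types = sorted({x for src, tgt, _ in rules for x in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    warnings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
        if tgt in BROAD_TARGETS:
            warnings.append(f"{tgt} also covers other services; "
                            "a dedicated daemon domain would be narrower")
    return "\n".join(out) + "\n", warnings

if __name__ == "__main__":
    te, warns = build_module("backuppc_cgi", denials_for(SAMPLE_LOG, "BackupPC_Admin"))
    print(te, *warns, sep="\n")
```

The rendered source can be compiled and loaded with checkmodule, semodule_package and semodule -i.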
Trasher
2007-05-28 17:32:05 UTC
Hello,
Post by Leonard Bottleman
> I have spent a fun couple of hours trying to resolve issues with the CGI
> interface to BackupPC and selinux permissions.
> I know some of these issues have been discussed here before, but I thought
> I'd share what I've experienced thus far to see if others have a solution.
> The system is running Fedora Core 6, with selinux enabled.

As for me, I have no problem with SELinux and BackupPC 3.0.0 (there were
some issues with the oldest ones)

Post by Leonard Bottleman
> The first hurdle was the well known
> Error: Unable to read config.pl or language strings!!
> The problem was that the backup directory where the configuration
> files are located needed to have the correct permissions for a
> cgi script to access.
> # chcon -R -t httpd_sys_script_rw_t <path to backup directory>
> After fixing this permission issue I reached the next roadblock
> of the script being unable to connect to the BackupPC server.
> The server was up and running as the backuppc user, and the cgi-script
> was being executed as the backuppc user. Checking the system error log
> I saw that selinux had denied the script "connectto" access, even though
> I had enabled httpd network connections for selinux (and squirrelmail is
> able to connect to dovecot, which I assume requires the same permission).
> I know this is an selinux issue, and if I disable selinux for just the
> # chcon -t httpd_unconfined_script_exec_t BackupPC_Admin
> In a perfect world I'd like to keep selinux enabled for this script, but
> thus far I've not been able to find the steps to grant connect access
> for the script to the server. Any thoughts from the more experienced
> selinux savvy?
> Once connected I was able to start and monitor backups (I'm using tar,
> because configuring rsync yielded
> File::RsyncP module doesn't exist

Is this package installed on your system:
perl-File-RsyncP

By the way, the version actually shipped on the Fedora repositories is
not compatible with BackupPC 3.0.0, I've requested an upgrade. If you
wish to use BackupPC 3.0 on your Fedora Core, let me know, I'll put the
package I've rebuilt on my webserver

Post by Leonard Bottleman
> I'm a complete Perl neophyte, and would rather not learn yet another
> scripting language just to use one tool, and so I switched to tar.
> Tar worked fine and once SSH was configured the specified directories
> were backed up as expected.
> 1. Does anyone know what selinux configuration is required to allow
> BackupPC_Admin to connect to the server?
> 2. Does anyone have a solution for the rsync problem (not that I
> care whether I use rsync or tar, but I'd like to know what went
> wrong)?
> Leonard Bottleman

Hope that helps...

Regards,
Johan Cwiklinski
Michael Mansour
2007-05-28 22:24:59 UTC
Hi,
Post by Trasher
> Hello,
> Post by Leonard Bottleman
> > I have spent a fun couple of hours trying to resolve issues with the CGI
> > interface to BackupPC and selinux permissions.
> > I know some of these issues have been discussed here before, but I thought
> > I'd share what I've experienced thus far to see if others have a solution.
> > The system is running Fedora Core 6, with selinux enabled.
> As for me, I have no problem with SELinux and BackupPC 3.0.0 (there were
> some issues with the oldest ones)
> Post by Leonard Bottleman
> > The first hurdle was the well known
> > Error: Unable to read config.pl or language strings!!
> > The problem was that the backup directory where the configuration
> > files are located needed to have the correct permissions for a
> > cgi script to access.
> > # chcon -R -t httpd_sys_script_rw_t <path to backup directory>
> > After fixing this permission issue I reached the next roadblock
> > of the script being unable to connect to the BackupPC server.
> > The server was up and running as the backuppc user, and the cgi-script
> > was being executed as the backuppc user. Checking the system error log
> > I saw that selinux had denied the script "connectto" access, even though
> > I had enabled httpd network connections for selinux (and squirrelmail is
> > able to connect to dovecot, which I assume requires the same permission).
> > I know this is an selinux issue, and if I disable selinux for just the
> > # chcon -t httpd_unconfined_script_exec_t BackupPC_Admin
> > In a perfect world I'd like to keep selinux enabled for this script, but
> > thus far I've not been able to find the steps to grant connect access
> > for the script to the server. Any thoughts from the more experienced
> > selinux savvy?
> > Once connected I was able to start and monitor backups (I'm using tar,
> > because configuring rsync yielded
> > File::RsyncP module doesn't exist
> perl-File-RsyncP
> By the way, the version actually shipped on the Fedora repositories
> is not compatible with BackupPC 3.0.0, I've requested an upgrade. If
> you wish to use BackupPC 3.0 on your Fedora Core, let me know, I'll
> put the package I've rebuilt on my webserver

I use the version supplied by rpmforge and it works fine:

http://dag.wieers.com/rpm/packages/perl-File-RsyncP/

Just put rpmforge into your yum config and get notified of updates.

Regards,

Michael.
