Thursday, April 10, 2014

SELinux and CentOS 6 with Special Guest: BackupPC

I was trying to tighten things back up on the BackupPC after getting it running.  SELinux is a pain - but I like to have it running on all systems.  I had two BackupPC installs - one on a CentOS 5 server and one a CentOS 6 server.  You would think the latter would be the easiest - but not so!  

For the most part, I just used this blog article BackupPC on CentOS 5 (selinux fix) but I had a few issues between the two servers so I'm documenting that.


CentOS 5 didn't have the semodule command.  So...

# yum install selinux*

And then create a source policy module...

# grep httpd /var/log/audit/audit.log | audit2allow -m backuppc > backuppc.te

And then build the policy module...

# grep httpd /var/log/audit/audit.log | audit2allow -M backuppc

And finally, install the module...

# semodule -i backuppc.pp

After that, I turned on SELinux=enforcing at the command line and edited the /etc/selinux/conf to default to enforcing.

# setenforce 1
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

CentOS 6

CentOS 6 also needed to have all of the SELinux tools installed (I think).  However, when I tried the exact same things as above, the semodule command gave an error:

     Tried to link in a non-MLS module with an MLS base

After some searching I found that I needed to run system-config-selinux which is a GUI (no system-config-selinux-tui I could find).

# system-config-selinux

Here, I was expecting to see MLS instead of targeted.  Not sure why, but it was already toggled to the correct setting.  (So why does it think it's MLS?)  So, I checked the box to "Relabel on next reboot" and rebooted.  I was a little afraid of this because it said it could take a long time if you had a large filesystem and this had already used about 23% of 3TB.  It was probably done well under 20 minutes (by the time I tried it again) and it worked!


1 comment:

RAT said...

restorecon -r -v -F /home/myhome/.ssh was also pretty handy!