[rdiff-backup-users] SELinux preventing rdiff-backup

[Matthew A. Thompson, Contractor, Code 6189]

As some may know, I've been having difficulties with the latest NTFS-3G 
version and rdiff-backup, and that has been taken care of with the 
latest rdiff-backup version (I assume...Fedora hasn't upgraded yet).

However, I seem to be running into a new problem that seems to have 
started around when I started using --no-acls.  It's SELinux which is 
throwing up bajillions of the errors shown below.

Is this due to the --no-acls tag?  Or is there a "chcon" I could do to 
fix it?

Thanks,
Matt


Summary:

SELinux is preventing rdiff-backup from creating a file with a context of
unlabeled_t on a filesystem.

Detailed Description:

SELinux is preventing rdiff-backup from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp 
command to
maintain the context of a file when copying between file systems, "cp 
-a" for
example. Not all file contexts should be maintained between the file 
systems.
For example, a read-only file type like iso9660_t should not be placed 
on a r/w
system. "cp -P" might be a better solution, as this will adopt the 
default file
context for the destination.

Allowing Access:

Use a command like "cp -P" to preserve all permissions except SELinux 
context.

Additional Information:

Source Context                system_u:object_r:unlabeled_t
Target Context                system_u:object_r:fusefs_t
Target Objects                rdiff-backup.tmp.9329 [ filesystem ]
Source                        rdiff-backup
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          munged
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   filesystem_associate
Host Name                     munged
Platform                      Linux munged
                              2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon 
Feb 23
                              13:00:23 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 04 Mar 2009 07:23:29 AM EST
Last Seen                     Wed 04 Mar 2009 07:23:29 AM EST
Local ID                      0ccf144f-50a1-415c-ab0e-2925423b2efb
Line Numbers

Raw Audit Messages

node=munged type=AVC msg=audit(1236169409.556:2190): avc:  denied  { 
associate } for  pid=23152 comm="rdiff-backup" 
name="rdiff-backup.tmp.9329" dev=sdd1 ino=23236 
scontext=system_u:object_r:unlabeled_t:s0 
tcontext=system_u:object_r:fusefs_t:s0 tclass=filesystem

node=munged type=SYSCALL msg=audit(1236169409.556:2190): arch=c000003e 
syscall=188 success=no exit=-13 a0=bb9bd4 a1=1132834 a2=11eb6e4 a3=21 
items=0 ppid=22261 pid=23152 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=pts5 ses=26 comm="rdiff-backup" 
exe="/usr/bin/python" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



--
Dr Matthew Thompson, NRC Postdoc (Contractor)
Naval Research Laboratory, Code 6189
202-767-2160