Automatic laptop backup with NetworkManager (and correct selinux policies ...)

source link: https://arrfab.net/posts/2013/Mar/30/automatic-laptop-backup-with-networkmanager-and-correct-selinux-policies/

These days almost everyone uses a laptop as their primary (work)station: I don't remember when I last used something other than a laptop for both work and home. I admit that I've been using what I'll describe below for quite some time, but some people I spoke to didn't know what can be done around NetworkManager, and because I encountered a (small) issue with that process (caused by updated SELinux policies), I thought it would be a good time to write about it.

Let me first say a (little) bit about NetworkManager: almost everyone (using CentOS/Fedora or other distributions) knows what it's all about: helping you to quickly switch from one network to another, that network being a wired one, a Wifi hotspot, or even a 3G connection through your 3G USB modem or your smartphone used as a modem, etc. That's the "visible" part of NetworkManager. While some people don't seem to like it, I admit that I really appreciate it and use it on a daily basis for $work and $home (switching from wired to wireless, and so on). A quick read of the NetworkManager man page shows that you can "script" events based on the actual status of your network interface: basically, every executable script found by NetworkManager under /etc/NetworkManager/dispatcher.d/ is executed on a network change, with the interface name as the first argument and the action (for example "up" or "down") as the second. When I discovered that (quite some time ago now ...), I decided it would be good to launch a backup script for my laptop, depending on the network my laptop is connected to, and using different profiles. For example, (the "head" of) a simple script can look like this:

#!/bin/bash
# NetworkManager passes the interface as $1 and the action as $2
IF=$1
STATUS=$2

if [[ "$IF" = "eth0" && "$STATUS" = "up" ]] ; then
  # first non-default IPv4 route on eth0, i.e. the subnet we are connected to
  NET=$(/sbin/ip -4 route show dev eth0 | awk '{print $1}' | grep -v default)
  if [ "$NET" = "192.168.2.0/24" ] ; then
    # and now the rest up to you ....
    :
  fi
fi

You've got the idea, so it's now just a matter of writing the whole script. One thing I like when writing small scripts is being notified on my laptop when something happens (or doesn't, because of errors). I also quite often use notify-send for that, but because all scripts under dispatcher.d are executed as root, I prefer to "jump" from there to my user account with "su - $my_user_name -c $my_backup_script.sh".

Of course, my script needs several things to "interact" with my desktop session: the DISPLAY to use and also the D-Bus session address I'm currently using (because I also have to use gvfs-mount to automatically mount some remote folders in my GNOME session, like (yeah, don't shoot me for that, not my idea) CIFS shares for $work).

So that backup script needs some variables like this :

export DISPLAY=":0"
export DBUS_SESSION_BUS_ADDRESS=$(cat /proc/$(pidof nautilus)/environ | tr '\0' '\n' | grep DBUS_SESSION_BUS | cut -f2- -d '=')
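Putting the pieces together (the dispatcher "head" above, the su jump to the user account, and the DISPLAY/D-Bus variables), here is an added example of a complete dispatcher script; it is not the script from the original post. The user name, the subnets, the profile names and the backup script path are assumptions, and the sample environ content is constructed for trying the parser offline.

```bash
#!/bin/bash
# Added example, not the original post's script: a NetworkManager dispatcher
# script (e.g. /etc/NetworkManager/dispatcher.d/90-backup, a hypothetical name)
# that maps interface/status/subnet to a backup profile and runs the backup in
# the desktop user's session. BACKUP_USER, subnets and profiles are assumptions.
BACKUP_USER="myuser"
BACKUP_SCRIPT="/home/${BACKUP_USER}/bin/backup.sh"

# Pick a backup profile from interface, link status and connected subnet.
# Prints the profile name, or nothing when no backup should run.
select_profile() {
  local iface="$1" status="$2" net="$3"
  [ "$status" = "up" ] || return 0
  case "${iface}:${net}" in
    eth0:192.168.2.0/24) echo "home" ;;   # wired at home: rsync to the NAS
    wlan0:10.0.0.0/24)   echo "work" ;;   # office wifi: rsync to the CIFS share
    *) ;;                                 # unknown network: do nothing
  esac
}

# First non-default IPv4 subnet routed via the interface.
network_for() {
  /sbin/ip -4 route show dev "$1" | awk '{print $1}' | grep -v '^default' | head -n 1
}

# Extract DBUS_SESSION_BUS_ADDRESS from a NUL-separated /proc/<pid>/environ.
dbus_address_from_environ() {
  tr '\0' '\n' < "$1" | grep '^DBUS_SESSION_BUS_ADDRESS=' | head -n 1 | cut -d= -f2-
}

# Constructed stand-in for /proc/<pid>/environ, for trying the parser offline.
sample_environ_file() {
  local f; f="$(mktemp)"
  printf 'HOME=/home/myuser\0DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-test,guid=1234\0LANG=C\0' > "$f"
  echo "$f"
}

dispatch() {
  local iface="$1" status="$2" net profile pid dbus
  net="$(network_for "$iface")"
  profile="$(select_profile "$iface" "$status" "$net")"
  [ -n "$profile" ] || exit 0
  pid="$(pidof -s nautilus)" || exit 0   # no desktop session: skip quietly
  dbus="$(dbus_address_from_environ "/proc/${pid}/environ")"
  # Dispatcher scripts run as root; drop to the user so notify-send and gvfs-mount reach the session.
  su - "$BACKUP_USER" -c "DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS='${dbus}' '${BACKUP_SCRIPT}' '${profile}'"
}

# NetworkManager invokes the script as <interface> <action>; with no arguments nothing is dispatched.
if [ "$#" -ge 2 ]; then dispatch "$1" "$2"; fi
```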

The reason I started this blog post was not NetworkManager in the first place (though I still thought some people would benefit from those unknown/unused dispatcher.d scripts ....) but an issue I encountered with the recent updates to CentOS 6.4 (to be precise, the newer selinux-policy-3.7.19-195.el6_4.3.noarch package). So it was time to dive into that issue, and *yes*, I run SELinux everywhere, including on my laptop ...

Long story short: because I use rsync for my backup scripts (why reinvent the wheel?), I had to enable two SELinux booleans:

setsebool -P rsync_client 1  
setsebool -P rsync_export_all_ro 1

But that was still not enough. sealert, audit.log and audit2allow to the rescue (read the SELinux page on the CentOS wiki), and finally I created a custom policy module that suits my needs. Here it is:

module rsync-client.pol 1.0;

require {
  type initrc_tmp_t;
  type user_home_t;
  type rsync_t;
  class sock_file getattr;
  class file write;
}

#============= rsync_t ==============
allow rsync_t initrc_tmp_t:file write;
allow rsync_t user_home_t:sock_file getattr;

Now, every time I connect my laptop to a (recognized) network, it backs itself up automatically:
