Bug 1030489

Summary: bacula daemons run as init_t
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 1063890 (view as bug list) Environment:
Last Closed: 2014-06-13 12:47:59 UTC
Type: Bug
Bug Depends On: 877026
Bug Blocks: 848829

Description Milos Malik 2013-11-14 14:39:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):
bacula-client-5.2.13-13.el7.x86_64
bacula-common-5.2.13-13.el7.x86_64
bacula-console-5.2.13-13.el7.x86_64
bacula-console-bat-5.2.13-13.el7.x86_64
bacula-devel-5.2.13-13.el7.x86_64
bacula-director-5.2.13-13.el7.x86_64
bacula-libs-5.2.13-13.el7.x86_64
bacula-libs-sql-5.2.13-13.el7.x86_64
bacula-storage-5.2.13-13.el7.x86_64
bacula-traymonitor-5.2.13-13.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch
selinux-policy-devel-3.12.1-99.el7.noarch
selinux-policy-doc-3.12.1-99.el7.noarch
selinux-policy-minimum-3.12.1-99.el7.noarch
selinux-policy-mls-3.12.1-99.el7.noarch
selinux-policy-targeted-3.12.1-99.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service bacula-dir start
Redirecting to /bin/systemctl start  bacula-dir.service
# service bacula-fd start
Redirecting to /bin/systemctl start  bacula-fd.service
# service bacula-sd start
Redirecting to /bin/systemctl start  bacula-sd.service
# ps -efZ | grep bacula
system_u:system_r:init_t:s0     bacula   12398     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf -u bacula -g bacula
system_u:system_r:init_t:s0     root     12412     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf -u root -g root
system_u:system_r:init_t:s0     bacula   12427     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf -u bacula -g tape
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 12432 2470  0 15:33 pts/0 00:00:00 grep --color=auto bacula
#

Actual results:
 * the daemons run as init_t

Expected results:
 * the daemons run in a dedicated SELinux domain
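
The manual `ps -efZ | grep bacula` check from the reproduction steps, generalised to any service left in init_t. This is an added example, not part of the original report or the selinux-policy project; the function names are hypothetical, and it assumes PID 1 (systemd) is the only process expected to carry the init_t type.

```sh
#!/bin/sh
# Added example, not from the bug report: list processes still labelled
# init_t, i.e. services systemd started without a domain transition.

# Reads `ps -efZ` output on stdin and prints "PID COMMAND" per finding.
# Assumption: PID 1 (systemd) is the only process expected in init_t.
find_init_t_daemons() {
    awk '
        $1 == "LABEL" { next }              # ps header line
        {
            n = split($1, ctx, ":")         # user:role:type:level
            if (n >= 3 && ctx[3] == "init_t" && $3 + 0 != 1)
                print $3, $9                # PID and executable path
        }'
}

# Returns 1 and prints the findings when any daemon is left in init_t.
check_no_init_t_daemons() {
    findings=$(find_init_t_daemons)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# The bacula and grep lines are copied from the report; the header and the
# systemd (PID 1) line are constructed.
sample_ps_output() {
    cat <<'EOF'
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 15:00 ?        00:00:02 /usr/lib/systemd/systemd
system_u:system_r:init_t:s0     bacula   12398     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf -u bacula -g bacula
system_u:system_r:init_t:s0     root     12412     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf -u root -g root
system_u:system_r:init_t:s0     bacula   12427     1  0 15:33 ?        00:00:00 /usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf -u bacula -g tape
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 12432 2470  0 15:33 pts/0 00:00:00 grep --color=auto bacula
EOF
}

# On a live host: ps -efZ | check_no_init_t_daemons
sample_ps_output | check_no_init_t_daemons ||
    echo "services running in init_t (no dedicated SELinux domain)" >&2
```
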

Comment 2 Milos Malik 2014-02-04 09:38:31 UTC
It seems that ports 9101-9103 are used by default:

# grep -Ri port /etc/bacula/
/etc/bacula/bacula-sd.conf:  SDPort = 9103                  # Director's port      
/etc/bacula/bacula-sd.conf:# Devices supported by this Storage daemon
/etc/bacula/bacula-dir.conf:  DIRport = 9101                # where we listen for UA connections
/etc/bacula/bacula-dir.conf:  FDPort = 9102
/etc/bacula/bacula-dir.conf:#  FDPort = 9102
/etc/bacula/bacula-dir.conf:  SDPort = 9103
/etc/bacula/bacula-dir.conf:#  SDPort = 9103
/etc/bacula/bacula-dir.conf:#  SDPort = 9103
/etc/bacula/bacula-dir.conf:#  SDPort = 9103
/etc/bacula/bacula-dir.conf:# dbdriver = "dbi:postgresql"; dbaddress = 127.0.0.1; dbport =  
/etc/bacula/bacula-fd.conf:  FDport = 9102                  # where we listen for the director
/etc/bacula/tray-monitor.conf:  FDPort = 9102
/etc/bacula/tray-monitor.conf:  SDPort = 9103
/etc/bacula/tray-monitor.conf:  DIRport = 9101
/etc/bacula/bconsole.conf:  DIRport = 9101
/etc/bacula/bat.conf:  DIRport = 9101
#

Comment 4 Lukas Vrabec 2014-02-06 15:49:56 UTC
commit 713db6eff64ead13143867883a6a6dc8cd9585cd
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 6 15:55:21 2014 +0100

    Add to bacula capability setgid and setuid and allow to bind to bacula ports


commit b01eb1f7dcf4b32c53de46e78b985fa27d4ff1bc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 6 16:47:09 2014 +0100

    Added labels for bacula ports

Comment 7 Ludek Smid 2014-06-13 12:47:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.