Bug 1154158

Summary: New SELinux policy for bacula doesn't allow running (unconfined) "Run Before Job"
Product: Red Hat Enterprise Linux 6 Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.6CC: alexander.kruppa, a.rogge, bitmage, dossow, dwalsh, halgol60, mgrepl, mmalik, robert.scheck, ssekidde, TommyTheKid
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-261.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 07:09:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2014-10-17 17:09:49 UTC 
Description of problem:
In "/etc/bacula/bacula-dir.conf" you can add a script that needs to be run
before the real backup job is done, e.g.

--- snip ---
JobDefs {
  Name = "CatalogJob"
  Type = Backup
  Client = bacula-fd
  Storage = CatalogFile
  Messages = Standard
  Pool = "Bacula Catalog Daily"
  Priority = 10
  Run Before Job = "/root/bin/bacula-mount.sh"
}
--- snap ---

# ls -lZ /root/bin/bacula-mount.sh 
-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 /root/bin/bacula-mount.sh

# cat /root/bin/bacula-mount.sh 
#!/bin/bash

MNT="/backup"

if [ $(grep -c $MNT /proc/mounts) -eq 0 ]; then
  echo "Mounting $MNT for Bacula..."
  mount $MNT

  if [ $(grep -c /backup /proc/mounts) -eq 0 ]; then
    echo "Error: Mounting $MNT failed!"
    exit 1
  else
    echo "Mounting $MNT succeeded!"
  fi
fi
# 

Version-Release number of selected component (if applicable):
bacula-director-common-5.0.0-12.el6.x86_64
bacula-director-sqlite-5.0.0-12.el6.x86_64
selinux-policy-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch

How reproducible:
Everytime, see above.

Actual results:
New SELinux policy (since RHEL 6.6 as it seems) for bacula doesn't allow 
running (unconfined) "Run Before Job".

Expected results:
Allow running (unconfined) scripts from bacula as needed.

Additional info:
type=AVC msg=audit(1413497102.674:4794): avc:  denied  { execute } for  pid=28886 comm="bacula-dir" name="bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1413497102.674:4794): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f3db4001440 a1=7f3dbbc36660 a2=7fff7898cad8 a3=7f3dbbc363e0 items=0 ppid=12785 pid=28886 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=bacula-dir exe=/usr/sbin/bacula-dir.sqlite subj=unconfined_u:system_r:bacula_t:s0 key=(null)
Comment 1 Robert Scheck 2014-10-17 17:15:32 UTC 
Cross-filed cases #01265630 (ourself), #01265635 (customer1), #01265639 
(customer2) on the Red Hat customer portal.
Comment 3 Robert Scheck 2014-10-17 17:22:34 UTC 
If you allow above AVC denied you will simply receive:

type=AVC msg=audit(1413565451.766:10787): avc:  denied  { execute_no_trans } for  pid=5811 comm="bacula-dir" path="/data/root/bin/bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1413565451.766:10787): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fc8c4002b80 a1=7fc8ce403660 a2=7fff84d62428 a3=3236818240 items=0 ppid=2846 pid=5811 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=522 comm=bacula-dir exe=/usr/sbin/bacula-dir.sqlite subj=unconfined_u:system_r:bacula_t:s0 key=(null)
Comment 4 Simon Sekidde 2014-10-18 18:21:59 UTC 
Robert, 

What does `ls -lZ /data/root/bin/bacula-mount.sh` show?
Comment 5 Simon Sekidde 2014-10-18 18:28:51 UTC 
(In reply to Simon Sekidde from comment #4)
> Robert, 
> 
> What does `ls -lZ /data/root/bin/bacula-mount.sh` show?

Sorry that should have been

  `restorecon -Rv /data/root/bin/bacula-mount.sh`
Comment 6 Robert Scheck 2014-10-18 20:33:52 UTC 
Nothing, because /data/root should have the same labels like /root (in our
case at least, it is on DRBD in this case but we saw the same without DRBD).
Comment 7 Miroslav Grepl 2014-10-20 13:42:19 UTC 
We will need to add a new type

bacula_unconfined_script_t

for these scripts.
Comment 9 Andreas Rogge 2015-01-19 14:14:15 UTC 
Any Idea when this is going to happen? We're really waiting for that, because right now we cannot upgrade to 6.6 due to this issue.
Comment 11 Tommy McNeely 2015-02-18 08:25:01 UTC 
We just hit this same problem (well realized that we hit it back when we patched, bad times).

WORKAROUND:

* Proper Workaround:  Create a local selinux policy using audit2allow -M (using the AVC deny from above.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html


In my case, since I actually put the "script" into bacula's home directory (/var/spool/bacula), the "type" is bacula_spool_t, so I just need the following

```
#============= bacula_t ==============
allow bacula_t bacula_spool_t:file execute;
```



* Improper (easy) workaround: `semodule -d bacula` (which disables the bacula selinux module, but otherwise leaves selinux enabled on the server.
Comment 12 Tommy McNeely 2015-02-18 08:42:27 UTC 
OK, I actually ended up with a bit more "advanced" policy file after my first and secon attempt :) ...


[root@deathstar ~]# cat mybacula.te 

module mybacula 1.0;

require {
	type ssh_exec_t;
	type bacula_exec_t;
	type port_t;
	type bacula_spool_t;
	type automount_var_run_t;
	type bacula_t;
	class tcp_socket name_bind;
	class fifo_file getattr;
	class file { execute execute_no_trans };
}

#============= bacula_t ==============
allow bacula_t automount_var_run_t:fifo_file getattr;
allow bacula_t bacula_exec_t:file execute_no_trans;
allow bacula_t bacula_spool_t:file execute;

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow bacula_t port_t:tcp_socket name_bind;
allow bacula_t ssh_exec_t:file { execute execute_no_trans };


-----------


Now, our "script" executes "ssh" to create a port forward (tunnel) to allow bacula to work over the Internet, so that changes the policy above slightly (adds the ssh_exec_t part). What I mean to say is that once you have "allowed" your script to run, you will need to "allow" anything else it does too.

Here are the "steps" involved (at your own risk of course):

* setenforce 0
* tail -fn 0 /var/log/audit/audit.log | grep bacula > backup-audit.log
* (run a backup that has a pre-script)
* cat backup-audit.log | audit2allow -M mybacula
* REVIEW mybacula.te
* INSTALL: semodule -i mybacula.pp
* TEST: run another backup, ensure you get no more AVC DENIED messages in audit.log
* setenforce 1
Comment 13 Miroslav Grepl 2015-03-02 15:01:12 UTC 
commit 5fef7cd165f44d03892ec7cb21550a724f4052fb
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 2 16:00:26 2015 +0100

    Add bacula fixes related to unconfined scripts based on ssekidde patch.
Comment 15 Robert Scheck 2015-04-01 12:19:22 UTC 
When is this going to reach the regular repositories?
Comment 17 errata-xmlrpc 2015-07-22 07:09:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html
Comment 18 Alex Kruppa 2015-08-07 08:44:47 UTC 
(In reply to errata-xmlrpc from comment #17)
> Since the problem described in this bug report should be
> resolved in a recent advisory, it has been closed with a
> resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated
> files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://rhn.redhat.com/errata/RHBA-2015-1375.html

Will there be an selinux update containing the bugfixes with RHEL 7? We discovered same problems appearing in RHEL 7 as well. 

Even bacula_t is not able to write into tmp_t when it is a fifo file to write (makefifo). Reading fifos (getattr) is not possible, too. Refer to 1177051. I am curious why selinux updates containg major bugfixes for bacula are not released for rhel7 as well? 

Thx for help
Comment 19 Miroslav Grepl 2015-08-07 09:15:51 UTC 
(In reply to Alex Kruppa from comment #18)
> (In reply to errata-xmlrpc from comment #17)
> > Since the problem described in this bug report should be
> > resolved in a recent advisory, it has been closed with a
> > resolution of ERRATA.
> > 
> > For information on the advisory, and where to find the updated
> > files, follow the link below.
> > 
> > If the solution does not work for you, open a new bug report.
> > 
> > https://rhn.redhat.com/errata/RHBA-2015-1375.html
> 
> Will there be an selinux update containing the bugfixes with RHEL 7? We
> discovered same problems appearing in RHEL 7 as well. 
> 
> Even bacula_t is not able to write into tmp_t when it is a fifo file to
> write (makefifo). Reading fifos (getattr) is not possible, too. Refer to
> 1177051. I am curious why selinux updates containg major bugfixes for bacula
> are not released for rhel7 as well? 
> 
> Thx for help

Yes, it should be a part of RHEL-7.2.
Comment 20 Andreas Rogge 2015-08-08 08:35:55 UTC 
First of all thank you for handling this issue.

However, I have no idea what to do to make this work again. Is there a selinux-type that the script needs?
*Any* kind of documentation would be really nice.

Thank you!
Comment 21 Robert Scheck 2015-08-08 08:42:51 UTC 
I usually use for a bacula script "/root/bin/bacula-mount.sh" this:

  semanage fcontext -a -f 'all files' \
    -t bacula_unconfined_script_exec_t '/root/bin/bacula-mount.sh'
  restorecon -v /root/bin/bacula-mount.sh