Bug 1208117
| Summary: | SELinux policy for bacula doesn't allow writing backup files to NFS/CIFS share | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> | |
| Component: | selinux-policy | Assignee: | Simon Sekidde <ssekidde> | |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Kremen <skremen> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, robert.scheck, skremen, ssekidde | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-25.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1234410 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 10:29:42 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1234410 | |||
Description
Robert Scheck
2015-04-01 12:48:12 UTC
The same (?) issue for RHEL 6.6 is tracked via bug #1154164

type=AVC msg=audit(1427857503.087:12427): avc: denied { write } for pid=22751 comm="bacula-sd" name="bacula" dev="0:37" ino=76939267 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc: denied { add_name } for pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc: denied { create } for pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1427857503.087:12427): avc: denied { write } for pid=22751 comm="bacula-sd" path="/backup/Tux/bacula/Tux-Full-0023" dev="0:37" ino=76939313 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1427857503.087:12427): arch=c000003e syscall=2 success=yes exit=7 a0=7ff53c025d50 a1=42 a2=1a0 a3=ffffc000 items=0 ppid=1 pid=22751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bacula-sd" exe="/usr/sbin/bacula-sd" subj=system_u:system_r:bacula_t:s0 key=(null)
type=AVC msg=audit(1427857803.377:12428): avc: denied { write } for pid=32635 comm="bacula-sd" name="bacula" dev="0:37" ino=76939271 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857803.377:12428): avc: denied { add_name } for pid=32635 comm="bacula-sd" name="Bacula-Full-0024" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1427857803.377:12428): arch=c000003e syscall=2 success=yes exit=7 a0=7ff53c025d50 a1=42 a2=1a0 a3=7ff54d9fcbc4 items=0 ppid=1 pid=32635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bacula-sd" exe="/usr/sbin/bacula-sd" subj=system_u:system_r:bacula_t:s0 key=(null)
And I guess bug #1154158 (from RHEL 6.6) will also apply for RHEL 7.x then?

This might be not relevant to this (because it might be already addressed for the not yet available update, but): Since updating to selinux-policy-3.13.1-23.el7_1.13.noarch we see this via sealert (again?):
type=AVC msg=audit(1439417103.39:2910): avc: denied { write } for pid=41781 comm="bacula-sd" name="Incremental-0023" dev="0:35" ino=34213544 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1439417103.39:2910): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f1f3c024770 a1=2 a2=1a0 a3=7f1f41cda2d0 items=0 ppid=1 pid=41781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bacula-sd exe=/usr/sbin/bacula-sd subj=system_u:system_r:bacula_t:s0 key=(null)
And aside of this we still would like to see the updated selinux-policy for
RHEL 7.1... ;-)
Robert,

This fix exists in the RHEL 7 preliminary test builds under the 'use_nfs_home_dirs' boolean.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

I am not sure how this would be fixed. The booleans that were introduced for RHEL 6 were not introduced by selinux-policy-3.13.1-60.el7.noarch in RHEL 7, but why?

RHEL 7.2:
$ getsebool -a | grep bacula
$

RHEL 6.7
$ getsebool -a | grep bacula
bacula_use_nfs --> on
bacula_use_samba --> off
$

The bacula_t domain is allowed to access CIFS / NFS when the following booleans are enabled:
* use_nfs_home_dirs
* use_samba_home_dirs

Right, that works here (while I dislike the different boolean names) - thanks!
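
Added example, not part of the bug report thread and not code from selinux-policy: a small Python triage script that groups AVC denials like the ones quoted above by source type, target type and object class, then names the RHEL 7 boolean from the thread to check. The function names, the sample log, and the pairing of nfs_t/cifs_t with the two booleans are assumptions of this example.

```python
import re
from collections import defaultdict

# Booleans named in the thread for RHEL 7. Pairing them with the nfs_t and
# cifs_t target types is an assumption of this example.
BOOLEAN_FOR_TARGET = {"nfs_t": "use_nfs_home_dirs", "cifs_t": "use_samba_home_dirs"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: abridged forms of records quoted in the report, plus one
# made-up cifs_t denial and a SYSCALL record that must be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1427857503.087:12427): avc: denied { write } for pid=22751 comm="bacula-sd" name="bacula" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc: denied { add_name } for pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc: denied { create } for pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1427857503.087:12427): avc: denied { write } for pid=22751 comm="bacula-sd" path="/backup/Tux/bacula/Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1427857503.087:12427): arch=c000003e syscall=2 success=yes comm="bacula-sd" subj=system_u:system_r:bacula_t:s0 key=(null)
type=AVC msg=audit(1500000000.000:1): avc: denied { write } for pid=1 comm="bacula-sd" name="constructed" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file
"""

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def booleans_to_check(summary, domain="bacula_t"):
    """Booleans worth inspecting with getsebool for denials from `domain`."""
    return sorted({BOOLEAN_FOR_TARGET[tgt] for (src, tgt, _cls) in summary
                   if src == domain and tgt in BOOLEAN_FOR_TARGET})

if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG)
    for (src, tgt, cls), perms in sorted(result.items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    print("check booleans:", ", ".join(booleans_to_check(result)))
```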