Bug 1226721

Summary: bacula-fd fails restoring files due to insufficient permissions
Product: [Fedora] Fedora
Reporter: Christian Schwarzgruber <c.schwarzgruber.cs>
Component: bacula
Assignee: Simone Caronni <negativo17>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 22
CC: andreas, gwync, negativo17, phracek, ssekidde, vanmeeuwen+fedora
Hardware: x86_64
OS: Linux
Fixed In Version: bacula-7.2.0-3.fc23
Doc Type: Bug Fix
Last Closed: 2016-01-07 19:56:34 UTC
Type: Bug
Attachments: Bacula-fd journalctl debug output. (Flags: none)

Description Christian Schwarzgruber 2015-05-31 21:48:55 UTC
Created attachment 1033001
Bacula-fd journalctl debug output.

Description of problem: Bacula restore job fails as bacula-fd has insufficient permissions to create files/folders etc.


Version-Release number of selected component (if applicable): 
bacula-client-5.2.13-18.fc20.x86_64 -> Needed this version as the server runs version 5 too.

How reproducible:
Always reproducible as long as bacula-fd gets started through systemd.


Actual results:
Bacula restore job fails. 

Expected results:
Restore job does not fail.

Additional info:
When I start bacula-fd manually

```
$ sudo /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd -u root -g root
```

restoring of the files works.

Also I want to point out that backups are ending without any error.

Comment 1 Christian Schwarzgruber 2015-05-31 22:25:56 UTC
Update:

Seems like an SELinux problem. When setting the SELinux policy to 'permissive', restoring of the files works.

Comment 2 Christian Schwarzgruber 2015-05-31 22:55:23 UTC
One more update:

OK, it turned out that the backup jobs also have some permission problems.
Again, setting the SELinux policy to permissive lets the errors disappear.

Installed SELinux is:
selinux-policy-3.13.1-126.fc22.noarch

Here is the output for the files that failed to back up, with SELinux policy set to enforce; all three files are socket files.

```
Could not stat "/var/lib/gssproxy/default.sock": ERR=Permission denied
Could not stat "/home/cschwarzgruber/.gnupg/S.gpg-agent": ERR=Permission denied
Could not stat "/home/cschwarzgruber/.rdm": ERR=Permission denied
```

Comment 3 Simon Sekidde 2015-08-05 22:37:28 UTC
For the SELinux portion, please provide the AVCs while in permissive mode:

```
# ausearch -i -m avc > ausearch.out
```
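
Added example (not part of the original bug report and not Bacula or Fedora project code): a Python parser for the triage step requested in Comment 3, grouping AVC denials from `ausearch -i -m avc` output by source type, target type, object class and permission for one process name. The sample records, including PIDs, inode numbers and SELinux type names, are constructed for illustration; only the file paths come from Comment 2.

```python
import re
from collections import Counter

# Constructed sample of `ausearch -i -m avc` output. Timestamps, PIDs, inodes and
# SELinux type names are illustrative and not taken from the bug's attachment.
SAMPLE = """\
type=AVC msg=audit(05/31/2015 22:50:01.101:411) : avc:  denied  { getattr } for  pid=2101 comm=bacula-fd path=/var/lib/gssproxy/default.sock dev="dm-1" ino=1001 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(05/31/2015 22:50:01.205:412) : avc:  denied  { getattr } for  pid=2101 comm=bacula-fd path=/home/cschwarzgruber/.gnupg/S.gpg-agent dev="dm-2" ino=1002 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:gpg_secret_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(05/31/2015 22:50:01.309:413) : avc:  denied  { getattr } for  pid=2101 comm=bacula-fd path=/home/cschwarzgruber/.rdm dev="dm-2" ino=1003 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(05/31/2015 22:51:10.001:420) : avc:  denied  { read } for  pid=900 comm=sshd name=example dev="dm-1" ino=2001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(text, comm="bacula-fd"):
    """Count denials per (source type, target type, class, permission) for one comm."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") != comm:
            continue
        source = rec["scontext"].split(":")[2]  # user:role:type:level -> type
        target = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(source, target, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

Records collected in permissive mode carry `permissive=1`, meaning the access was logged but allowed, so one run of the job surfaces every denial rather than stopping at the first.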

Comment 4 Simone Caronni 2015-12-11 11:56:24 UTC
Hello, is this still happening on Fedora 22 with the package version you specified and the latest policy?

Can you also have a try with the latest Bacula update and policy on Fedora 23?

https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Thanks,
--Simone

Comment 5 Christian Schwarzgruber 2015-12-11 18:52:29 UTC
(In reply to Simone Caronni from comment #4)
> Hello, is this still happening on Fedora 22 with the package version you
> specified and the latest policy?

Ahh, too bad, I have already upgraded to Fedora 23.

> Can you also have a try with the latest Bacula update and policy on Fedora
> 23?

Sorry, I can't test it with the latest Bacula version, as I use the Bacula RPM package from Fedora 20. I had to make this decision, as Debian Jessie still uses Bacula 5; the communication between the bacula-server and bacula-fd won't work otherwise.

```
# rpm -qa | grep bacula
bacula-console-bat-5.2.13-18.fc20.x86_64
bacula-libs-5.2.13-18.fc20.x86_64
bacula-common-5.2.13-18.fc20.x86_64
bacula-client-5.2.13-18.fc20.x86_64
bacula-traymonitor-5.2.13-18.fc20.x86_64
```

```
# rpm -qa | grep selinux
libselinux-utils-2.4-4.fc23.x86_64
selinux-policy-3.13.1-155.fc23.noarch
rpm-plugin-selinux-4.13.0-0.rc1.7.fc23.x86_64
libselinux-2.4-4.fc23.x86_64
libselinux-devel-2.4-4.fc23.x86_64
libselinux-python3-2.4-4.fc23.x86_64
selinux-policy-targeted-3.13.1-155.fc23.noarch
selinux-policy-devel-3.13.1-155.fc23.noarch
libselinux-python-2.4-4.fc23.x86_64
```

---- Current ----

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
```

--- After ---

```
# getenforce
Enforcing
```

After setting policy mode to enforcing, I ran a Bacula backup job, and did not get any errors.
Seems to be resolved. I will try it again with enforcing set in the config file.

Thanks,
Christian

Comment 6 Christian Schwarzgruber 2015-12-11 19:01:33 UTC
Hey, seems to work now. I set SELinux to enforcing in the SELinux config file, rebooted, ran a Bacula backup job, and got no error.

Thanks again,
Christian

Comment 7 Fedora Update System 2015-12-13 12:26:30 UTC
bacula-7.2.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Comment 8 Fedora Update System 2015-12-14 15:50:18 UTC
bacula-7.2.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with

```
$ su -c 'dnf --enablerepo=updates-testing update bacula'
```

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Comment 9 Fedora Update System 2016-01-07 19:56:29 UTC
bacula-7.2.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.