Bug 1576957

Summary: bacula director will not start with SELinux enabled
Product: [Fedora] Fedora
Reporter: Michael Watters <wattersm>
Component: bacula
Assignee: Simone Caronni <negativo17>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 28
CC: andreas, jridky, negativo17, paul, phracek, rvokal
Hardware: x86_64
OS: Linux
Last Closed: 2018-06-12 20:40:13 UTC
Type: Bug

Description Michael Watters 2018-05-10 20:21:02 UTC
Description of problem:

After upgrading our bacula server to Fedora 28 the director would not start due to SELinux denials.  The AVC from the logs is shown below.

type=AVC msg=audit(1525983183.507:650): avc:  denied  { dac_override } for  pid=3851 comm="bacula-dir" capability=1  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability permissive=0


Version-Release number of selected component (if applicable):

9.0.6

How reproducible:


Steps to Reproduce:
1. run systemctl start bacula-dir

Actual results:
bacula-dir fails to start

Expected results:
bacula-dir starts

Additional info:
A custom SELinux policy to allow the director to work is shown below.

module bacula_dir 1.0;

require {
	type bacula_t;
	class capability dac_override;
}

#============= bacula_t ==============
allow bacula_t self:capability dac_override;

Comment 1 Paul Howarth 2018-06-09 10:12:33 UTC
This may be a file ownership or permissions issue. Dan Walsh wrote a blog article that included a bit on tracking down what's actually the problem here:

https://danwalsh.livejournal.com/34903.html

Comment 2 Michael Watters 2018-06-12 20:40:13 UTC
This is indeed a permissions issue.  I chgrp'd the /var/lib/bacula directory to the root group and updated permissions to allow the root user access.  Even though bacula-fd runs as "nobody" it still requires root permissions to create the pid file.
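
Added example, not part of the bug report or of the Bacula or Fedora packages: a dac_override denial means a root process hit a file or directory whose owner/group/other mode bits do not grant root access, so the check below parses the AVC record and then walks a path to list the entries that would refuse uid 0 / gid 0 without the capability. The function names are hypothetical, POSIX ACLs are ignored, and the default of write+search on the target is an assumption based on the pid-file creation mentioned in comment 2.

```python
import os
import re
import stat

# The denial quoted in the report, rejoined onto one line.
AVC = ('type=AVC msg=audit(1525983183.507:650): avc:  denied  { dac_override } '
       'for  pid=3851 comm="bacula-dir" capability=1  '
       'scontext=system_u:system_r:bacula_t:s0 '
       'tcontext=system_u:system_r:bacula_t:s0 tclass=capability permissive=0')

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its 'perms' list."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = m.group(1).split()
    return fields

def dac_permits(uid, gids, st_uid, st_gid, mode, want):
    """Owner/group/other mode check, no capability bypass; want: 4=r, 2=w, 1=x."""
    if uid == st_uid:
        bits = (mode >> 6) & 7
    elif st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def dac_blockers(path, uid=0, gids=(0,), want=3):
    """Entries from / to path whose mode bits refuse uid/gids (parents: search only)."""
    target = os.path.abspath(path)
    chain = [target]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    blockers = []
    for p in reversed(chain):
        st = os.stat(p)
        mode = stat.S_IMODE(st.st_mode)
        need = want if p == target else 1
        if not dac_permits(uid, gids, st.st_uid, st.st_gid, mode, need):
            blockers.append((p, st.st_uid, st.st_gid, oct(mode)))
    return blockers

if __name__ == '__main__':
    rec = parse_avc(AVC)
    if rec and 'dac_override' in rec['perms'] and os.path.isdir('/var/lib/bacula'):
        for entry in dac_blockers('/var/lib/bacula'):
            print('root lacks DAC access without dac_override:', entry)
```

Any entry it prints is a candidate for a chown/chgrp/chmod fix of the kind described in comment 2, as opposed to loading a policy module that grants bacula_t the capability.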