Bug 1741609
Summary: | SELinux is preventing bacula-fd from using the 'dac_override' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | jan.vesely |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 30 | CC: | andreas, dwalsh, grepl.miroslav, jpkorva, jridky, lvrabec, mgrepl, negativo17, phracek, plautrba, rvokal, vdolezal, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:2f1ecfb848afaddddfa6bafb2ada18cd71628970a7895c94f331ce714a80ea0a;VARIANT_ID=workstation; | ||
Fixed In Version: | selinux-policy-3.14.3-57.fc30 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-05 03:54:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
jan.vesely
2019-08-15 14:46:39 UTC
Hi Bacula devs, Does Bacula require to bypass DAC permissions also for writing on filesystem or search/read is enough? I assume for creating backup reasing the whole filesystem should be enough. Thanks, Lukas. *** Bug 1747133 has been marked as a duplicate of this bug. *** *** Bug 1771634 has been marked as a duplicate of this bug. *** Simone and bacula folks, bacula-fd requested the dac_override capability which is not allowed for the bacula_t domain. However, there already is dac_read_search granted: Is it sufficient for having bacula working? I will make some tests. I got "dac_override" error while restoring folder structure to /var/tmp/bacula-restores on CentOS 8.1. At a quick glance it seems that I can't restore subfolders owned by regular users (non-root). I've submitted a PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/204 commit 7c4e8a4167103ac7bca5c46c1625906f6bdc4608 (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Zdenek Pytela <zpytela> Date: Mon Feb 10 14:38:16 2020 +0100 Allow bacula dac_override capability The dac_override capability is needed to restore permissions and ownership. Resolves: rhbz#1741609 FEDORA-2020-cde9529d3d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-cde9529d3d selinux-policy-3.14.3-57.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-cde9529d3d FEDORA-2020-cde9529d3d has been pushed to the Fedora 30 stable repository. If problem still persists, please make note of it in this bug report. |