Bug 1154158 - New SELinux policy for bacula doesn't allow running (unconfined) "Run Before Job"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-17 17:09 UTC by Robert Scheck
Modified: 2019-07-11 08:16 UTC

Fixed In Version: selinux-policy-3.7.19-261.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-22 07:09:00 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2015:1375 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2015-07-20 18:07:47 UTC

Description Robert Scheck 2014-10-17 17:09:49 UTC
Description of problem:
In "/etc/bacula/bacula-dir.conf" you can add a script that needs to be run
before the real backup job is done, e.g.

--- snip ---
JobDefs {
  Name = "CatalogJob"
  Type = Backup
  Client = bacula-fd
  Storage = CatalogFile
  Messages = Standard
  Pool = "Bacula Catalog Daily"
  Priority = 10
  Run Before Job = "/root/bin/bacula-mount.sh"
}
--- snap ---

# ls -lZ /root/bin/bacula-mount.sh 
-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 /root/bin/bacula-mount.sh

# cat /root/bin/bacula-mount.sh 
#!/bin/bash

MNT="/backup"

# Mount $MNT only if it is not already mounted (match it as a whole field in
# /proc/mounts so that e.g. /backup2 does not count as a hit).
if [ "$(grep -c " $MNT " /proc/mounts)" -eq 0 ]; then
  echo "Mounting $MNT for Bacula..."
  mount "$MNT"

  # Verify the mount really happened before the backup job proceeds.
  if [ "$(grep -c " $MNT " /proc/mounts)" -eq 0 ]; then
    echo "Error: Mounting $MNT failed!"
    exit 1
  else
    echo "Mounting $MNT succeeded!"
  fi
fi
# 

Version-Release number of selected component (if applicable):
bacula-director-common-5.0.0-12.el6.x86_64
bacula-director-sqlite-5.0.0-12.el6.x86_64
selinux-policy-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch

How reproducible:
Every time, see above.

Actual results:
New SELinux policy (since RHEL 6.6 as it seems) for bacula doesn't allow 
running (unconfined) "Run Before Job".

Expected results:
Allow running (unconfined) scripts from bacula as needed.

Additional info:
type=AVC msg=audit(1413497102.674:4794): avc:  denied  { execute } for  pid=28886 comm="bacula-dir" name="bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1413497102.674:4794): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f3db4001440 a1=7f3dbbc36660 a2=7fff7898cad8 a3=7f3dbbc363e0 items=0 ppid=12785 pid=28886 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=bacula-dir exe=/usr/sbin/bacula-dir.sqlite subj=unconfined_u:system_r:bacula_t:s0 key=(null)

Comment 1 Robert Scheck 2014-10-17 17:15:32 UTC
Cross-filed cases #01265630 (ourselves), #01265635 (customer1), #01265639
(customer2) on the Red Hat customer portal.

Comment 3 Robert Scheck 2014-10-17 17:22:34 UTC
If you allow the above AVC denial you will simply receive:

type=AVC msg=audit(1413565451.766:10787): avc:  denied  { execute_no_trans } for  pid=5811 comm="bacula-dir" path="/data/root/bin/bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1413565451.766:10787): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fc8c4002b80 a1=7fc8ce403660 a2=7fff84d62428 a3=3236818240 items=0 ppid=2846 pid=5811 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=522 comm=bacula-dir exe=/usr/sbin/bacula-dir.sqlite subj=unconfined_u:system_r:bacula_t:s0 key=(null)

Comment 4 Simon Sekidde 2014-10-18 18:21:59 UTC
Robert, 

What does `ls -lZ /data/root/bin/bacula-mount.sh` show?

Comment 5 Simon Sekidde 2014-10-18 18:28:51 UTC
(In reply to Simon Sekidde from comment #4)
> Robert, 
> 
> What does `ls -lZ /data/root/bin/bacula-mount.sh` show?

Sorry that should have been

  `restorecon -Rv /data/root/bin/bacula-mount.sh`

Comment 6 Robert Scheck 2014-10-18 20:33:52 UTC
Nothing, because /data/root should have the same labels as /root (in our
case at least; it is on DRBD in this case, but we saw the same without DRBD).

Comment 7 Miroslav Grepl 2014-10-20 13:42:19 UTC
We will need to add a new type

bacula_unconfined_script_t

for these scripts.

Comment 9 Andreas Rogge 2015-01-19 14:14:15 UTC
Any idea when this is going to happen? We're really waiting for that, because right now we cannot upgrade to 6.6 due to this issue.

Comment 11 Tommy McNeely 2015-02-18 08:25:01 UTC
We just hit this same problem (well realized that we hit it back when we patched, bad times).

WORKAROUND:

* Proper Workaround: Create a local selinux policy using audit2allow -M (using the AVC denial from above).
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html


In my case, since I actually put the "script" into bacula's home directory (/var/spool/bacula), the "type" is bacula_spool_t, so I just need the following

```
#============= bacula_t ==============
allow bacula_t bacula_spool_t:file execute;
```



* Improper (easy) workaround: `semodule -d bacula` (which disables the bacula selinux module, but otherwise leaves selinux enabled on the server).

Comment 12 Tommy McNeely 2015-02-18 08:42:27 UTC
OK, I actually ended up with a bit more "advanced" policy file after my first and second attempt :) ...


[root@deathstar ~]# cat mybacula.te 

module mybacula 1.0;

require {
	type ssh_exec_t;
	type bacula_exec_t;
	type port_t;
	type bacula_spool_t;
	type automount_var_run_t;
	type bacula_t;
	class tcp_socket name_bind;
	class fifo_file getattr;
	class file { execute execute_no_trans };
}

#============= bacula_t ==============
allow bacula_t automount_var_run_t:fifo_file getattr;
allow bacula_t bacula_exec_t:file execute_no_trans;
allow bacula_t bacula_spool_t:file execute;

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow bacula_t port_t:tcp_socket name_bind;
allow bacula_t ssh_exec_t:file { execute execute_no_trans };


-----------


Now, our "script" executes "ssh" to create a port forward (tunnel) to allow bacula to work over the Internet, so that changes the policy above slightly (adds the ssh_exec_t part). What I mean to say is that once you have "allowed" your script to run, you will need to "allow" anything else it does too.

Here are the "steps" involved (at your own risk of course):

* setenforce 0
* tail -fn 0 /var/log/audit/audit.log | grep bacula > backup-audit.log
* (run a backup that has a pre-script)
* cat backup-audit.log | audit2allow -M mybacula
* REVIEW mybacula.te
* INSTALL: semodule -i mybacula.pp
* TEST: run another backup, ensure you get no more AVC DENIED messages in audit.log
* setenforce 1
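
The workaround in comment 11 and the audit2allow steps above both turn captured AVC denials into allow rules. As an added example (not from this thread or from any commenter), the POSIX shell function below does that translation over the AVC lines quoted in this bug, plus one constructed denial on bacula_spool_t and one SYSCALL line that must be ignored, so the resulting rules can be read in the REVIEW step before `semodule -i`.

```shell
#!/bin/sh
# Added example: a minimal stand-in for "audit2allow" that turns AVC denial
# lines into allow rules for review. It is not the real tool.

# Constructed input: the two AVC lines quoted in this bug, one SYSCALL line
# (no AVC, must be skipped) and one made-up denial on bacula_spool_t.
SAMPLE_AUDIT='type=AVC msg=audit(1413497102.674:4794): avc:  denied  { execute } for  pid=28886 comm="bacula-dir" name="bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1413497102.674:4794): arch=x86_64 syscall=execve success=no exit=EACCES comm=bacula-dir subj=unconfined_u:system_r:bacula_t:s0
type=AVC msg=audit(1413565451.766:10787): avc:  denied  { execute_no_trans } for  pid=5811 comm="bacula-dir" path="/data/root/bin/bacula-mount.sh" dev=drbd0 ino=2228231 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1424246701.000:1): avc:  denied  { execute } for  pid=1234 comm="bacula-dir" name="pre.sh" dev=sda1 ino=99 scontext=unconfined_u:system_r:bacula_t:s0 tcontext=system_u:object_r:bacula_spool_t:s0 tclass=file'

# avc_to_allow: read audit lines on stdin, print one "allow" rule per
# (source type, target type, class), merging permissions like audit2allow.
avc_to_allow() {
  grep 'avc:  denied' | awk '
  {
    perms = ""; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { for (i++; i <= NF && $i != "}"; i++) perms = perms " " $i }
      else if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }   # user:role:TYPE:level
      else if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (src == "" || tgt == "" || cls == "") next
    key = src " " tgt ":" cls
    if (!(key in idx)) { idx[key] = ++n; order[n] = key }
    m = split(perms, p, " ")
    for (j = 1; j <= m; j++)
      if (!((key, p[j]) in seen)) {
        seen[key, p[j]] = 1; cnt[key]++; rules[key] = rules[key] " " p[j]
      }
  }
  END {
    for (k = 1; k <= n; k++) {
      key = order[k]
      if (cnt[key] == 1) printf "allow %s%s;\n", key, rules[key]
      else printf "allow %s {%s };\n", key, rules[key]
    }
  }'
}

# sample_rules: run the translation over the constructed input above.
sample_rules() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow
}

sample_rules
```

Reading the first generated rule shows why the REVIEW step matters: it lets bacula_t execute anything labelled admin_home_t, far more than the one script, which is why labelling the script with a dedicated type (as the later comments do) is the narrower fix.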

Comment 13 Miroslav Grepl 2015-03-02 15:01:12 UTC
commit 5fef7cd165f44d03892ec7cb21550a724f4052fb
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 2 16:00:26 2015 +0100

    Add bacula fixes related to unconfined scripts based on ssekidde patch.

Comment 15 Robert Scheck 2015-04-01 12:19:22 UTC
When is this going to reach the regular repositories?

Comment 17 errata-xmlrpc 2015-07-22 07:09:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

Comment 18 Alex Kruppa 2015-08-07 08:44:47 UTC
(In reply to errata-xmlrpc from comment #17)
> Since the problem described in this bug report should be
> resolved in a recent advisory, it has been closed with a
> resolution of ERRATA.
> 
> For information on the advisory, and where to find the updated
> files, follow the link below.
> 
> If the solution does not work for you, open a new bug report.
> 
> https://rhn.redhat.com/errata/RHBA-2015-1375.html

Will there be an selinux update containing the bugfixes with RHEL 7? We discovered the same problems appearing in RHEL 7 as well.

Even bacula_t is not able to write into tmp_t when it is a fifo file to write (makefifo). Reading fifos (getattr) is not possible, too. Refer to 1177051. I am curious why selinux updates containing major bugfixes for bacula are not released for rhel7 as well?

Thx for help

Comment 19 Miroslav Grepl 2015-08-07 09:15:51 UTC
(In reply to Alex Kruppa from comment #18)
> (In reply to errata-xmlrpc from comment #17)
> > Since the problem described in this bug report should be
> > resolved in a recent advisory, it has been closed with a
> > resolution of ERRATA.
> > 
> > For information on the advisory, and where to find the updated
> > files, follow the link below.
> > 
> > If the solution does not work for you, open a new bug report.
> > 
> > https://rhn.redhat.com/errata/RHBA-2015-1375.html
> 
> Will there be an selinux update containing the bugfixes with RHEL 7? We
> discovered the same problems appearing in RHEL 7 as well.
> 
> Even bacula_t is not able to write into tmp_t when it is a fifo file to
> write (makefifo). Reading fifos (getattr) is not possible, too. Refer to
> 1177051. I am curious why selinux updates containing major bugfixes for bacula
> are not released for rhel7 as well?
> 
> Thx for help

Yes, it should be a part of RHEL-7.2.

Comment 20 Andreas Rogge 2015-08-08 08:35:55 UTC
First of all thank you for handling this issue.

However, I have no idea what to do to make this work again. Is there a selinux-type that the script needs?
*Any* kind of documentation would be really nice.

Thank you!

Comment 21 Robert Scheck 2015-08-08 08:42:51 UTC
I usually use for a bacula script "/root/bin/bacula-mount.sh" this:

  semanage fcontext -a -f 'all files' \
    -t bacula_unconfined_script_exec_t '/root/bin/bacula-mount.sh'
  restorecon -v /root/bin/bacula-mount.sh
