Bug 1177051 - bacula-fd generates SELinux alerts when it tries to back up a FIFO.
Summary: bacula-fd generates SELinux alerts when it tries to back up a FIFO.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-24 00:18 UTC by Paul Johnson
Modified: 2015-01-30 23:55 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:55:30 UTC
Type: Bug


Attachments (Terms of Use)

Description Paul Johnson 2014-12-24 00:18:40 UTC
Description of problem:

If you run Bacula with SELinux enabled then you get an alert when it the bacula-fd component tries to read a FIFO file.

I guess that the Policy is missing a case for bacula access to a FIFO.


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-103.fc21.noarch
bacula-client-7.0.5-2.fc21.x86_64


How reproducible:

Every time.


Steps to Reproduce:
1. Enable SELinux
2. Create a named FIFO.
3. Back up the file system containing the FIFO.

Actual results:

SELinux alert (example below)

Expected results:

Backup completes without alert.

Additional info: Full Alert details follow:

SELinux is preventing /usr/sbin/bacula-fd from getattr access on the fifo_file /home/paj/.ICAClient/.tmp/.SR_BEACON_LINUXWrite.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bacula-fd should be allowed getattr access on the .SR_BEACON_LINUXWrite fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bacula-fd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bacula_t:s0
Target Context                unconfined_u:object_r:mozilla_home_t:s0
Target Objects                /home/paj/.ICAClient/.tmp/.SR_BEACON_LINUXWrite [
                              fifo_file ]
Source                        bacula-fd
Source Path                   /usr/sbin/bacula-fd
Port                          <Unknown>
Host                          eiffel.house
Source RPM Packages           bacula-client-7.0.5-2.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     eiffel.house
Platform                      Linux eiffel.house 3.17.6-300.fc21.x86_64 #1 SMP
                              Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-12-23 23:48:48 GMT
Last Seen                     2014-12-23 23:48:48 GMT
Local ID                      757cf69a-995e-4b7e-8454-f749e837421d

Raw Audit Messages
type=AVC msg=audit(1419378528.677:1231): avc:  denied  { getattr } for  pid=14687 comm="bacula-fd" path="/home/paj/.ICAClient/.tmp/.SR_BEACON_LINUXWrite" dev="dm-3" ino=1052280 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=fifo_file permissive=0


type=SYSCALL msg=audit(1419378528.677:1231): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7fcf8c08e198 a1=7fcf8c00bad0 a2=7fcf8c00bad0 a3=0 items=0 ppid=1 pid=14687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bacula-fd exe=/usr/sbin/bacula-fd subj=system_u:system_r:bacula_t:s0 key=(null)

Hash: bacula-fd,bacula_t,mozilla_home_t,fifo_file,getattr

Comment 1 Daniel Walsh 2015-01-02 12:38:39 UTC
Is Bacula supposed to be doing stuff in the users homedir?

Comment 2 Paul Johnson 2015-01-02 13:19:39 UTC
(In reply to Daniel Walsh from comment #1)
> Is Bacula supposed to be doing stuff in the users homedir?

This is part of backing up. In order to back up a file (or whatever) Bacula first has to stat(2) it. It doesn't seem to have permission to call stat on a FIFO.

Comment 3 Daniel Walsh 2015-01-02 22:18:30 UTC
750774c3140cfcc5fa4a7a71613be19fa7c47679 fixes this in git.

Comment 4 Fedora Update System 2015-01-27 16:50:10 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 5 Fedora Update System 2015-01-30 04:33:02 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-30 23:55:30 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.