Bug 1208117 - SELinux policy for bacula doesn't allow writing backup files to NFS/CIFS share
Summary: SELinux policy for bacula doesn't allow writing backup files to NFS/CIFS share
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Simon Sekidde
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1234410
Reported: 2015-04-01 12:48 UTC by Robert Scheck
Modified: 2019-08-15 04:26 UTC (History)

Fixed In Version: selinux-policy-3.13.1-25.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1234410 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:29:42 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1154164 0 medium CLOSED New SELinux policy for bacula doesn't allow writing backup files to NFS/CIFS share 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Robert Scheck 2015-04-01 12:48:12 UTC
Description of problem:
If you configure bacula so that backup files get written to an NFS share (e.g.
provided by a NAS which is not capable of running bacula itself), this is going
to fail in RHEL 7.x (quite similar to what has happened since RHEL 6.6).

Version-Release number of selected component (if applicable):
bacula-libs-5.2.13-18.el7.x86_64
bacula-libs-sql-5.2.13-18.el7.x86_64
bacula-common-5.2.13-18.el7.x86_64
bacula-director-5.2.13-18.el7.x86_64
bacula-client-5.2.13-18.el7.x86_64
bacula-console-5.2.13-18.el7.x86_64
bacula-storage-5.2.13-18.el7.x86_64
selinux-policy-3.13.1-23.el7.noarch
selinux-policy-targeted-3.13.1-23.el7.noarch

How reproducible:
Every time, see above.

Actual results:
SELinux policy for bacula doesn't allow writing backup files to NFS share.

Expected results:
Allow writing backups to whatever location is needed for administrators.

Comment 1 Robert Scheck 2015-04-01 12:49:01 UTC
The same (?) issue for RHEL 6.6 is tracked via bug #1154164

Comment 2 Robert Scheck 2015-04-01 12:49:11 UTC
type=AVC msg=audit(1427857503.087:12427): avc:  denied  { write } for  pid=22751 comm="bacula-sd" name="bacula" dev="0:37" ino=76939267 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc:  denied  { add_name } for  pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857503.087:12427): avc:  denied  { create } for  pid=22751 comm="bacula-sd" name="Tux-Full-0023" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1427857503.087:12427): avc:  denied  { write } for  pid=22751 comm="bacula-sd" path="/backup/Tux/bacula/Tux-Full-0023" dev="0:37" ino=76939313 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1427857503.087:12427): arch=c000003e syscall=2 success=yes exit=7 a0=7ff53c025d50 a1=42 a2=1a0 a3=ffffc000 items=0 ppid=1 pid=22751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bacula-sd" exe="/usr/sbin/bacula-sd" subj=system_u:system_r:bacula_t:s0 key=(null)
type=AVC msg=audit(1427857803.377:12428): avc:  denied  { write } for  pid=32635 comm="bacula-sd" name="bacula" dev="0:37" ino=76939271 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1427857803.377:12428): avc:  denied  { add_name } for  pid=32635 comm="bacula-sd" name="Bacula-Full-0024" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1427857803.377:12428): arch=c000003e syscall=2 success=yes exit=7 a0=7ff53c025d50 a1=42 a2=1a0 a3=7ff54d9fcbc4 items=0 ppid=1 pid=32635 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bacula-sd" exe="/usr/sbin/bacula-sd" subj=system_u:system_r:bacula_t:s0 key=(null)

Comment 3 Robert Scheck 2015-04-01 12:56:08 UTC
And I guess bug #1154158 (from RHEL 6.6) will also apply for RHEL 7.x then?

Comment 9 Robert Scheck 2015-08-13 18:52:14 UTC
This might not be relevant to this (because it might already be addressed
for the not yet available update), but: since updating to
selinux-policy-3.13.1-23.el7_1.13.noarch we see this via sealert (again?):

type=AVC msg=audit(1439417103.39:2910): avc:  denied  { write } for  pid=41781 comm="bacula-sd" name="Incremental-0023" dev="0:35" ino=34213544 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1439417103.39:2910): arch=x86_64 syscall=open success=yes exit=ENXIO a0=7f1f3c024770 a1=2 a2=1a0 a3=7f1f41cda2d0 items=0 ppid=1 pid=41781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bacula-sd exe=/usr/sbin/bacula-sd subj=system_u:system_r:bacula_t:s0 key=(null)

And aside from this we still would like to see the updated selinux-policy for
RHEL 7.1... ;-)

Comment 10 Simon Sekidde 2015-08-13 19:47:16 UTC
Robert, 

This fix exists in the RHEL 7 preliminary test builds under the 'use_nfs_home_dirs' boolean.

Comment 13 errata-xmlrpc 2015-11-19 10:29:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

Comment 14 Robert Scheck 2015-11-20 13:24:34 UTC
I am not sure how this would be fixed. The booleans that were introduced for
RHEL 6 were not introduced by selinux-policy-3.13.1-60.el7.noarch in RHEL 7,
but why?

RHEL 7.2:
$ getsebool -a | grep bacula
$ 

RHEL 6.7
$ getsebool -a | grep bacula
bacula_use_nfs --> on
bacula_use_samba --> off
$

Comment 15 Milos Malik 2015-11-20 13:31:01 UTC
The bacula_t domain is allowed to access CIFS / NFS when the following booleans are enabled:
 * use_nfs_home_dirs
 * use_samba_home_dirs

Comment 16 Robert Scheck 2015-11-20 17:24:22 UTC
Right, that works here (while I dislike the different boolean names) - thanks!
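
The triage that Comments 2 and 15 imply, as an added example that is not part of the original bug report: a Python parser that groups AVC denials for the bacula_t domain by target type and class and names the boolean Comment 15 associates with that target. The sample records are constructed, and treating cifs_t as the type of CIFS mounts is an assumption (the page only shows nfs_t).

```python
import re
from collections import defaultdict

# Mapping from Comment 15 for bacula_t. nfs_t is the target type in the
# denials above; cifs_t as the type of CIFS mounts is an assumption here.
BOOLEAN_FOR_TARGET = {"nfs_t": "use_nfs_home_dirs", "cifs_t": "use_samba_home_dirs"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, shaped like the ones in Comment 2.
NFS = " scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:nfs_t:s0"
SAMPLE = [
    'type=AVC msg=audit(1.0:1): avc:  denied  { write } for  pid=100 comm="bacula-sd" name="vols" dev="0:37" ino=11' + NFS + " tclass=dir",
    'type=AVC msg=audit(1.0:1): avc:  denied  { add_name } for  pid=100 comm="bacula-sd" name="Full-0001"' + NFS + " tclass=dir",
    'type=AVC msg=audit(1.0:1): avc:  denied  { create write } for  pid=100 comm="bacula-sd" name="Full-0001"' + NFS + " tclass=file",
    'type=SYSCALL msg=audit(1.0:1): arch=c000003e syscall=2 success=yes comm="bacula-sd" subj=system_u:system_r:bacula_t:s0',
    'type=AVC msg=audit(2.0:2): avc:  denied  { read } for  pid=200 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to classify
    fields["perms"] = m.group(1).split()
    # A context is user:role:type:level; only the type matters here.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(lines, domain="bacula_t"):
    """Group denied permissions by (target type, class) and name the booleans."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["source_type"] == domain:
            denied[(rec["target_type"], rec["tclass"])].update(rec["perms"])
    booleans = sorted({BOOLEAN_FOR_TARGET[t] for t, _ in denied if t in BOOLEAN_FOR_TARGET})
    return dict(denied), booleans


if __name__ == "__main__":
    denied, booleans = summarize(SAMPLE)
    for (target, tclass), perms in sorted(denied.items()):
        print(f"bacula_t -> {target}:{tclass} denied {sorted(perms)}")
    print("booleans to check with getsebool:", booleans)
```

On a live system the input lines would come from the audit log rather than the embedded sample, and the reported boolean can then be inspected with getsebool as in Comment 14.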

