1226721 – bacula-fd fails restoring files due to insufficient permissions

Bug 1226721 - bacula-fd fails restoring files due to insufficient permissions

Summary: bacula-fd fails restoring files due to insufficient permissions

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bacula
Sub Component:
Version:	22
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Simone Caronni
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-05-31 21:48 UTC by Christian Schwarzgruber
Modified:	2016-01-07 19:56 UTC (History)
CC List:	6 users (show)
Fixed In Version:	bacula-7.2.0-3.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-07 19:56:34 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Bacula-fd journaltctl debug output. (14.32 KB, text/plain) 2015-05-31 21:48 UTC, Christian Schwarzgruber	no flags	Details
View All

Description Christian Schwarzgruber 2015-05-31 21:48:55 UTC

Created attachment 1033001 [details]
Bacula-fd journaltctl debug output.

Description of problem: Bacula restore job fails as bacula-fd has insufficient permissions to create files/folders etc.


Version-Release number of selected component (if applicable): 
bacula-client-5.2.13-18.fc20.x86_64 -> Needed this version as on the server runs version 5 too.

How reproducible:
Always reproducible as long as bacula-fd gets started through systemd.


Actual results:
Bacula restore job fails. 

Expected results:
Restore job does not fail.

Additional info:
When I start bacula-fd manually
$ sudo /usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd -u root -g root
restoring of the files work.

Also I want to point out that backups are ending without any error.

Comment 1 Christian Schwarzgruber 2015-05-31 22:25:56 UTC

Update:

Seems like SELinux problem. When setting SELinux policy to 'permissive' restoring of the files work.

Comment 2 Christian Schwarzgruber 2015-05-31 22:55:23 UTC

One more update:

Ok it turned out that the backup jobs are having also some permission problems.
Again, setting SELinux policy to permissive let the errors disappear.

Installed SELinux is:
selinux-policy-3.13.1-126.fc22.noarch

Here is the output of the failed files to backup, with SELinux policy set to enforce,
all three files are socket files.

```
Could not stat "/var/lib/gssproxy/default.sock": ERR=Permission denied
Could not stat "/home/cschwarzgruber/.gnupg/S.gpg-agent": ERR=Permission denied
Could not stat "/home/cschwarzgruber/.rdm": ERR=Permission denied
```

Comment 3 Simon Sekidde 2015-08-05 22:37:28 UTC

For the SELinux portion, please provide the AVCs while in permissive mode 

 # ausearch -i -m avc > ausearch.out

Comment 4 Simone Caronni 2015-12-11 11:56:24 UTC

Hello, is this still happening on Fedora 22 with the package version you specified and the latest policy?

Can you also have a try with the latest Bacula update and policy on Fedora 23?

https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Thanks,
--Simone

Comment 5 Christian Schwarzgruber 2015-12-11 18:52:29 UTC

(In reply to Simone Caronni from comment #4)
> Hello, is this still happening on Fedora 22 with the package version you
> specified and the latest policy?

Ahh to bad, I have already upgraded to Fedora 23.

> Can you also have a try with the latest Bacula update and policy on Fedora
> 23?

Sorry, I can't test it with the latest Bacula version, as I use the Bacula-RPM package from Fedora 20. I had to made this decision, as Debian Jessy still uses Bacual 5, the communication between the bacula-server and bacula-fd won't work otherwise.

# rpm -qa | grep bacula 
bacula-console-bat-5.2.13-18.fc20.x86_64
bacula-libs-5.2.13-18.fc20.x86_64
bacula-common-5.2.13-18.fc20.x86_64
bacula-client-5.2.13-18.fc20.x86_64
bacula-traymonitor-5.2.13-18.fc20.x86_64


# rpm -qa | grep selinux
libselinux-utils-2.4-4.fc23.x86_64
selinux-policy-3.13.1-155.fc23.noarch
rpm-plugin-selinux-4.13.0-0.rc1.7.fc23.x86_64
libselinux-2.4-4.fc23.x86_64
libselinux-devel-2.4-4.fc23.x86_64
libselinux-python3-2.4-4.fc23.x86_64
selinux-policy-targeted-3.13.1-155.fc23.noarch
selinux-policy-devel-3.13.1-155.fc23.noarch
libselinux-python-2.4-4.fc23.x86_64

---- Current ----
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

--- After ---
# getenforce
Enforcing

After setting policy mode to enforcing, I run a Bacula backup job, and did not get any errors.
Seems to be resolved, I will try it again with enforcing set in the config file.

Thanks,
Christian

Comment 6 Christian Schwarzgruber 2015-12-11 19:01:33 UTC

Hey, seems to work now, I set SELinux to enforcing in the SELinux config file, rebooted, run a bacula backup job, and got no error.

Thanks again,
Christian

Comment 7 Fedora Update System 2015-12-13 12:26:30 UTC

bacula-7.2.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Comment 8 Fedora Update System 2015-12-14 15:50:18 UTC

bacula-7.2.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update bacula'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a455e496d4

Comment 9 Fedora Update System 2016-01-07 19:56:29 UTC

bacula-7.2.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.