Description of problem:
After upgrading our bacula server to Fedora 28 the director would not start due to SELinux denials. The AVC from the logs is shown below.

type=AVC msg=audit(1525983183.507:650): avc: denied { dac_override } for pid=3851 comm="bacula-dir" capability=1 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):
9.0.6

How reproducible:

Steps to Reproduce:
1. run systemctl start bacula-dir

Actual results:
bacula-dir fails to start

Expected results:
bacula-dir starts

Additional info:
A custom SELinux policy to allow the director to work is shown below.

module bacula_dir 1.0;

require {
	type bacula_t;
	class capability dac_override;
}

#============= bacula_t ==============
allow bacula_t self:capability dac_override;

This may be a file ownership or permissions issue. Dan Walsh wrote a blog article that included a bit on tracking down what's actually the problem here: https://danwalsh.livejournal.com/34903.html
This is indeed a permissions issue. I chgrp'd the /var/lib/bacula directory to the root group and updated permissions to allow the root user access. Even though bacula-fd runs as "nobody" it still requires root permissions to create the pid file.
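
Added example, not part of the original report or its replies: a sketch that recognises a dac_override denial like the one in the report and then applies the plain owner/group/other check that a root process faces once SELinux withholds that capability. The directory owner, uid/gid 133 and the 0750/0770 modes are constructed for illustration (the thread only says the directory was chgrp'd to root and its permissions opened up); POSIX ACLs and CAP_DAC_READ_SEARCH are not modelled.

```python
import re
import stat

# The AVC record from the report above, embedded as sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1525983183.507:650): avc: denied { dac_override } '
              'for pid=3851 comm="bacula-dir" capability=1 '
              'scontext=system_u:system_r:bacula_t:s0 '
              'tcontext=system_u:system_r:bacula_t:s0 tclass=capability permissive=0')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return perms/comm/scontext/tclass of a denied AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    return rec


def is_dac_override_denial(line):
    """True when the process needed CAP_DAC_OVERRIDE and policy refused it."""
    rec = parse_avc(line)
    return bool(rec) and rec['tclass'] == 'capability' and 'dac_override' in rec['perms']


def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Owner/group/other check for a process WITHOUT CAP_DAC_OVERRIDE.

    With the capability denied, uid 0 gets no bypass and is judged by the
    mode bits like any other user. `want` is a subset of 'rwx'.
    """
    if uid == owner_uid:
        shift = 6          # owner bits
    elif owner_gid in gids:
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    need = sum({'r': 4, 'w': 2, 'x': 1}[c] for c in want)
    return (bits & need) == need


if __name__ == '__main__':
    print('dac_override denial:', is_dac_override_denial(SAMPLE_AVC))
    # Constructed "before" state: directory owned by uid/gid 133, mode 0750.
    print('before:', dac_allows(stat.S_IFDIR | 0o750, 133, 133, 0, {0}, 'wx'))
    # "After" state per the last comment: group root, group access opened (0770 assumed).
    print('after: ', dac_allows(stat.S_IFDIR | 0o770, 133, 0, 0, {0}, 'wx'))
```

When the check returns False for uid 0, correcting the ownership or mode removes the need for the capability, so the `allow bacula_t self:capability dac_override;` rule is not required.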