Bug 1576957 - bacula director will not start with SELinux enabled
Summary: bacula director will not start with SELinux enabled
Alias: None
Product: Fedora
Classification: Fedora
Component: bacula
Version: 28
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Simone Caronni
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-10 20:21 UTC by Michael Watters
Modified: 2018-06-12 20:40 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-12 20:40:13 UTC
Type: Bug

Attachments (Terms of Use)

Description Michael Watters 2018-05-10 20:21:02 UTC
Description of problem:

After upgrading our bacula server to Fedora 28 the director would not start due to SELinux denials.  The AVC from the logs is shown below.

type=AVC msg=audit(1525983183.507:650): avc:  denied  { dac_override } for  pid=3851 comm="bacula-dir" capability=1  scontext=system_u:system_r:bacula_t:s0 tcontext=s
ystem_u:system_r:bacula_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. run systemctl start bacula-dir

Actual results:
bacula-dir fails to start

Expected results:
bacula-dir starts

Additional info:
A custom SELinux policy to allow the director to work is show below.

module bacula_dir 1.0;

require {
	type bacula_t;
	class capability dac_override;

#============= bacula_t ==============
allow bacula_t self:capability dac_override;

Comment 1 Paul Howarth 2018-06-09 10:12:33 UTC
This may be a file ownership or permissions issue. Dan Walsh wrote a blog article  that included a but on tracking down what's actually the problem here:


Comment 2 Michael Watters 2018-06-12 20:40:13 UTC
This is indeed a permissions issue.  I chgrp'd the /var/lib/bacula directory to the root group and updated permissions to allow the root user access.  Even though bacula-fd runs as "nobody" it still requires root permissions to create the pid file.

Note You need to log in before you can comment on or make changes to this bug.