Bacula-users

Re: [Bacula-users] CentOS 6.6 SELINUX Problems BACULA 5.2.18 [Help]

2014-11-11 13:19:16
Subject: Re: [Bacula-users] CentOS 6.6 SELINUX Problems BACULA 5.2.18 [Help]
From: Humphrey Bryant <hbryant AT fogadaley DOT com>
To: Simone Caronni <negativo17 AT gmail DOT com>
Date: Tue, 11 Nov 2014 13:14:38 -0500
Hey Simone

Thank you for your input. I followed your instructions and I was able to fix (*some of) the SELinux errors with "audit2allow"; backup/restore seems to be working again. I will continue testing and see if I encounter any more problems.

Things were not as easy or as straightforward as you presented them, but after a lot of reading on SELinux and "audit2allow" and countless trials and errors I was able to fix my backup/restore problems. For some reason most of the problems seem to be related to bacula-sd wanting to read, write, etc. on files and directories. I will continue to watch and update you.

Thanks Again


On 11/10/2014 09:45 AM, Simone Caronni wrote:
It's a difficult topic but it's very rewarding :)

My suggestion is, assuming you have the system in SELinux enforcing mode:

- Install "policycoreutils-python" for SELinux debugging tools
- Ask for relabeling of the system (fixfiles onboot) & reboot to let the actual relabel happen
- Stop Bacula daemons
- Clear files in /var/log/audit/
- Set system in permissive mode (setenforce 0)
- Start bacula and do whatever you need to test
- Launch "audit2allow -a" or look directly in "/var/log/audit/audit.log" for hints
- Fix what you need to fix and re-enable SELinux (setenforce 1)

Regards,
--Simone


On 10 November 2014 15:10, Humphrey Bryant <hbryant AT fogadaley DOT com> wrote:
Hey Simone,

Thanks for the reply, indeed you are right, it's not related to Bacula, but I was just trying to get some feedback from other users who might have experienced this issue.

I don’t really know where to start debugging SELINUX, so I guess I have some reading to do. I will have a look at the Red Hat docs, but if you know any useful SELINUX links please email me some, thanks much.

Regards


On 11/09/2014 04:27 AM, Simone Caronni wrote:
Hello,

You should do some debugging on the SELinux side; this is not related to
Bacula. It is too complicated to explain by mail; the Red Hat docs are very
good in this regard.

On Fri, 2014-11-07 at 13:06 -0500, Humphrey Bryant wrote:
I checked, rechecked and double-checked all permissions on my volumes/files
and directories and everything was OK, but when I run the backups they
still hang nonetheless. It was only after I temporarily disabled SELINUX
that the backups started working again, so I am of the conclusion that
SELINUX is at fault here.

I need some help getting SELINUX to play nice with Bacula on CENTOS
6.6. Can anyone here help me out, please? Can anyone help me create a
policy or something? I don’t want to upgrade my production server and
have this same problem.

First of all, you can try to relabel your filesystem in case you have
some mislabeled file; as root do "fixfiles onboot" and reboot the
system.

Second, you can delete all files in "/var/log/audit/" and make the
problem reappear, so you can debug the SELinux permission problems with
"audit2allow -a" or by looking directly at a clean
"/var/log/audit/audit.log" file.

Then, it's worth saying that "/backup" is not a path that is part of
SELinux labels. It is not a problem by itself (it should work anyway)
but my suggestion is to use "/bacula/" as the path for your backups.

# semanage fcontext -l | grep bacula
/bacula(/.*)?                 all files     system_u:object_r:bacula_store_t:s0
/etc/bacula.*                 all files     system_u:object_r:bacula_etc_t:s0
/etc/rc\.d/init\.d/bacula.*   regular file  system_u:object_r:bacula_initrc_exec_t:s0
/usr/sbin/bacula.*            regular file  system_u:object_r:bacula_exec_t:s0
/usr/sbin/bat                 regular file  system_u:object_r:bacula_admin_exec_t:s0
/usr/sbin/bconsole            regular file  system_u:object_r:bacula_admin_exec_t:s0
/var/lib/bacula.*             all files     system_u:object_r:bacula_var_lib_t:s0
/var/log/bacula.*             all files     system_u:object_r:bacula_log_t:s0
/var/run/bacula.*             regular file  system_u:object_r:bacula_var_run_t:s0
/var/spool/bacula.*           all files     system_u:object_r:bacula_spool_t:s0
/var/spool/bacula/log(/.*)?   all files     system_u:object_r:var_log_t:s0

Regards,
--Simone



--
Best Regards
Humphrey Bryant
Information System Admin
Foga Daley
Attorneys-at-Law
7 Stanton Terrace
Kingston 6
Tel - (876) 927-4371-5
Fax - (876) 927-5081


This E-mail contains information which is confidential and privileged.
Unless you are the addressee (or authorised to receive for the
addressee), you may not use, copy or disclose to anyone the message or
information contained in it.  If you have received this e-mail in error,
please destroy it and advise the sender.




--
You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).

http://xkcd.com/229/
http://negativo17.org/

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users