Bacula-users

Re: [Bacula-users] Restoring to different host

2015-05-01 09:18:31
Subject: Re: [Bacula-users] Restoring to different host
From: Josh Fisher <jfisher AT pvct DOT com>
To: Kern Sibbald <kern AT sibbald DOT com>, Frank Sweetser <fs AT WPI DOT EDU>, Craig Shiroma <shiroma.craig.2 AT gmail DOT com>
Date: Fri, 01 May 2015 09:14:40 -0400

On 5/1/2015 2:18 AM, Kern Sibbald wrote:
> Hello,
>
> Concerning SELinux:  I tried running with SELinux for awhile quite a
> long time ago, and it turned out to be more painful than useful, so I
> turned it off.  I had turned it on to learn it and to write Bacula
> policies, but never got that far.

I've had the same experience with it after more than one attempt. The 
crux of the issue is that a backup app like Bacula is anti-SELinux by 
nature, since it must have read/write access to every single file on the 
system. At least, that is the case for the client daemon. SELinux even 
blocks the root user. Even the Dir daemon has features unfriendly to 
SELinux, like RunScript, that are nevertheless important and essential 
capabilities.

IMHO, the real issue is that SELinux does not have its own errno values. 
Since it is another layer of access permissions, separate from 
filesystem permissions, an SELinux denial should never return EACCES, as 
that has always meant a filesystem permissions denial. If there were 
errno value(s) specific to SELinux, then apps could warn that "SELinux 
is preventing access to ...". Granted, SELinux has yet another API for 
checking SELinux access permissions, but it is far easier for apps to add 
an error message for a specific errno than to incorporate yet another 
API, so many devs do not bother. This leaves the user with insufficient 
feedback. Worse, the mapping to existing errno values is not always 
1-to-1 and can cause an app's error reporting to actively mislead the 
user. This is what leads to an app reporting "file not found" when it 
should be reporting "file exists, but SELinux doesn't allow you to see it".


>
> That said: since Bacula is part of the RedHat release, it is very likely
> that they already have policies for Bacula that might work for you.  If
> not, I know that they have policies (or had policies) for Amanda, and
> that might also be a good starting point as the needs of the programs
> are similar.
>
> If someone does have SELinux policies for Bacula, I would appreciate if
> you would contribute them to the community.
>
> Best regards,
> Kern

Fedora maintainer Simone Caronni frequents this bacula-users list and 
likely knows the answer to that.

>
> On 01.05.2015 04:40, Frank Sweetser wrote:
>> A full solution would be to write an selinux policy, either on your own
>> (search for Dan Walsh, he has some excellent selinux troubleshooting guides)
>> or by opening a bug report with RedHat.  For a temporary solution, you can
>> briefly bypass selinux with the command
>>
>> setenforce 0
>>
>> This will let you run your restore.
>>
>> Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution that
>> Manager of Network Operations   |  is simple, elegant, and wrong.
>> Worcester Polytechnic Institute |           - HL Mencken
>>
>> On 4/30/2015 6:25 PM, Craig Shiroma wrote:
>>> Hi Frank,
>>>
>>> Thank you very much for the info!  Yes, this is a RHEL 6.6 box that I'm trying
>>> to restore to.  After using Romeo's check, it seems selinux is blocking the
>>> restore.
>>>
>>> Is there a best practice for dealing with this situation?
>>>
>>> Thanks again,
>>> -craig
>>>
>>>
>>> On Thu, Apr 30, 2015 at 4:06 AM, Frank Sweetser <fs AT wpi DOT edu
>>> <mailto:fs AT wpi DOT edu>> wrote:
>>>
>>>
>>>      Is this a RedHat/CentOS box?  They've recently made some changes to the
>>>      selinux configuration around bacula which prevents it from taking pretty much
>>>      any action other than backups, including running scripts or creating files.
>>>
>>>      Frank Sweetser fs at wpi.edu <http://wpi.edu>    |  For every problem,
>>>      there is a solution that
>>>      Manager of Network Operations   |  is simple, elegant, and wrong.
>>>      Worcester Polytechnic Institute |           - HL Mencken
>>>
>>>      On 4/29/2015 9:01 PM, Craig Shiroma wrote:
>>>       > Hello,
>>>       >
>>>       > I'm trying to restore a file to a different host's /tmp.  I've selected the
>>>       > target host by changing the value of Restore Client during the restore
>>>       > process, selecting the desired target host to restore to from the hosts list
>>>       > presented.  However, when I attempt the restore, I get the following error
>>>       > message:
>>>       >
>>>       > 2015-04-29 14:30:09<target_hostname> JobId 83765: Error: makepath.c:142 Cannot create directory /tmp/etc: ERR=Permission denied
>>>       >
>>>       > Any idea what could be causing the problem?  Restoring to the source host is
>>>       > no problem.
>>>       >
>>>       > Note: I replaced the actual hostname with "<target_hostname>" in the above
>>>       > error message.
>>>       >
>>>       > Thanks in advance,
>>>       >
>>>       > -Craig
>>>       >
>>>       >
>>>       >
>>>       >
>>>      
>>> ------------------------------------------------------------------------------
>>>       > One dashboard for servers and applications across 
>>> Physical-Virtual-Cloud
>>>       > Widest out-of-the-box monitoring support with 50+ applications
>>>       > Performance metrics, stats and reports that give you Actionable 
>>> Insights
>>>       > Deep dive visibility with transaction tracing using APM Insight.
>>>       > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>       >
>>>       >
>>>       >
>>>       > _______________________________________________
>>>       > Bacula-users mailing list
>>>       > Bacula-users AT lists.sourceforge DOT net
>>>      <mailto:Bacula-users AT lists.sourceforge DOT net>
>>>       > https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>       >
>>>
>>>
>>>
>>
>


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
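
The errno ambiguity discussed in this message, as an added example that is not part of the thread and is not Bacula code: when a call fails with EACCES, the program also consults SELinux's enforcing flag so its error message can name SELinux as a candidate cause. The function and enum names are hypothetical, and `enforce_path` is a parameter assumed here for testability; the flag lives at `/sys/fs/selinux/enforce` on current kernels and at `/selinux/enforce` on RHEL 6.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Illustrative classification of a failed file operation. */
enum deny_cause { DENY_OTHER, DENY_FILESYSTEM, DENY_MAYBE_SELINUX };

/* Read the SELinux enforce flag: 1 enforcing, 0 permissive, -1 unavailable
 * (selinuxfs not mounted, i.e. SELinux disabled, or the file is unreadable). */
int selinux_enforcing(const char *enforce_path)
{
    FILE *f = fopen(enforce_path, "r");
    int c;
    if (f == NULL)
        return -1;
    c = fgetc(f);
    fclose(f);
    if (c == '1') return 1;
    if (c == '0') return 0;
    return -1;
}

/* An SELinux denial arrives as plain EACCES, so errno alone cannot separate it
 * from a mode-bit denial. SELinux is a candidate cause only when enforcing. */
enum deny_cause classify_denial(int err, const char *enforce_path)
{
    if (err != EACCES)
        return DENY_OTHER;
    return selinux_enforcing(enforce_path) == 1 ? DENY_MAYBE_SELINUX
                                                : DENY_FILESYSTEM;
}

/* Build the message a program could log instead of a bare strerror(). */
int format_denial(char *buf, size_t len, const char *path, int err,
                  const char *enforce_path)
{
    if (classify_denial(err, enforce_path) == DENY_MAYBE_SELINUX)
        return snprintf(buf, len, "%s: %s (SELinux is enforcing; look for an "
                        "AVC denial in the audit log)", path, strerror(err));
    return snprintf(buf, len, "%s: %s", path, strerror(err));
}

int main(void)
{
    char msg[256];
    format_denial(msg, sizeof msg, "/tmp/etc", EACCES, "/sys/fs/selinux/enforce");
    puts(msg);
    return 0;
}
```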
