After recently upgrading my server to Fedora 22, I ran a bacula restore which generated a whole bunch of AVCs. I created a policy and ran another restore which generated more AVCs. After looking at the new audit2allow output:

    module my_bacula-fd.more 1.0;

    require {
        type user_home_dir_t;
        type home_root_t;
        type user_home_t;
        type samba_share_t;
        type bacula_t;
        class file relabelto;
        class dir { write relabelto };
    }

    #============= bacula_t ==============

    #!!!! WARNING: 'home_root_t' is a base type.
    allow bacula_t home_root_t:dir relabelto;
    allow bacula_t samba_share_t:dir relabelto;
    allow bacula_t samba_share_t:file relabelto;
    allow bacula_t user_home_dir_t:dir relabelto;
    allow bacula_t user_home_t:dir write;

    #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
    #Constraint rule:
    #    constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
    #    Possible cause is the source user (system_u) and target user (unconfined_u) are different.
    allow bacula_t user_home_t:dir relabelto;

    #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
    #Constraint rule:
    #    constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
    #    Possible cause is the source user (system_u) and target user (unconfined_u) are different.
    allow bacula_t user_home_t:file relabelto;

I realized I was chasing my tail trying to generate a policy for this. home_root_t is because I'm restoring a user's home directory and bacula-fd has to create /bacula/bacula-restores/home. Also note that I've moved the default restore location to /bacula/bacula-restores because my first attempt to /tmp filled it up and the world stopped. It seems to me that bacula-fd should run unconfined so that it can relabel the files it restores.

Note, bacula-fd is different from its cousins bacula-dir and bacula-sd because those two don't need access to everything. I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if bacula-fd is ever upgraded it will break again.

What's the best way to handle this?

Bill Shirley
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
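The audit2allow output in the post above mixes two different kinds of denial: ordinary type-enforcement denials, which an allow rule in a local module can satisfy, and denials that fail the "u1 == u2 or t1 == can_change_object_identity" constraint on create/relabelfrom/relabelto, which no allow rule on bacula_t can satisfy because the constraint compares the SELinux users (system_u versus unconfined_u), not the types. The following script is an added example, not part of the original post or of the audit2allow tool: it reads raw AVC records in audit.log format, emits the same kind of allow rules audit2allow would, and separately flags the relabel denials that would only be constraint violations. The sample log lines are constructed to mirror the denials quoted in the post; the field layout follows the standard `type=AVC ... scontext=... tcontext=... tclass=...` record format.

```python
"""Sort SELinux AVC denials into type-enforcement denials (fixable with an
allow rule) and likely object-identity constraint violations (not fixable
with an allow rule), reproducing the diagnosis audit2allow printed above."""
import re
from collections import OrderedDict

# Constructed sample audit.log records modelled on the denials in the post.
SAMPLE_AVCS = """\
type=AVC msg=audit(1433000001.100:501): avc:  denied  { relabelto } for  pid=4321 comm="bacula-fd" name="home" dev="dm-0" ino=12 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1433000001.200:502): avc:  denied  { write } for  pid=4321 comm="bacula-fd" name="bill" dev="dm-0" ino=13 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1433000001.300:503): avc:  denied  { relabelto } for  pid=4321 comm="bacula-fd" name="bill" dev="dm-0" ino=13 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1433000001.400:504): avc:  denied  { relabelto } for  pid=4321 comm="bacula-fd" name=".bashrc" dev="dm-0" ino=14 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1433000001.400:504): arch=c000003e syscall=188 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions gated by the constraint quoted in the post:
#   constrain { create relabelfrom relabelto }
#     (u1 == u2 or t1 == can_change_object_identity)
IDENTITY_PERMS = {"create", "relabelfrom", "relabelto"}


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    suser, _srole, stype = m.group("scontext").split(":")[:3]
    tuser, _trole, ttype = m.group("tcontext").split(":")[:3]
    return {
        "perms": m.group("perms").split(),
        "suser": suser, "stype": stype,
        "tuser": tuser, "ttype": ttype,
        "tclass": m.group("tclass"),
    }


def classify(avc):
    """'constraint' when the denial is an identity-changing permission and the
    source and target SELinux users differ (the u1 == u2 check fails and a
    plain allow rule cannot satisfy it); otherwise 'type_enforcement'."""
    needs_identity = bool(IDENTITY_PERMS & set(avc["perms"]))
    if needs_identity and avc["suser"] != avc["tuser"]:
        return "constraint"
    return "type_enforcement"


def analyse(log_text):
    """Return (allow_rules, constraint_notes) for a block of audit.log text.

    allow_rules is the deduplicated list of allow statements an audit2allow
    run would propose; constraint_notes lists the denials those statements
    would NOT fix because of the SELinux user mismatch."""
    allow_rules = OrderedDict()   # dedupe while keeping first-seen order
    notes = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc["perms"]:
            rule = "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perm)
            allow_rules[rule] = True
        if classify(avc) == "constraint":
            notes.append(
                "%s on %s %s: source user %s != target user %s; an allow rule "
                "alone will not help, the object identity constraint still denies it"
                % (" ".join(avc["perms"]), avc["tclass"], avc["ttype"],
                   avc["suser"], avc["tuser"])
            )
    return list(allow_rules), notes


if __name__ == "__main__":
    rules, notes = analyse(SAMPLE_AVCS)
    print("# proposed allow rules (type enforcement only):")
    for rule in rules:
        print(rule)
    print("# denials an allow rule cannot fix:")
    for note in notes:
        print("#   " + note)
```

Run against a real log with `python3 avc_triage.py < <(ausearch -m avc -ts recent)` or by replacing SAMPLE_AVCS with the file contents. The useful output is the second list: it separates the relabel denials on user_home_t that hit the user-mismatch constraint from the home_root_t and samba_share_t denials that are ordinary type-enforcement misses, which is exactly the split the post's author had to work out by hand from the audit2allow comments.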