On 08/23/2015 07:53 AM, Bill Shirley wrote:

After recently upgrading my server to Fedora 22, I ran a bacula restore which generated a whole bunch of AVCs. I created a policy and ran another restore which generated more AVCs. After looking at the new audit2allow output:
module my_bacula-fd.more 1.0;

require {
        type user_home_dir_t;
        type home_root_t;
        type user_home_t;
        type samba_share_t;
        type bacula_t;
        class file relabelto;
        class dir { write relabelto };
}

#============= bacula_t ==============
#!!!! WARNING: 'home_root_t' is a base type.
allow bacula_t home_root_t:dir relabelto;
allow bacula_t samba_share_t:dir relabelto;
allow bacula_t samba_share_t:file relabelto;
allow bacula_t user_home_dir_t:dir relabelto;
allow bacula_t user_home_t:dir write;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:dir relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:file relabelto;
I realized I was chasing my tail trying to generate a policy for this.

home_root_t is because I'm restoring a user's home directory and bacula-fd has to create /bacula/bacula-restores/home. Also note that I've moved the default restore location to /bacula/bacula-restores because my first attempt to /tmp filled it up and the world stopped.

It seems to me that bacula-fd should run unconfined so that it can relabel the files it restores. Note, bacula-fd is different than its cousins bacula-dir and bacula-sd because those two don't need access to everything.

I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if bacula-fd is ever upgraded it will break again.

What's the best way to handle this?

Bill Shirley
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
If it is running restorecon, it should probably just transition to that domain, then you would not need these allow rules.

seutil_domtrans_setfiles(bacula_t)

Then you can remove all relabelto rules.
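The suggestion in the reply written out as a complete reference-policy module, added here as an example and not code from either poster or from the Fedora policy. Instead of granting bacula_t the relabelto permissions (two of which fail the SELinux user-identity constraint no matter what allow rules are added), the module lets bacula-fd transition into the setfiles domain when it runs restorecon, so the relabel happens in a domain the constraint already permits. The module name my_bacula_fd, the version, keeping the one non-relabel rule (dir write on user_home_t) from the audit2allow output, and building with the selinux-policy-devel Makefile at /usr/share/selinux/devel/Makefile are assumptions; adjust them to the local setup.

```shell
#!/bin/sh
# Added example (not from the thread): the reply's fix as a policy module.
# seutil_domtrans_setfiles() is the refpolicy interface the reply names; the
# module name, version and the retained 'write' rule are assumptions.

# Emit the .te source. gen_require/policy_module are m4 macros expanded by
# the policy devel Makefile, so this file must be built with that Makefile,
# not fed straight to checkmodule like audit2allow's raw output.
emit_bacula_fd_module() {
    cat <<'EOF'
policy_module(my_bacula_fd, 1.0)

gen_require(`
    type bacula_t;
    type user_home_t;
')

# Let bacula-fd exec restorecon/setfiles in the setfiles_t domain instead of
# relabelling restored files itself. This replaces every relabelto rule that
# audit2allow generated, including the two that were constraint violations.
seutil_domtrans_setfiles(bacula_t)

# The single non-relabel AVC from the audit2allow output: writing into
# restored home-directory content (assumed still needed).
allow bacula_t user_home_t:dir write;
EOF
}

# Count allow rules in a policy text that still grant relabelto; the review
# goal after applying the reply's advice is zero (comments are not counted).
count_relabelto() {
    printf '%s\n' "$1" | grep -c '^allow .*relabelto' || true
}

# Write the .te file and, when the SELinux policy devel Makefile is present
# (selinux-policy-devel on Fedora), build and load the module with semodule.
install_bacula_fd_module() {
    dir="${1:-$PWD}"
    emit_bacula_fd_module > "$dir/my_bacula_fd.te"
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile my_bacula_fd.pp ) || return 1
        semodule -i "$dir/my_bacula_fd.pp"
    else
        echo "wrote $dir/my_bacula_fd.te (policy devel Makefile not found, not built)" >&2
    fi
}
```

After loading, a restore that previously produced the constraint-violation AVCs should instead show restorecon running as setfiles_t (visible with ps -eZ during the restore); any remaining denials in the audit log are then ordinary bacula_t accesses rather than relabels, which is what the reply predicts.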