Re: bacula-fd and relabelto

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 08/23/2015 07:53 AM, Bill shirley wrote:
After recently upgrading my server to Fedora 22, I ran a bacula restore which generated a
whole bunch of AVCs.  I created a policy and ran another restore which generated more
AVCs.  After looking at the new audit2allow output:
module my_bacula-fd.more 1.0;

require {
        type user_home_dir_t;
        type home_root_t;
        type user_home_t;
        type samba_share_t;
        type bacula_t;
        class file relabelto;
        class dir { write relabelto };
}

#============= bacula_t ==============

#!!!! WARNING: 'home_root_t' is a base type.
allow bacula_t home_root_t:dir relabelto;
allow bacula_t samba_share_t:dir relabelto;
allow bacula_t samba_share_t:file relabelto;
allow bacula_t user_home_dir_t:dir relabelto;
allow bacula_t user_home_t:dir write;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:dir relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:file relabelto;

I realized I was chasing my tail trying to generate a policy for this.

home_root_t is because I'm restoring a user's home directory and bacula-fd has to create
/bacula/bacula-restores/home.  Also note that I've moved the default restore location to
/bacula/bacula-restores because my first attempt to /tmp filled it up and the world stopped.

It seems to me that bacula-fd should run unconfined to that it can relabel the files it restores.
Note, bacula-fd is different that its cousins bacula-dir and bacula-sd because those two don't
need access to everything.

I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if bacula-fd is ever upgraded
it will break again.

What's the best way to handle this?

Bill Shirley



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
If it is running restorecon, it should probably just transition to that domain, then you would not needs these allow rules.

seutil_domtrans_setfiles(bacula_t)

Then you can remove all relabelto rules.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux