<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/23/2015 07:53 AM, Bill shirley
wrote:<br>
</div>
<blockquote cite="mid:55D9B446.3070104@bigcdrugs.biz" type="cite">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
After recently upgrading my server to Fedora 22, I ran a bacula
restore which generated a<br>
whole bunch of AVCs. I created a policy and ran another restore
which generated more<br>
AVCs. After looking at the new audit2allow output:<br>
<font color="#993300"><pre wrap="">module my_bacula-fd.more 1.0;

require {
	type user_home_dir_t;
	type home_root_t;
	type user_home_t;
	type samba_share_t;
	type bacula_t;
	class file relabelto;
	class dir { write relabelto };
}

#============= bacula_t ==============

#!!!! WARNING: 'home_root_t' is a base type.
allow bacula_t home_root_t:dir relabelto;
allow bacula_t samba_share_t:dir relabelto;
allow bacula_t samba_share_t:file relabelto;
allow bacula_t user_home_dir_t:dir relabelto;
allow bacula_t user_home_t:dir write;

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:dir relabelto;

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:file relabelto;
</pre></font><br>
I realized I was chasing my tail trying to generate a policy for
this.<br>
<br>
home_root_t is because I'm restoring a user's home directory and
bacula-fd has to create<br>
/bacula/bacula-restores/home. Also note that I've moved the
default restore location to<br>
/bacula/bacula-restores because my first attempt to /tmp filled it
up and the world stopped.<br>
<br>
It seems to me that bacula-fd should run unconfined so that it can
relabel the files it restores.<br>
Note, bacula-fd is different from its cousins bacula-dir and
bacula-sd because those two don't<br>
need access to everything.<br>
<br>
I thought of changing /usr/sbin/bacula-fd to unconfined_t but then
if bacula-fd is ever upgraded<br>
it will break again.<br>
<br>
What's the best way to handle this?<br>
<br>
Bill Shirley<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">--
selinux mailing list
<a class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
If it is running restorecon, it should probably just transition to
that domain, then you would not need these allow rules.<br>
<br>
seutil_domtrans_setfiles(bacula_t)<br>
<br>
Then you can remove all relabelto rules.<br>
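<br>
An added example, not part of either message above: a minimal policy module built around that interface, in place of the relabelto rules audit2allow produced. The module name my_bacula_fd_restorecon and the build commands in the trailing comments are assumptions, and they presume the selinux-policy-devel package is installed.<br>

```te
# Added example (not from the list thread): let bacula-fd run restorecon in
# the setfiles_t domain instead of granting bacula_t relabelto on every
# target type. Module name is a placeholder chosen for this example.
policy_module(my_bacula_fd_restorecon, 1.0)

require {
	type bacula_t;
}

# When bacula_t executes restorecon (labelled setfiles_exec_t), transition
# into setfiles_t. That domain carries the can_change_object_identity
# attribute, so the constraint that denied "bacula_t user_home_t:dir
# relabelto" (source user system_u vs. target user unconfined_u) is met
# there, and bacula_t itself needs no relabelto rules.
seutil_domtrans_setfiles(bacula_t)

# Build, load (as root), and confirm the transition is in the loaded policy
# (assumes the selinux-policy-devel Makefile path shown):
#   make -f /usr/share/selinux/devel/Makefile my_bacula_fd_restorecon.pp
#   semodule -i my_bacula_fd_restorecon.pp
#   sesearch -T -s bacula_t -t setfiles_exec_t
```

After loading, a restore that relabels under /bacula/bacula-restores should produce no relabelto AVCs for bacula_t; any that remain point at paths restorecon is not being run on.<br>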
</body>
</html>