What does if you switch the SELinux mode (which resets AVC cache)
# setenforce 1; setenforce 0
and then re-test it?
Could you also post full raw AVC?
Hi Miroslav,
Thanks for the pointer about resetting the cache, that helped.
After running the backup in permissive mode, I get the following:
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute } for pid=32056
comm="bacula-fd" name="su" dev="dm-0" ino=18110620
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.224:2373): avc: denied { execute_no_trans } for pid=32056
comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.343:2374): avc: denied { create } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2375): avc: denied { bind } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2376): avc: denied { compute_av } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1428538766.344:2377): avc: denied { create } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { nlmsg_relay } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc: denied { audit_write } for pid=32056
comm="su" capability=29 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=capability
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc: denied { passwd } for
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2383): avc: denied { setsched } for pid=32056
comm="su" scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:bacula_t:s0 tclass=process
type=AVC msg=audit(1428538766.345:2384): avc: denied { write } for pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428538766.345:2384): avc: denied { connectto } for pid=32056
comm="su" path="/run/dbus/system_bus_socket"
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager
member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
{ send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056
scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=AVC msg=audit(1428538766.393:2392): avc: denied { write } for pid=32056
comm="su" name="lastlog" dev="dm-0" ino=8572341
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute } for pid=32063
comm="bash" name="hostname" dev="dm-0" ino=16887470
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0
tclass=file
type=AVC msg=audit(1428538766.424:2394): avc: denied { execute_no_trans } for pid=32063
comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0
tclass=file
type=AVC msg=audit(1428538773.500:2395): avc: denied { write } for pid=32056
comm="su" name="system_bus_socket" dev="tmpfs" ino=14052
scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
which generates the following policy:
require {
type su_exec_t;
type system_dbusd_var_run_t;
type security_t;
type system_dbusd_t;
type systemd_logind_t;
type lastlog_t;
type hostname_exec_t;
type bacula_t;
class process setsched;
class unix_stream_socket connectto;
class dbus send_msg;
class capability audit_write;
class passwd passwd;
class netlink_selinux_socket { bind create };
class file { write execute execute_no_trans };
class netlink_audit_socket { nlmsg_relay create };
class sock_file write;
class security compute_av;
}
#============= bacula_t ==============
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;
And after loading this I get the following which was not present initially:
type=AVC msg=audit(1428539366.385:377): avc: denied { execute } for pid=2809
comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0
tclass=file
type=AVC msg=audit(1428539366.386:378): avc: denied { write } for pid=2808
comm="su" name="btmp" dev="dm-0" ino=9085718
scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0
tclass=file
So rebuilding from the new output yields:
require {
type system_dbusd_var_run_t;
type security_t;
type faillog_t;
type chkpwd_exec_t;
type systemd_logind_t;
type hostname_exec_t;
type bacula_t;
type su_exec_t;
type lastlog_t;
type system_dbusd_t;
class process setsched;
class unix_stream_socket connectto;
class dbus send_msg;
class capability audit_write;
class passwd passwd;
class netlink_selinux_socket { bind create };
class file { write execute execute_no_trans };
class netlink_audit_socket { nlmsg_relay create };
class sock_file write;
class security compute_av;
}
#============= bacula_t ==============
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;
Which adds:
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
However, after removing the old and loading this new policy I get another denial:
type=AVC msg=audit(1428540219.458:501): avc: denied { execute_no_trans } for pid=4309
comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0"
ino=25441120 scontext=system_u:system_r:bacula_t:s0
tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
Rerunning the backup yields this same avc, and audit2allow would suggest its permitted.
Thanks so much for assistance.
jlc