bacula-fd and relabelto

Bill shirley bill at bigcdrugs.biz
Sun Aug 23 11:53:42 UTC 2015 

After recently upgrading my server to Fedora 22, I ran a bacula restore which generated a
whole bunch of AVCs.  I created a policy and ran another restore which generated more
AVCs.  After looking at the new audit2allow output:
module my_bacula-fd.more 1.0;

require {
         type user_home_dir_t;
         type home_root_t;
         type user_home_t;
         type samba_share_t;
         type bacula_t;
         class file relabelto;
         class dir { write relabelto };
}

#============= bacula_t ==============

#!!!! WARNING: 'home_root_t' is a base type.
allow bacula_t home_root_t:dir relabelto;
allow bacula_t samba_share_t:dir relabelto;
allow bacula_t samba_share_t:file relabelto;
allow bacula_t user_home_dir_t:dir relabelto;
allow bacula_t user_home_t:dir write;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow 
this access.
#Constraint rule:
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); 
Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:dir relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow 
this access.
#Constraint rule:
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); 
Constraint DENIED

#       Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:file relabelto;

I realized I was chasing my tail trying to generate a policy for this.

home_root_t is because I'm restoring a user's home directory and bacula-fd has to create
/bacula/bacula-restores/home.  Also note that I've moved the default restore location to
/bacula/bacula-restores because my first attempt to /tmp filled it up and the world stopped.

It seems to me that bacula-fd should run unconfined to that it can relabel the files it restores.
Note, bacula-fd is different that its cousins bacula-dir and bacula-sd because those two don't
need access to everything.

I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if bacula-fd is ever upgraded
it will break again.

What's the best way to handle this?

Bill Shirley

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20150823/ffe899bf/attachment.html>

More information about the selinux mailing list