bacula-fd and relabelto
Bill shirley
bill at bigcdrugs.biz
Sun Aug 23 11:53:42 UTC 2015
After recently upgrading my server to Fedora 22, I ran a bacula restore which generated a
whole bunch of AVCs. I created a policy and ran another restore which generated more
AVCs. After looking at the new audit2allow output:
module my_bacula-fd.more 1.0;
require {
type user_home_dir_t;
type home_root_t;
type user_home_t;
type samba_share_t;
type bacula_t;
class file relabelto;
class dir { write relabelto };
}
#============= bacula_t ==============
#!!!! WARNING: 'home_root_t' is a base type.
allow bacula_t home_root_t:dir relabelto;
allow bacula_t samba_share_t:dir relabelto;
allow bacula_t samba_share_t:file relabelto;
allow bacula_t user_home_dir_t:dir relabelto;
allow bacula_t user_home_t:dir write;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow
this access.
#Constraint rule:
# constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) );
Constraint DENIED
# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:dir relabelto;
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow
this access.
#Constraint rule:
# constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) );
Constraint DENIED
# Possible cause is the source user (system_u) and target user (unconfined_u) are different.
allow bacula_t user_home_t:file relabelto;
I realized I was chasing my tail trying to generate a policy for this.
home_root_t is because I'm restoring a user's home directory and bacula-fd has to create
/bacula/bacula-restores/home. Also note that I've moved the default restore location to
/bacula/bacula-restores because my first attempt to /tmp filled it up and the world stopped.
It seems to me that bacula-fd should run unconfined to that it can relabel the files it restores.
Note, bacula-fd is different that its cousins bacula-dir and bacula-sd because those two don't
need access to everything.
I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if bacula-fd is ever upgraded
it will break again.
What's the best way to handle this?
Bill Shirley
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20150823/ffe899bf/attachment.html>
More information about the selinux
mailing list