bacula-fd and relabelto

Daniel J Walsh dwalsh at redhat.com
Mon Aug 24 10:58:11 UTC 2015



On 08/23/2015 07:53 AM, Bill shirley wrote:
> After recently upgrading my server to Fedora 22, I ran a bacula
> restore which generated a
> whole bunch of AVCs.  I created a policy and ran another restore which
> generated more
> AVCs.  After looking at the new audit2allow output:
> module my_bacula-fd.more 1.0;
>
> require {
>         type user_home_dir_t;
>         type home_root_t;
>         type user_home_t;
>         type samba_share_t;
>         type bacula_t;
>         class file relabelto;
>         class dir { write relabelto };
> }
>
> #============= bacula_t ==============
>
> #!!!! WARNING: 'home_root_t' is a base type.
> allow bacula_t home_root_t:dir relabelto;
> allow bacula_t samba_share_t:dir relabelto;
> allow bacula_t samba_share_t:file relabelto;
> allow bacula_t user_home_dir_t:dir relabelto;
> allow bacula_t user_home_t:dir write;
>
> #!!!! This avc is a constraint violation.  You would need to modify
> the attributes of either the source or target types to allow this access.
> #Constraint rule:
> #       constrain dir { create relabelfrom relabelto } ((u1 == u2
> -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
>
> #       Possible cause is the source user (system_u) and target user
> (unconfined_u) are different.
> allow bacula_t user_home_t:dir relabelto;
>
> #!!!! This avc is a constraint violation.  You would need to modify
> the attributes of either the source or target types to allow this access.
> #Constraint rule:
> #       constrain file { create relabelfrom relabelto } ((u1 == u2
> -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
>
> #       Possible cause is the source user (system_u) and target user
> (unconfined_u) are different.
> allow bacula_t user_home_t:file relabelto;
>
> I realized I was chasing my tail trying to generate a policy for this.
>
> home_root_t is because I'm restoring a user's home directory and
> bacula-fd has to create
> /bacula/bacula-restores/home.  Also note that I've moved the default
> restore location to
> /bacula/bacula-restores because my first attempt to /tmp filled it up
> and the world stopped.
>
> It seems to me that bacula-fd should run unconfined so that it can
> relabel the files it restores.
> Note, bacula-fd is different than its cousins bacula-dir and bacula-sd
> because those two don't
> need access to everything.
>
> I thought of changing /usr/sbin/bacula-fd to unconfined_t but then if
> bacula-fd is ever upgraded
> it will break again.
>
> What's the best way to handle this?
>
> Bill Shirley
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
If it is running restorecon, it should probably just transition to that
domain, then you would not need these allow rules.

seutil_domtrans_setfiles(bacula_t)

Then you can remove all relabelto rules.
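As an added example (not part of Dan's reply or of Bill's audit2allow module), a minimal policy module that implements the suggested transition; the module name my_bacula_fd is assumed:

```te
# my_bacula_fd.te -- added example, not from the thread; module name assumed.
# Implements the suggestion above: when bacula-fd (bacula_t) execs
# restorecon/setfiles, transition it to setfiles_t instead of granting
# bacula_t its own relabelto permissions. This only helps if bacula-fd
# really does exec restorecon to fix labels, as the reply assumes.
policy_module(my_bacula_fd, 1.0)

gen_require(`
    type bacula_t;
')

# Domain transition bacula_t -> setfiles_t on executing setfiles_exec_t
# (the label on /usr/sbin/setfiles and /usr/sbin/restorecon). The
# constraint violations on user_home_t go away because the relabel is
# then done by setfiles_t, which carries the can_change_object_identity
# attribute that the constraint checks for.
seutil_domtrans_setfiles(bacula_t)

# None of the relabelto rules from the audit2allow output are needed
# once the transition is in place, so they are deliberately omitted.
```

Build and install with `make -f /usr/share/selinux/devel/Makefile my_bacula_fd.pp && semodule -i my_bacula_fd.pp` (needs selinux-policy-devel), then re-run the restore and check `ausearch -m avc -ts recent` for anything left over.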