On Sunday 2016-11-06 21:45:00 Tim Dunphy wrote:
> hey guys,
>
> Running into an issue with SELinux on my bacula server.
>
> With selinux turned on, I can't write to the backup directory.
>
> This is what I get when I try:
>
> [root@ops:~] #getenforce
> Enforcing
>
> Connecting to Storage daemon File at ops.example.com:9103 ...
> Sending label command for Volume "jf-backup-tape-0002" Slot 0 ...
> 3910 Unable to open device ""FileStorage" (/backup/tapes)":
> ERR=file_dev.c:172 Could not
> open(/backup/tapes/jf-backup-tape-0002,CREATE_READ_WRITE,0640):
> ERR=Permission denied
>
> Label command failed for Volume jf-backup-tape-0002.
> Do not forget to mount the drive!!!
>
> With selinux turned off it's no problem:
>
> [root@ops:~] #getenforce
> Permissive
>
> Connecting to Storage daemon File at ops.example.com:9103 ...
> Sending label command for Volume "jf-backup-tape-0002" Slot 0 ...
> 3000 OK label. VolBytes=208 DVD=0 Volume="jf-backup-tape-0002"
> Device="FileStorage" (/backup/tapes)
> Catalog record for Volume "jf-backup-tape-0002", Slot 0 successfully
> created.
> Requesting to mount FileStorage ...
> 3001 OK mount requested. Device="FileStorage" (/backup/tapes)
> You have messages.
>
> I tried running these commands to leave SELinux on in order to get
> backups working properly:
>
> semanage fcontext -a -t bacula_var_run_t '/backup/tapes(/.*)?'
>
> restorecon -R -v /backup/tapes
>
> However that made no difference. Still can't write to the directory
> after running those commands.
>
> Any thoughts?
>
> Thanks,
> Tim
Hi Tim!

Sorry for not replying to you with a concrete solution, but this is more of an SELinux problem than a Bacula problem. One solution would be to properly configure the backup directory for SELinux to allow Bacula to write there, but for that you will have to study SELinux, which is highly recommended anyway since you have decided to keep using SELinux.

I stopped using SELinux a long time ago, so I don't remember the names of the commands any more, but there is another way of fixing it. You should find the exact problem in the logs inside the /var/log directory. You can then feed those logs to an SELinux-related command which will come up with a module that can then be compiled and loaded into the system (this is an SELinux module, not a kernel module).

But let me bring up something to think about. It is usually (actually in all cases) imperative to use a dedicated server for the backup service. That means that you probably have a dedicated server that runs only Bacula (if not, try to change that as soon as possible). In that case the only thing that needs to listen for connections on the server is the Bacula storage daemon, and it doesn't have to run as root (I would recommend that you configure it to run as an unprivileged user, which is good practice for all network services whenever possible). That means that the Bacula storage daemon should only be able to write to the backup directory, and you don't need SELinux to ensure that. The good old system of Unix permissions will take care of it. Thus, in case of a breach through the Bacula storage daemon, the damage will be limited to the backup directory and its content. If you use SELinux you wouldn't achieve much more than that, and you would also lose your backup data to the attacker. In any case I would recommend dumping SELinux completely if possible.
Most system administrators tend to disable SELinux immediately after the Linux installation, as it is proven to be unstable, unreliable, too complex to maintain, brings unneeded overhead, is a constant source of trouble and server nurturing, and of course the fact that it was written by the NSA doesn't help either. If you really need the level of security SELinux claims to provide, then look for the alternatives, which are better in all regards but unfortunately aren't available on many systems by default.

--
Josip Deanovic

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
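The log-driven procedure sketched in the reply above, written out as an added example (this is not code from the thread, from Josip, or from the Bacula project). It assumes a RHEL/CentOS-style targeted policy in which bacula-sd runs in the bacula_t domain, and it assumes that the policy's own type for backup volumes is bacula_store_t; check that on your host with `semanage fcontext -l | grep bacula` before relabelling. The audit record it parses is constructed for the example, in the format /var/log/audit/audit.log uses. The point of reading the denial first is the four fields it carries (permission, source type, target type, class): they tell you whether the directory merely has a type the daemon may not write, which is fixed by relabelling, or whether the loaded policy is missing a rule, which is what audit2allow is for.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bacula project.
# Assumes a RHEL/CentOS-style targeted policy where bacula-sd runs in the
# bacula_t domain and the policy's type for backup volumes is bacula_store_t
# (an assumption to verify: semanage fcontext -l | grep bacula).
# MODE=--apply runs the privileged commands; anything else just prints them.
MODE=${MODE:-dry-run}

run() {
    if [ "$MODE" = "--apply" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Constructed sample record in /var/log/audit/audit.log format (not a real
# line from the thread): bacula-sd denied write on a dir of the wrong type.
SAMPLE_AVC='type=AVC msg=audit(1478468700.123:456): avc:  denied  { write } for  pid=2201 comm="bacula-sd" name="tapes" dev="dm-0" ino=1234 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:bacula_var_run_t:s0 tclass=dir permissive=0'

# avc_summary: reduce AVC records on stdin to "<perms> <source type>
# <target type> <class>", the four fields that decide which fix applies.
avc_summary() {
    grep 'avc:  denied' | sed -E \
        's/.*denied  \{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]+).*/\1 \2 \3 \4/'
}

# triage_sample: on a real host you would run
#   ausearch -m AVC -c bacula-sd | avc_summary
# here the same filter is applied to the constructed record.
triage_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
}

# label_volumes: when the target type is not one bacula_t may write, relabel
# the directory to a type it may write instead of widening the policy.
# semanage stores the rule persistently, so a later full relabel keeps it.
label_volumes() {
    dir=${1:-/backup/tapes}
    run semanage fcontext -a -t bacula_store_t "${dir}(/.*)?"
    run restorecon -R -v "$dir"
    # Verify: the context column should now end in bacula_store_t:s0.
    run ls -dZ "$dir"
}

# build_local_module: only if denials persist after relabelling, turn exactly
# those denials into a local policy module rather than disabling SELinux.
# Read the generated .te before loading it; it should name bacula_t only.
build_local_module() {
    run sh -c 'ausearch -m AVC -c bacula-sd | audit2allow -M bacula_sd_local'
    run cat bacula_sd_local.te
    run semodule -i bacula_sd_local.pp
}

# Stand-alone run: triage the sample, then show (or apply) the relabel.
triage_sample
label_volumes /backup/tapes
```

Run it as-is to see the triage line and the commands it would execute; run it as root with `MODE=--apply` to relabel for real. For the constructed record the summary reads `write bacula_t bacula_var_run_t dir`, which is the relabelling case: the directory carries a runtime-files type, not a type the storage daemon's domain is allowed to write volumes into, so a module generated straight from that denial would grant bacula_t write access to the wrong type rather than fix the label.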