Bacula run scripts with LVM and SElinux

Support for security such as Firewalls and securing linux
Post Reply
curaasan
Posts: 3
Joined: 2018/10/07 20:02:30

Bacula run scripts with LVM and SElinux

Post by curaasan » 2018/10/07 20:36:39

Hi there

I have a problem using Bacula run scripts (run before and after job)
The bacula's server tries to backup a CentOS client with LVM volumes.
During backup Bacula runs (on the client side) a script which takes LVM snapshots of backuping volumes.
On the client side SElinux is switched to enforcing and setroubleshoot and setroubleshoot-server are installed.
I've already managed with all the SElinux access issues, now there is no SElinux information during backup in /var/log/messages

The issue is that I got in the SERVER's bacula.log:

Code: Select all

07-oct 21:55 client-fd JobId 18770: ClientBeforeJob:   /run/lock/lvm: setfscreatecon failed: Permission denied
07-oct 21:55 client-fd JobId 18770: ClientBeforeJob:   SELinux context reset: setfscreatecon failed: Permission denied
The server has SElinux disabled.

It seems to me that SElinux doesn't like the run context of bacula (bacula_t) mixed with context od /run/lock/lvm (lvm_t)
I don't know how to solve this issue.

Client :

Code: Select all

[root]# uname -a
Linux client 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[root]# rpm -qa | grep bacula
bacula-common-5.2.13-23.1.el7.x86_64
bacula-libs-5.2.13-23.1.el7.x86_64
bacula-client-5.2.13-23.1.el7.x86_64

[root]# rpm -qa | grep selinux
selinux-policy-3.13.1-192.el7_5.6.noarch
selinux-policy-targeted-3.13.1-192.el7_5.6.noarch

User avatar
TrevorH
Forum Moderator
Posts: 23906
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bacula run scripts with LVM and SElinux

Post by TrevorH » 2018/10/08 00:05:08

Try disabling the dontaudit rules on the client by running semodule -DB, recreate the problem, run semodule -B to re-enable the dontaudit rules then go look at the audit log again. Oh, and do it all in permissive mode too to make sure you catch all of the audit log entries in one go so run setenforce 0 as well as semodule -DB.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

curaasan
Posts: 3
Joined: 2018/10/07 20:02:30

Re: Bacula run scripts with LVM and SElinux

Post by curaasan » 2018/10/08 07:21:31

Thanks! You helped :-)
Could you please explain me why it doesn't show anything about it in audit log before I execute semodule -DB? Moreover I got plenty of audit messages at the very begging - after using your advice it only catch one specific message complaing about lvm. I don't get it :-/

User avatar
TrevorH
Forum Moderator
Posts: 23906
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Bacula run scripts with LVM and SElinux

Post by TrevorH » 2018/10/08 07:31:13

There are many selinux denials that don't really affect anything in normal operation and rather than flood the logs with them, they are "dontaudit"ed which stops them from being logged.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

curaasan
Posts: 3
Joined: 2018/10/07 20:02:30

Re: Bacula run scripts with LVM and SElinux

Post by curaasan » 2018/10/08 07:38:31

Thanks once again! I have to write it down and stick to my monitor :-)

Post Reply