Bacula run scripts with LVM and SELinux

Posted: 2018/10/07 20:36:39
by curaasan
Hi there

I have a problem using Bacula run scripts (run before and after job).
The Bacula server tries to back up a CentOS client with LVM volumes.
During backup Bacula runs (on the client side) a script which takes LVM snapshots of the volumes being backed up.
On the client side SELinux is set to enforcing, and setroubleshoot and setroubleshoot-server are installed.
I've already dealt with all the SELinux access issues; now there is no SELinux information in /var/log/messages during backup.

The issue is that I got this in the SERVER's bacula.log:

Code:

07-oct 21:55 client-fd JobId 18770: ClientBeforeJob:   /run/lock/lvm: setfscreatecon failed: Permission denied
07-oct 21:55 client-fd JobId 18770: ClientBeforeJob:   SELinux context reset: setfscreatecon failed: Permission denied

The server has SELinux disabled.

It seems to me that SELinux doesn't like the run context of Bacula (bacula_t) mixed with the context of /run/lock/lvm (lvm_t).
I don't know how to solve this issue.

Client:

Code:

[root]# uname -a
Linux client 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[root]# rpm -qa | grep bacula
bacula-common-5.2.13-23.1.el7.x86_64
bacula-libs-5.2.13-23.1.el7.x86_64
bacula-client-5.2.13-23.1.el7.x86_64

[root]# rpm -qa | grep selinux
selinux-policy-3.13.1-192.el7_5.6.noarch
selinux-policy-targeted-3.13.1-192.el7_5.6.noarch

Re: Bacula run scripts with LVM and SELinux

Posted: 2018/10/08 00:05:08
by TrevorH
Try disabling the dontaudit rules on the client by running semodule -DB, recreate the problem, run semodule -B to re-enable the dontaudit rules, then go look at the audit log again. Oh, and do it all in permissive mode too to make sure you catch all of the audit log entries in one go, so run setenforce 0 as well as semodule -DB.

Re: Bacula run scripts with LVM and SELinux

Posted: 2018/10/08 07:21:31
by curaasan
Thanks! You helped :-)
Could you please explain to me why it doesn't show anything about it in the audit log before I execute semodule -DB? Moreover, I got plenty of audit messages at the very beginning - after using your advice it only caught one specific message complaining about lvm. I don't get it :-/

Re: Bacula run scripts with LVM and SELinux

Posted: 2018/10/08 07:31:13
by TrevorH
There are many SELinux denials that don't really affect anything in normal operation and rather than flood the logs with them, they are "dontaudit"ed, which stops them from being logged.
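
The comparison that the semodule -DB procedure above sets up, as an added example that is not part of the thread: it parses AVC records from an audit log captured normally and from one captured with dontaudit rules disabled, then lists the denials that only became visible in the second capture, optionally filtered to one source domain such as bacula_t. The log records below, including the lvm_lock_t target and the setfscreate denial, are constructed samples and not output from the poster's system.

```python
import re
from collections import Counter

# Matches the fields of an SELinux AVC denial record as written to audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denials(log_text, source_type=None):
    """Count AVC denials as (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = selinux_type(m.group("scontext"))
        if source_type and src != source_type:
            continue
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            counts[(src, tgt, m.group("tclass"), perm)] += 1
    return counts

def hidden_by_dontaudit(normal_log, dontaudit_off_log, source_type=None):
    """Denials that show up only while dontaudit rules are disabled."""
    before = denials(normal_log, source_type)
    after = denials(dontaudit_off_log, source_type)
    return sorted(k for k in after if k not in before)

# Constructed sample records (not taken from the thread).
NORMAL_RUN = """\
type=AVC msg=audit(1538942100.101:410): avc:  denied  { read } for  pid=2210 comm="lvcreate" name="lvm" dev="tmpfs" ino=9001 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=dir permissive=0
"""
DONTAUDIT_OFF_RUN = NORMAL_RUN + """\
type=AVC msg=audit(1538949300.202:512): avc:  denied  { setfscreate } for  pid=2301 comm="lvcreate" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=process permissive=1
type=AVC msg=audit(1538949300.305:513): avc:  denied  { noatsecure rlimitinh siginh } for  pid=2302 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process permissive=1
"""

if __name__ == "__main__":
    for src, tgt, cls, perm in hidden_by_dontaudit(NORMAL_RUN, DONTAUDIT_OFF_RUN, "bacula_t"):
        print(f"{src} -> {tgt} : {cls} {{ {perm} }}")
```

Filtering on the source domain is what separates the one denial relevant to the backup script from the unrelated records that appear system-wide once dontaudit rules are off.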

Re: Bacula run scripts with LVM and SELinux

Posted: 2018/10/08 07:38:31
by curaasan
Thanks once again! I have to write it down and stick it to my monitor :-)