Hey Simone

Thank you for your input. I followed your instructions and I was able to fix (*some of) the SELinux <https://danwalsh.livejournal.com/24750.html> errors with "audit2allow" <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html>. Backup/restore seems to be working again. I will continue testing and see if I encounter any more problems.

Things were not as easy or as straightforward as you presented them, but after a lot of reading on SELinux and "audit2allow" <http://selinuxproject.org/page/Audit2allowRecipe> and countless trials and errors I was able to fix my backup/restore problems. For some reason most of the problems seem to be related to bacula-sd wanting to read, write, etc. on files and directories. I will continue to watch and update you.

Thanks Again


On 11/10/2014 09:45 AM, Simone Caronni wrote:
It's a difficult topic but it's very rewarding :)

My suggestion is, assuming you have the system in SELinux enforcing mode:

- Install "policycoreutils-python" for SELinux debugging tools
- Ask for relabeling of the system (fixfiles onboot) & reboot to let the actual relabel happen
- Stop Bacula daemons
- Clear files in /var/log/audit/
- Set system in permissive mode (setenforce 0)
- Start bacula and do whatever you need to test
- Launch "audit2allow -a" or look directly in "/var/log/audit/audit.log" for hints
- Fix what you need to fix and re-enable SELinux (setenforce 1)

Red Hat SELinux administration guides for RHEL 7/6:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html

Regards,
--Simone


On 10 November 2014 15:10, Humphrey Bryant <hbry...@fogadaley.com> wrote:

    Hey Simone,

    Thanks for the reply. Indeed you are right, it's not related to
    Bacula, but I was just trying to get some feedback from other users
    who might have experienced this issue.

    I don't really know where to start debugging SELINUX so I guess I
    have some reading to do. I will have a look at the Red Hat docs,
    but if you know any useful SELINUX links please email me some.
    Thanks much.

    Regards


    On 11/09/2014 04:27 AM, Simone Caronni wrote:

        Hello,

        you should do some debugging on the SELinux side, this is not
        related to Bacula. It is too complicated to explain by mail,
        Redhat docs are very good in this regard.

        On Fri, 2014-11-07 at 13:06 -0500, Humphrey Bryant wrote:

            I checked, rechecked and double-checked all permissions on
            my volumes/files and directories and everything was OK, but
            when I run the backups they still hang nonetheless. It was
            after I temporarily disabled SELINUX that backups started
            working again, so I am of the conclusion that SELINUX is at
            fault here.

            I need some help getting SELINUX to play nice with Bacula
            on CENTOS 6.6. Can anyone here help me out please? Can
            anyone help me create a policy or something? I don't want
            to upgrade my production server and have this same problem.

        First of all, you can try to relabel your filesystem in case
        you have some mislabeled file; as root do "fixfiles onboot" and
        reboot the system.

        Second, you can delete all files in "/var/log/audit/" and make
        the problem reappear, so you can debug the SELinux permission
        problems with "audit2allow -a" or by looking directly at a clean
        "/var/log/audit/audit.log" file.

        Then, it's worth saying that "/backup" is not a path that is
        part of SELinux labels. It is not a problem by itself (it should
        work anyway) but my suggestion is to use "/bacula/" as the path
        for your backups.

        # semanage fcontext -l | grep bacula
        /bacula(/.*)?                  all files     system_u:object_r:bacula_store_t:s0
        /etc/bacula.*                  all files     system_u:object_r:bacula_etc_t:s0
        /etc/rc\.d/init\.d/bacula.*    regular file  system_u:object_r:bacula_initrc_exec_t:s0
        /usr/sbin/bacula.*             regular file  system_u:object_r:bacula_exec_t:s0
        /usr/sbin/bat                  regular file  system_u:object_r:bacula_admin_exec_t:s0
        /usr/sbin/bconsole             regular file  system_u:object_r:bacula_admin_exec_t:s0
        /var/lib/bacula.*              all files     system_u:object_r:bacula_var_lib_t:s0
        /var/log/bacula.*              all files     system_u:object_r:bacula_log_t:s0
        /var/run/bacula.*              regular file  system_u:object_r:bacula_var_run_t:s0
        /var/spool/bacula.*            all files     system_u:object_r:bacula_spool_t:s0
        /var/spool/bacula/log(/.*)?    all files     system_u:object_r:var_log_t:s0

        Regards,
        --Simone



-- Best Regards
    Humphrey Bryant
    Information System Admin
    Foga Daley
    Attorneys-at-Law
    7 Stanton Terrace
    Kingston 6
    Tel - (876) 927-4371-5
    Fax - (876) 927-5081


    This E-mail contains information which is confidential and privileged.
    Unless you are the addressee (or authorised to receive for the
    addressee), you may not use, copy or disclose to anyone the message or
    information contained in it.  If you have received this e-mail in
    error,
    please destroy it and advise the sender.




--
You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).

http://xkcd.com/229/
http://negativo17.org/
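
Added example, not part of the thread: the "look directly in /var/log/audit/audit.log" step from the advice above, as a small Python parser that groups AVC denials for Bacula processes and separates targets that look unlabeled from rules to review. The log records, the `bacula_t` source type in them and the unlabeled-type heuristic are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1415630000.101:41): avc:  denied  { write } for  pid=2101 comm="bacula-sd" name="backup" dev=sda1 ino=131 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1415630000.102:42): avc:  denied  { read write } for  pid=2101 comm="bacula-sd" name="Vol-0001" dev=sda1 ino=132 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1415630000.103:43): avc:  denied  { write } for  pid=2101 comm="bacula-sd" name="backup" dev=sda1 ino=131 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1415630000.104:44): avc:  denied  { getattr } for  pid=2101 comm="bacula-sd" path="/var/spool/bacula/log" dev=sda1 ino=977 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1415630000.104:44): arch=c000003e syscall=4 success=no exit=-13 comm="bacula-sd"
"""

# A security context is user:role:type[:level]; only the type field is captured.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*'
    r'\s+tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+tclass=(?P<tclass>\w+)')

# Target types that usually mean the file never got a proper label
# (heuristic chosen for this example).
UNLABELED_TYPES = {"default_t", "file_t", "unlabeled_t"}

def summarize(log_text, comm_prefix="bacula"):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m["comm"].startswith(comm_prefix):
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def advise(rules):
    """One hint per group: relabel for unlabeled targets, else a rule to review."""
    hints = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_list = " ".join(sorted(perms))
        if ttype in UNLABELED_TYPES:
            hints.append(f"relabel: {tclass} objects typed {ttype} ({perm_list} denied to {stype})")
        else:
            hints.append(f"allow {stype} {ttype}:{tclass} {{ {perm_list} }};")
    return hints

if __name__ == "__main__":
    for hint in advise(summarize(SAMPLE_LOG)):
        print(hint)
```

Denials reported as relabel candidates point at the file labels rather than at missing policy, which is the situation the relabeling and "/bacula/" path advice in the thread addresses.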

