On 5/1/2015 2:18 AM, Kern Sibbald wrote:
> Hello,
>
> Concerning SELinux: I tried running with SELinux for awhile quite a
> long time ago, and it turned out to be more painful than useful, so I
> turned it off. I had turned it on to learn it and to write Bacula
> policies, but never got that far.

I've had the same experience with it after more than one attempt. The crux of the issue is that a backup app like Bacula is anti-SELinux by nature, since it must have read/write access to every single file on the system. At least, that is the case for the client daemon. SELinux even blocks the root user. Even the Dir daemon has features unfriendly to SELinux, like RunScript, that are nevertheless important and essential capabilities.

IMHO, the real issue is that SELinux does not have its own errno values. Since it is another layer of access permissions, separate from filesystem permissions, an SELinux denial should never return EACCES, as that has always meant a filesystem permissions denial. If there were errno value(s) specific to SELinux, then apps could warn that "SELinux is preventing access to ...". Granted, SELinux has yet another API for checking SELinux access permissions, but it is far easier for apps to add an error message for a specific errno than to incorporate yet another API, so many devs do not bother. This leaves the user with insufficient feedback. Worse, the mapping to existing errno values is not always 1-to-1 and can cause an app's error reporting to actively mislead the user. This is what leads to an app reporting "file not found" when it should be reporting "file exists, but SELinux doesn't allow you to see it".

>
> That said: since Bacula is part of the RedHat release, it is very likely
> that they already have policies for Bacula that might work for you. If
> not, I know that they have policies (or had policies) for Amanda, and
> that might also be a good starting point as the needs of the programs
> are similar.
>
> If someone does have SELinux policies for Bacula, I would appreciate if
> you would contribute them to the community.
>
> Best regards,
> Kern

Fedora maintainer Simone Caronni frequents the bacula-users list and likely knows the answer to that.
>
> On 01.05.2015 04:40, Frank Sweetser wrote:
>> A full solution would be to write an selinux policy, either on your own
>> (search for Dan Walsh, he has some excellent selinux troubleshooting guides)
>> or by opening a bug report with RedHat. For a temporary solution, you can
>> briefly bypass selinux with the command
>>
>> setenforce 0
>>
>> This will let you run your restore.
>>
>> Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
>> Manager of Network Operations | is simple, elegant, and wrong.
>> Worcester Polytechnic Institute | - HL Mencken
>>
>> On 4/30/2015 6:25 PM, Craig Shiroma wrote:
>>> Hi Frank,
>>>
>>> Thank you very much for the info! Yes, this is a RHEL 6.6 box that I'm
>>> trying to restore to. After using Romeo's check, it seems selinux is
>>> blocking the restore.
>>>
>>> Is there a best practice for dealing with this situation?
>>>
>>> Thanks again,
>>> -craig
>>>
>>> On Thu, Apr 30, 2015 at 4:06 AM, Frank Sweetser <f...@wpi.edu> wrote:
>>>
>>> Is this a RedHat/CentOS box? They've recently made some changes to the
>>> selinux configuration around bacula which prevents it from taking pretty
>>> much any action other than backups, including running scripts or creating
>>> files.
>>>
>>> Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
>>> Manager of Network Operations | is simple, elegant, and wrong.
>>> Worcester Polytechnic Institute | - HL Mencken
>>>
>>> On 4/29/2015 9:01 PM, Craig Shiroma wrote:
>>> > Hello,
>>> >
>>> > I'm trying to restore a file to a different host's /tmp. I've selected
>>> > the target host by changing the value of Restore Client during the
>>> > restore process, selecting the desired target host to restore to from
>>> > the hosts list presented. However, when I attempt the restore, I get
>>> > the following error message:
>>> >
>>> > 2015-04-29 14:30:09<target_hostname> JobId 83765: Error: makepath.c:142 Cannot create directory /tmp/etc: ERR=Permission denied
>>> >
>>> > Any idea what could be causing the problem? Restoring to the source
>>> > host is no problem.
>>> >
>>> > Note: I replaced the actual hostname with "<target_hostname>" in the
>>> > above error message.
>>> >
>>> > Thanks in advance,
>>> >
>>> > -Craig
>>> >
>>> > _______________________________________________
>>> > Bacula-users mailing list
>>> > Bacula-users@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/bacula-users
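Added example, not part of the thread and not Bacula code: since an SELinux denial reaches the application as a plain EACCES, the evidence that separates it from a filesystem permission error is the AVC record in the audit log. The Python below correlates a failed operation with a nearby AVC denial and produces the kind of message the reply asks for; the log records, the `bacula_t` label, the timestamps and the function names are constructed for illustration.

```python
import re

# Constructed audit.log records for illustration (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1430353809.412:8812): avc:  denied  { create } for  pid=2941 comm="bacula-fd" name="etc" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1430353809.412:8812): arch=c000003e syscall=83 success=no exit=-13 pid=2941 comm="bacula-fd" exe="/usr/sbin/bacula-fd"
type=AVC msg=audit(1430353811.007:8813): avc:  denied  { read } for  pid=3102 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1430353900.250:8820): avc:  granted  { setenforce } for  pid=3200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only AVC *denials*; "granted" records and other record types are skipped.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Return one dict per AVC denial record found in audit.log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        rec["ts"] = float(m.group("ts"))
        denials.append(rec)
    return denials


def explain_eacces(log_text, comm, path, when, window=5.0):
    """Explain an EACCES on `path` if `comm` has an AVC denial within `window` seconds."""
    leaf = path.rstrip("/").rsplit("/", 1)[-1]  # AVC records carry only the leaf name
    for d in parse_denials(log_text):
        if (d.get("comm") == comm and d.get("name") == leaf
                and abs(d["ts"] - when) <= window):
            return ("SELinux is preventing %s from %s access on %s %s (%s -> %s)"
                    % (comm, ",".join(d["perms"]), d["tclass"], path,
                       d["scontext"], d["tcontext"]))
    return None  # no matching denial: check ordinary file permissions instead
```

On a real host the input would come from `/var/log/audit/audit.log`, and a `None` result points back to ordinary filesystem permissions.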