Ismael,
That is a strange problem. I would guess that the bacula packages installed
in fedora are not 'selinux aware' and aren't setting the correct contexts
for you.
I am running bacula 13.0.3 and 15.0.2 on multiple rocky linux 9.x based
machines. Rocky linux is based on RHEL (as I am sure you know). I didn't
have to do anything special for my setups involving selinux. I checked, and
there doesn't appear to be a special bacula-selinux package on the systems
running bacula 13.0.x or 15.0.2.
Where did you get your bacula FD package for fedora? My bacula is installed
from the bacula community repositories. Usually, the packages from the
system repositories are considerably older. I recommend using the bacula
community repositories.
Also, if you run a bacula daemon as root, you might make a big mess. It
will set the bacula PID files to be owned by root, and then when you try to
launch bacula as user bacula again, you will have additional problems
because the PID files will now have permissions that the bacula user can't
touch. The default location for these PID files is /opt/bacula/working, but
your install location may be different. There may be other files 'touched'
by bacula in the working directory that could have permissions changed. I'm
not sure. I just know I've read about others on this list running into that
problem, and I remember I did this very early on as a new bacula user.
To troubleshoot turning off selinux enforcement, the following commands
might be useful:
temporarily turn off selinux enforcement:
sudo setenforce 0 # set to 'permissive', or 'selinux-disabled' mode
turn selinux enforcement back on:
sudo setenforce 1 # set to 'enforcing' or 'selinux-enabled' mode
check the status of selinux enforcement
getenforce
overall, while you could troubleshoot and attempt to discover which selinux
contexts you need to set in order to make your FD work with Fedora with
selinux enforcing, I recommend you instead find out how to apply the bacula
packages that correctly configure selinux out of the box. As far as I can
tell, the bacula 13.0.x and 15.0.x packages seem to do this flawlessly.
Reminder that bacula-dir and bacula-sd must be the same version, and
bacula-fd can be the same version as dir/sd, or lower version.
Regards,
Robert Gerber
402-237-8692
r...@craeon.net
On Sun, May 11, 2025 at 10:01 AM Ismael Matos <iabma...@gmail.com> wrote:
> Hello everyone,
>
> I'm not a Linuix expert and need some help. I'm adding a new server to my
> little home LAN based on Ubuntu, with Bacula running without problems. I'm
> keeping all software packages on the most up-to-date versions.
>
> This new server is adding Fedora/SELinux (plus FreeIPA and QEMU/Libvirt/Virt
> Manager) to the mix.
>
> I've installed Bacula on this server and only enabled bacula-fd so far.
> I've added the new Client, FileSet and Job to the bacula-dir.conf.
>
> BUT I'm stumbling with lots of access violations even running bacula
> service as root.
>
> So, I'm after some suggestions or recommendations for the Bacula and
> SELinux configurations.
>
> Many thanks in advance.
>
> Cheers
>
> Ismael
>
> ---
> Here are some messages from the /var/log/audit/audit.log:
>
> type=AVC msg=audit(1746922631.355:1339): avc: denied { execute } for
> pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontex
> t=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0
> tclass=file permissive=0
> type=AVC msg=audit(1746922631.355:1340): avc: denied { execute } for
> pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontex
> t=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0
> tclass=file permissive=0
> type=AVC msg=audit(1746922631.360:1341): avc: denied { read } for
> pid=10118 comm="bacula-fd" name="net" dev="proc" ino=4026531845 sc
> ontext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
> type=AVC msg=audit(1746922631.465:1342): avc: denied { execute } for
> pid=10416 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 sco
> ntext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.466:1343): avc: denied { execute } for
> pid=10420 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 sco
> ntext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.466:1344): avc: denied { execute } for
> pid=10420 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 sco
> ntext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.466:1345): avc: denied { execute } for
> pid=10416 comm="cleanup" name="journalctl" dev="sda3" ino=11533
> 46 scontext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.466:1346): avc: denied { execute } for
> pid=10421 comm="cleanup" name="journalctl" dev="sda3" ino=11533
> 46 scontext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.466:1347): avc: denied { execute } for
> pid=10421 comm="cleanup" name="journalctl" dev="sda3" ino=11533
> 46 scontext=system_u:system_r:bacula_t:s0
> tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1746922631.468:1348): avc: denied { getattr } for
> pid=10422 comm="find" name="/" dev="tmpfs" ino=1 scontext=syste
> m_u:system_r:bacula_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
> tclass=filesystem permissive=0
>
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
