Hi Rob,

I've just followed your suggestion to suspend SELinux and that helped a lot:

              sudo setenforce 0   # set to 'permissive', or 'selinux-disabled' mode

Bacula-fd service is now working fine and I've managed to get regular
backups from the new server.  I'm busy installing all the packages I need
and getting everything working. Later I'll try to enable SELinux and fix the
access violations.

Many thanks,

Ismael


On Sun, 11 May 2025 at 16:22, Rob Gerber <r...@craeon.net> wrote:

> Because you ran a bacula service as root, and to help you correct issues
> caused by that:
>
> Here is one of my /opt/bacula/working folders, to help you find your
> folder on fedora.
> You can troubleshoot permissions issues with the files in the working
> directory this way.
>
> [root@td-bacula ~]# ls -lah /opt/bacula/working/  | grep -v mail
> total 172K
> drwxrwx---+  2 root   bacula 4.0K May 11 11:11 .
> drwxrwxr-x+ 10 root   root    108 Nov 18 12:54 ..
> -rw-r-----.  1 bacula bacula 2.2K May 10 23:59 bacula-dir.9101.state
> -rw-r-----.  1 root   bacula 2.2K May  9 20:06 bacula-fd.9102.state
> -rw-r-----.  1 bacula bacula      7 May  9 16:24 bacula-sd.9103.pid
> -rw-r-----.  1 bacula bacula   2.2K May 10 00:11 bacula-sd.9103.state
> -rw-------.  1 bacula bacula  370 Apr  9 08:12 .bconsole_history
> -rw-r-----.  1 bacula bacula    117 Feb 27 11:06 key-manager.log
> -rw-------.  1 bacula bacula   20 Feb 24 11:19 .lesshst
> -rw-rwx---+  1 bacula bacula 9.9K May 11 10:24 td-bacula-dir.conmsg
> -rw-------.  1 bacula bacula 8.3K May  4 15:53 .viminfo
>
> I think if you do this command you should definitely locate the correct
> folder for your system.
> sudo find / -type f | grep bacula-fd.9102.state
>
> If that doesn't work, change the filename 'bacula-fd.9102.state' to match
> one of the other filenames on the list.
>
> Check the permissions in your working folder, wherever it is, and make
> them match what you see here, especially for .state and .pid files.
>
> Regards,
> Robert Gerber
> 402-237-8692
> r...@craeon.net
>
>
> On Sun, May 11, 2025 at 11:05 AM Rob Gerber <r...@craeon.net> wrote:
>
>> Ismael,
>>
>> That is a strange problem. I would guess that the bacula packages
>> installed in fedora are not 'selinux aware' and aren't setting the correct
>> contexts for you.
>>
>> I am running bacula 13.0.3 and 15.0.2 on multiple rocky linux 9.x based
>> machines. Rocky linux is based on RHEL (as I am sure you know). I didn't
>> have to do anything special for my setups involving selinux. I checked, and
>> there doesn't appear to be a special bacula-selinux package on the systems
>> running bacula 13.0.x or 15.0.2.
>>
>> Where did you get your bacula FD package for fedora? My bacula is
>> installed from the bacula community repositories. Usually, the packages
>> from the system repositories are considerably older. I recommend using the
>> bacula community repositories.
>>
>> Also, if you run a bacula daemon as root, you might make a big mess. It
>> will set the bacula PID files to be owned by root, and then when you try to
>> launch bacula as user bacula again, you will have additional problems
>> because the PID files will now have permissions that the bacula user can't
>> touch. The default location for these PID files is /opt/bacula/working, but
>> your install location may be different. There may be other files 'touched'
>> by bacula in the working directory that could have permissions changed. I'm
>> not sure. I just know I've read about others on this list running into that
>> problem, and I remember I did this very early on as a new bacula user.
>>
>> To troubleshoot turning off selinux enforcement, the following commands
>> might be useful:
>>
>> temporarily turn off selinux enforcement:
>> sudo setenforce 0   # set to 'permissive', or 'selinux-disabled' mode
>>
>> turn selinux enforcement back on:
>> sudo setenforce 1   # set to 'enforcing' or 'selinux-enabled' mode
>>
>> check the status of selinux enforcement
>> getenforce
>>
>> overall, while you could troubleshoot and attempt to discover which
>> selinux contexts you need to set in order to make your FD work with Fedora
>> with selinux enforcing, I recommend you instead find out how to apply the
>> bacula packages that correctly configure selinux out of the box. As far as
>> I can tell, the bacula 13.0.x and 15.0.x packages seem to do this
>> flawlessly.
>>
>> Reminder that bacula-dir and bacula-sd must be the same version, and
>> bacula-fd can be the same version as dir/sd, or lower version.
>>
>>
>> Regards,
>> Robert Gerber
>> 402-237-8692
>> r...@craeon.net
>>
>>
>> On Sun, May 11, 2025 at 10:01 AM Ismael Matos <iabma...@gmail.com> wrote:
>>
>>> Hello everyone,
>>>
>>> I'm not a Linux expert and need some help. I'm adding a new server to
>>> my little home LAN based on Ubuntu, with Bacula running without problems.
>>> I'm keeping all software packages on the most up-to-date versions.
>>>
>>> This new server is adding Fedora/SELinux (plus FreeIPA and QEMU/Libvirt/Virt
>>> Manager) to the mix.
>>>
>>> I've installed Bacula on this server and only enabled bacula-fd so far.
>>> I've added the new Client, FileSet and Job to the bacula-dir.conf.
>>>
>>> BUT I'm stumbling with lots of access violations even running bacula
>>> service as root.
>>>
>>> So, I'm after some suggestions or recommendations for the Bacula and
>>> SELinux configurations.
>>>
>>> Many thanks in advance.
>>>
>>> Cheers
>>>
>>> Ismael
>>>
>>> ---
>>> Here are some messages from the /var/log/audit/audit.log:
>>>
>>> type=AVC msg=audit(1746922631.355:1339): avc:  denied  { execute } for  pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.355:1340): avc:  denied  { execute } for  pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.360:1341): avc:  denied  { read } for  pid=10118 comm="bacula-fd" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
>>> type=AVC msg=audit(1746922631.465:1342): avc:  denied  { execute } for  pid=10416 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.466:1343): avc:  denied  { execute } for  pid=10420 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.466:1344): avc:  denied  { execute } for  pid=10420 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.466:1345): avc:  denied  { execute } for  pid=10416 comm="cleanup" name="journalctl" dev="sda3" ino=1153346 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.466:1346): avc:  denied  { execute } for  pid=10421 comm="cleanup" name="journalctl" dev="sda3" ino=1153346 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.466:1347): avc:  denied  { execute } for  pid=10421 comm="cleanup" name="journalctl" dev="sda3" ino=1153346 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
>>> type=AVC msg=audit(1746922631.468:1348): avc:  denied  { getattr } for  pid=10422 comm="find" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
>>>
>>> _______________________________________________
>>> Bacula-users mailing list
>>> Bacula-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>>>
>>
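
An added example, not part of the original thread: a small Python parser that groups the AVC denials quoted in the first message by source type, target type and object class, so the repeated records collapse into the handful of distinct accesses that `bacula_t` was refused. The function names are hypothetical; the sample input is five records from the audit.log excerpt above with the mail client's line wrapping undone.

```python
import re
from collections import defaultdict

# Five records from the audit.log excerpt in the thread, line wrapping undone.
SAMPLE = """\
type=AVC msg=audit(1746922631.355:1339): avc:  denied  { execute } for  pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1746922631.355:1340): avc:  denied  { execute } for  pid=10412 comm="sh" name="virsh" dev="sda3" ino=1247631 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1746922631.360:1341): avc:  denied  { read } for  pid=10118 comm="bacula-fd" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1746922631.465:1342): avc:  denied  { execute } for  pid=10416 comm="cleanup" name="dnf5" dev="sda3" ino=1158689 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1746922631.468:1348): avc:  denied  { getattr } for  pid=10422 comm="find" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "comm": set(), "name": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        entry = summary[key]
        entry["perms"].update(rec["perms"])
        entry["comm"].add(rec["comm"])
        entry["name"].add(rec.get("name", ""))
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{{' '.join(sorted(e['perms']))}}} "
              f"x{e['count']} comm={sorted(e['comm'])} name={sorted(e['name'])}")
```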