On 29.01.2018 at 15:55 wrote Sergey Tsabolov ( aka linuxman ):
> For only test I disabled the selinux and run new backup job.
> Before run new job I set Exclude some folders from Job in filset.
> And not my LinuxConfig backup fileset look like
> -------------------------------------------------------------------------------------------------
> FileSet {
> Name = "LinuxConfig"
> # include directory
> Include {
> Options {
> Signature = MD5
> Compression = LZ4
> Exclude = yes
> noatime = yes
> }
> File = /etc
> }
> #----------------------------------------------------------------------
> Exclude {
> File = /etc/pki
> File = /etc/lvm
> File = /etc/ntp
> File = /etc/grub.d
> File = /etc/selinux
> File = /webmin
> }
> }
>
> -------------------------------------------------------------------------------------------------
> No not get warnings and all messages good.
>
> And now we summarize :
> When we have backup local something like /etc on server when bareos run
> we need set :
> 1) With selinux = disabled
Chageing from
SELINUX=enforcing
to
SELINUX=permissive
is enough. This way, SELINUX is still active and logs accesses, but does
not enforce them.
>> semanage fcontext -l | grep bacula
>>
>> /bacula(/.*)? all files
>> system_u:object_r:bacula_store_t:s0
>> /etc/bacula.* all files
>> system_u:object_r:bacula_etc_t:s0
>> /var/bacula(/.*)? all files
>> system_u:object_r:bacula_store_t:s0
>> /var/run/bacula.* regular file
>> system_u:object_r:bacula_var_run_t:s0
>> /var/lib/bacula.* all files
>> system_u:object_r:bacula_var_lib_t:s0
>> /var/log/bacula.* all files
>> system_u:object_r:bacula_log_t:s0
>> /usr/sbin/bacula.* regular file
>> system_u:object_r:bacula_exec_t:s0
>> /var/spool/bacula.* all files
>> system_u:object_r:bacula_spool_t:s0
>> /var/spool/bacula/log(/.*)? all files
>> system_u:object_r:var_log_t:s0
>> /etc/rc\.d/init\.d/bacula.* regular file
>> system_u:object_r:bacula_initrc_exec_t:s0
>> /usr/sbin/bat regular file
>> system_u:object_r:bacula_admin_exec_t:s0
>> /usr/sbin/bconsole regular file
>> system_u:object_r:bacula_admin_exec_t:s0
This comes from the file:
/etc/selinux/targeted/contexts/files/file_contexts
But as far, as I can see it only allows bacula to run as SELINUX target.
However, it does not allow bacula (or bareos) to read all files.
--
Jörg Steffens [email protected]
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10
Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
Komplementär: Bareos Verwaltungs-GmbH
Geschäftsführer:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
--
You received this message because you are subscribed to the Google Groups
"bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
For more options, visit https://groups.google.com/d/optout.
