Hello,
Thank you.
I set it to enforcing and will make some tests today and write about the tests.
29.01.2018, 18:26, "Jörg Steffens" <[email protected]>:
On 29.01.2018 at 15:55, Sergey Tsabolov ( aka linuxman ) wrote:
Just for testing I disabled SELinux and ran a new backup job.
Before running the new job I set Exclude for some folders from the job in the fileset.
And now my LinuxConfig backup fileset looks like
-------------------------------------------------------------------------------------------------
FileSet {
  Name = "LinuxConfig"
  # include directory
  Include {
    Options {
      Signature = MD5
      Compression = LZ4
      Exclude = yes
      noatime = yes
    }
    File = /etc
  }
  #----------------------------------------------------------------------
  Exclude {
    File = /etc/pki
    File = /etc/lvm
    File = /etc/ntp
    File = /etc/grub.d
    File = /etc/selinux
    File = /webmin
  }
}
-------------------------------------------------------------------------------------------------
Now I do not get warnings and all messages are good.
And now we summarize:
When we back up something local like /etc on the server where bareos runs,
we need to set:
1) With selinux = disabled
Changing from
SELINUX=enforcing
to
SELINUX=permissive
is enough. This way, SELINUX is still active and logs accesses, but does
not enforce them.
semanage fcontext -l | grep bacula
/bacula(/.*)?                      all files     system_u:object_r:bacula_store_t:s0
/etc/bacula.*                      all files     system_u:object_r:bacula_etc_t:s0
/var/bacula(/.*)?                  all files     system_u:object_r:bacula_store_t:s0
/var/run/bacula.*                  regular file  system_u:object_r:bacula_var_run_t:s0
/var/lib/bacula.*                  all files     system_u:object_r:bacula_var_lib_t:s0
/var/log/bacula.*                  all files     system_u:object_r:bacula_log_t:s0
/usr/sbin/bacula.*                 regular file  system_u:object_r:bacula_exec_t:s0
/var/spool/bacula.*                all files     system_u:object_r:bacula_spool_t:s0
/var/spool/bacula/log(/.*)?        all files     system_u:object_r:var_log_t:s0
/etc/rc\.d/init\.d/bacula.*        regular file  system_u:object_r:bacula_initrc_exec_t:s0
/usr/sbin/bat                      regular file  system_u:object_r:bacula_admin_exec_t:s0
/usr/sbin/bconsole                 regular file  system_u:object_r:bacula_admin_exec_t:s0
This comes from the file:
/etc/selinux/targeted/contexts/files/file_contexts
But as far as I can see, it only allows bacula to run as SELINUX target.
However, it does not allow bacula (or bareos) to read all files.
Jörg Steffens [email protected]
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10
Registered office: Köln | Local court (Amtsgericht) Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
You received this message because you are subscribed to the Google Groups "bareos-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
For more options, visit https://groups.google.com/d/optout.
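
Added example, not part of the thread: a Python reading of the permissive-mode log described above, grouping AVC records for the file daemon into "logged only" (permissive=1) and "actually denied". The audit lines are constructed, and the process name bareos-fd, the bacula_t source context and the target types are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines, not taken from the thread. The process name,
# the bacula_t source context and the target types are assumptions.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1517241600.101:812): avc:  denied  { read open } for  pid=2214 comm="bareos-fd" name="shadow" dev="dm-0" ino=131201 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1517241600.230:813): avc:  denied  { getattr } for  pid=2214 comm="bareos-fd" path="/etc/pki" dev="dm-0" ino=131090 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1517241601.004:814): avc:  denied  { read } for  pid=977 comm="sshd" name="config" dev="dm-0" ino=131500 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1517328000.512:901): avc:  denied  { read } for  pid=3120 comm="bareos-fd" name="config" dev="dm-0" ino=131500 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def summarize(log_text, comm):
    """Group denials for one process name by (target type, object class).

    Returns (logged_only, denied): permissive=1 records were logged but the
    access went through; anything else (including records from older kernels
    that lack the field) is treated as enforced.
    """
    logged_only, denied = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('comm') != comm:
            continue
        target_type = rec['tcontext'].split(':')[2]
        bucket = logged_only if rec.get('permissive') == '1' else denied
        bucket[(target_type, rec['tclass'])].update(rec['perms'])
    return dict(logged_only), dict(denied)


if __name__ == '__main__':
    for label, group in zip(('logged only', 'denied'), summarize(SAMPLE_AUDIT_LOG, 'bareos-fd')):
        for (ttype, tclass), perms in sorted(group.items()):
            print(f'{label}: {tclass} {ttype} {{ {" ".join(sorted(perms))} }}')
```
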
