Bacula and SElinux denying access when writing to non-standard location

 bacula, selinux, server  Add comments
Feb 102016
 

4x_NvidiaGTX780 GPU

I’ve got Centos 7 based Bacula installation with storage daemon writing to file volumes located on ZFS filesystem. Chown’ing filesystem to user bacula was not enough, SElinux being SElinux didn’t particularly like bacula writing to location chosen by me (/tank/backup) as it expects Bacula to write to /bacula by default.

Lets identify available Bacula contexts and re-label /tank/backup accordingly

# semanage fcontext -l | grep bacula
 /bacula(/.*)? all files system_u:object_r:bacula_store_t:s0
 /etc/bacula.* all files system_u:object_r:bacula_etc_t:s0
 /var/bacula(/.*)? all files system_u:object_r:bacula_store_t:s0
 /var/lib/bacula.* all files system_u:object_r:bacula_var_lib_t:s0
 /var/log/bacula.* all files system_u:object_r:bacula_log_t:s0
 /var/run/bacula.* regular file system_u:object_r:bacula_var_run_t:s0
 /usr/sbin/bacula.* regular file system_u:object_r:bacula_exec_t:s0
 /var/spool/bacula.* all files system_u:object_r:bacula_spool_t:s0
 /var/spool/bacula/log(/.*)? all files system_u:object_r:var_log_t:s0
 /etc/rc\.d/init\.d/bacula.* regular file system_u:object_r:bacula_initrc_exec_t:s0
 /usr/sbin/bat regular file system_u:object_r:bacula_admin_exec_t:s0
 /usr/sbin/bconsole regular file system_u:object_r:bacula_admin_exec_t:s0

Ahh OK, so it’s called “system_u:object_r:bacula_store_t:s0” – lets apply it

chcon system_u:object_r:bacula_store_t:s0 /tank/backup
semanage fcontext -a -t bacula_store_t "/tank/backup(/.*)?"
restorecon -R -v /tank/backup

Same will work if your Centos 7 client will refuse to restore data to /bacula-restores, with message in server log:

26-Sep 14:40 death-star JobId 24822: Error: mkpath.c:138 Cannot create directory /bacula-restores/backup: ERR=Permission denied

and message in client log:

type=AVC msg=audit(1474897201.721:307): avc:  denied  { write } for  pid=26477 comm="bacula-fd" name="bacula-restores" dev="vda1" ino=159551617 scontext=system_u:system_r:bacula_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

Simply run:

chcon system_u:object_r:bacula_store_t:s0 /bacula-restores
semanage fcontext -a -t bacula_store_t "/bacula-restores(/.*)?"
restorecon -R -v /bacula-restores
ls -lZ /

and now your restore job will run just fine. Magic.

  7 Responses to “Bacula and SElinux denying access when writing to non-standard location”

  1. Helvio Pichamone says:
    17th August 2016 at 3:15 pm

    Fantastic! Thank you. SELINUX context is lost in a new bacula install, if you plan to keep using old data on the storage. So the steps above re-label it and saved the day!

    Reply
  2. fufufighter says:
    18th August 2017 at 12:19 pm

    Awesome, spent half a day trying to figure this out until I got to trying new keywords in google and landed here.

    Problem solved 5 minutes later, you have my thanks!

    Plus, it got me to understand what SELinux is.

    Reply
  3. chris says:
    27th December 2017 at 4:05 am

    it helped me a lote

    Reply
  4. L F says:
    8th March 2018 at 11:08 pm

    This was extremely helpful to me also. Thank you!

    Reply
  5. refaesme says:
    10th June 2019 at 3:55 pm

    Me salvo la vida !!! Gracias

    Reply
  6. XLR says:
    21st September 2021 at 3:38 pm

    You’re my hero ! Thanks, I have lost 2 hours, and without you maybe more !

    Reply

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

This site uses Akismet to reduce spam. Learn how your comment data is processed.