search for: bacula_t

...ng avc denied for specified services. Until today, I've configured successfully httpd, smbd. Today I've noticed that my bacula system does not work due to selinux denied because when bacula try to run pre/post job script I get access denied due to differences about context. Bacula is on bacula_t and in pre script I call commands in other context like: systemd_systemctl_exec_t ... (and other) Reading from RHEL DOC (SELinux Guide) I can accomplish to remove denied access using audit2allow and creating TE rules. I've runned: grep systemctl /var/log/audit/audit.log | audit2allow -M p...

I am trying to update some local policies for bacula that allow a series of clients with pre run scripts to su in order to perform some preparatory work for a backup. With selinux enforcing, the su is denied obviously execute as bacula_t tries su_exec_t. You only see this with enforcing enabled? So creating an initial policy for that (this is not the way to do this) allows one more avc to appear for execute_no_ as bacula_t tries su_exec_t again. The problem is once these are enabled with local policies they seem to be ignored pro...

...omplains it cannot access the changer: 3301 Issuing autochanger "loaded? drive 0" command. 3991 Bad autochanger "loaded? drive 0" command: ERR=Child exited with code 1. Results=cannot open SCSI device '/dev/changer' - Permission denied SELinux is denying source context bacula_t from accessing target context tape_device_t. I took a look at the various SELinux boolean values but see none that applies. Has anyone else observed this symptom since upgrading? Is there a fix other than building a local policy by going through the "ausearch | audit2allow" iteration...

On 07/05/2016 08:21 AM, Alessandro Baggi wrote: > What are the meaning of rules on pol.te https://wiki.centos.org/HowTos/SELinux The CentOS howto has some information, and links to additional resources. The policy should be pretty easy to read, though. You have one rule, "allow bacula_t systemd_systemctl_exec_t:file execute." Each word in that rule, except for "allow" is defined somewhere, and has to be loaded, so they are each individually loaded in the "require" block. > and why bacula can't do transiction between context? The easiest way t...