RHEL-21168

SELinux prevents bacula-fd from execute (access check) on /usr/bin/docker file [rhel-9]

    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 14
    • 1
    • QE ack
    • False
    • No
    • SELINUX 241106 - 241127
    • The bacula-fd service does not trigger any SELinux denials when started on a machine where the docker program is installed.
    • Automated
    • Unspecified Release Note Type - Unknown
    • x86_64

      What were you trying to do that didn't work?

      The SELinux denial appeared twice during the run of the following automated test on a machine where the podman-docker package was installed:

      • /CoreOS/selinux-policy/Regression/bacula-daemons-and-similar

      Please provide the package NVR for which the bug is seen:

      bacula-client-11.0.1-5.el9.x86_64
      bacula-common-11.0.1-5.el9.x86_64
      bacula-libs-11.0.1-5.el9.x86_64
      containers-common-1-55.el9.x86_64
      container-selinux-2.221.0-1.el9.noarch
      selinux-policy-38.1.23-1.el9.noarch
      selinux-policy-targeted-38.1.23-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-9.3 machine (targeted policy is active)
      2. install the bacula-client and podman-docker packages
      3. start the bacula-fd service
      4. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
      type=PROCTITLE msg=audit(01/10/2024 03:52:00.173:679) : proctitle=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf -u root -g root 
      type=PATH msg=audit(01/10/2024 03:52:00.173:679) : item=0 name=/usr/bin/docker inode=5509673 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(01/10/2024 03:52:00.173:679) : cwd=/ 
      type=SYSCALL msg=audit(01/10/2024 03:52:00.173:679) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fd6f23f613e a1=X_OK a2=0x55dc6187a900 a3=0x7fd6f23e02f0 items=1 ppid=1 pid=84104 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bacula-fd exe=/usr/sbin/bacula-fd subj=system_u:system_r:bacula_t:s0 key=(null) 
      type=AVC msg=audit(01/10/2024 03:52:00.173:679) : avc:  denied  { execute } for  pid=84104 comm=bacula-fd name=docker dev="vda1" ino=5509673 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0 
      ----
      

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
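
An added example, not part of the original report or of any Red Hat tooling: it groups `ausearch -i` style records by audit serial and flags AVC denials raised by an access(2)-style permission check, which is the case reported here (`syscall=access a1=X_OK`). The function names, the `PROBE_SYSCALLS` set and the trimmed sample records are assumptions of this example.

```python
import re
from collections import defaultdict

# Records abbreviated from the report above (ausearch -i format); fields trimmed for width.
SAMPLE = """\
type=PATH msg=audit(01/10/2024 03:52:00.173:679) : item=0 name=/usr/bin/docker obj=system_u:object_r:container_runtime_exec_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(01/10/2024 03:52:00.173:679) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a1=X_OK items=1 comm=bacula-fd exe=/usr/sbin/bacula-fd subj=system_u:system_r:bacula_t:s0
type=AVC msg=audit(01/10/2024 03:52:00.173:679) : avc:  denied  { execute } for  pid=84104 comm=bacula-fd name=docker scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:container_runtime_exec_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\}")
PROBE_SYSCALLS = {"access", "faccessat", "faccessat2"}  # test permissions, execute nothing


def group_events(text):
    """Group records by audit serial so AVC, SYSCALL and PATH of one event line up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[serial][rtype] = dict(fields, _body=body)  # last record of a type wins
    return events


def triage(text):
    """Return one summary per denied AVC, flagging access(2)-style permission probes."""
    out = []
    for serial, recs in group_events(text).items():
        avc = recs.get("AVC")
        m = DENIED.search(avc["_body"]) if avc else None
        if not m:
            continue
        sc = recs.get("SYSCALL", {})
        out.append({
            "serial": serial,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": m.group(1).split(),
            "path": recs.get("PATH", {}).get("name"),
            "syscall": sc.get("syscall"),
            "access_check": sc.get("syscall") in PROBE_SYSCALLS,
        })
    return out
```

Calling `triage(SAMPLE)` yields one row for serial 679 with `access_check` set, which separates a permission probe on `/usr/bin/docker` from a denied `execve`.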