backup_agent fails to write logs if selinux is enabled
After installing FoundationDB server on a system with SELinux enabled, backup agents cannot create trace files. The errors in the system journal are:
Jan 22 14:44:27 fdbs fdbmonitor[1736]: LogGroup="default" Process="backup_agent.1": ERROR: could not create trace log file `/var/log/foundationdb/trace.127.0.0.1.1737.1579693462.7sC>
Setting the SELinux policy to Permissive eliminates these errors, but there are still a lot of messages about illegal access attempts:
Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:24 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:24 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:25 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:25 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:26 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:26 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:58:01 fdbs audit[43435]: AVC avc: denied { name_connect } for pid=43435 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1
Jan 22 14:58:01 fdbs audit[43435]: AVC avc: denied { create } for pid=43435 comm="backup_agent" name="trace.127.0.0.1.43435.1579694281.ZKAKOV.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
The reason is that /usr/lib/foundationdb/backup_agent/backup_agent resides under /usr/lib and has the wrong security type, lib_t instead of bin_t:
[root@fdbs ~]# ls -Z /usr/lib/foundationdb/backup_agent/backup_agent
system_u:object_r:lib_t:s0 /usr/lib/foundationdb/backup_agent/backup_agent
The solution may be placing backup_agent into a directory with executables (e.g. /usr/sbin, like fdbserver) or implicitly changing its security context after installation:
chcon system_u:object_r:bin_t:s0 /usr/lib/foundationdb/backup_agent/backup_agent
systemctl restart foundationdb
Then backup_agent can create trace files.
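As an added example, not part of this issue or of the FoundationDB project: a POSIX shell helper that pulls the denied permission and the source/target types out of AVC lines like the ones above, checks the type on the backup_agent binary, and makes the bin_t label persistent (a plain chcon is undone by the next restorecon or relabel). It assumes the targeted-policy type names shown above and that semanage from policycoreutils is installed.

```shell
#!/bin/sh
# Added example: diagnose and persistently fix the lib_t label on backup_agent.
# Assumes Fedora/RHEL targeted policy names (lib_t, bin_t) and the semanage tool.

AGENT=/usr/lib/foundationdb/backup_agent/backup_agent

# Third field of a context "user:role:type:level", e.g. lib_t from
# system_u:object_r:lib_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce one AVC line from the journal to "perm tclass source_type target_type",
# which is all that is needed to see what is denied and why.
avc_summary() {
    avc_line=$1
    perm=$(printf '%s\n' "$avc_line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    tclass=$(printf '%s\n' "$avc_line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    scon=$(printf '%s\n' "$avc_line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$avc_line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$tclass" "$(context_type "$scon")" "$(context_type "$tcon")"
}

# Return 0 when the file carries an executable type (bin_t), 1 otherwise.
# On a host without SELinux, ls -Z prints "?" and this reports a relabel is needed.
agent_label_ok() {
    ctx=$(ls -Z "$1" 2>/dev/null | awk '{print $1}')
    [ "$(context_type "$ctx")" = "bin_t" ]
}

# Record the label in the local policy so restorecon keeps it, then restart.
fix_agent_label() {
    semanage fcontext -a -t bin_t '/usr/lib/foundationdb/backup_agent(/.*)?' \
        && restorecon -Rv /usr/lib/foundationdb/backup_agent \
        && systemctl restart foundationdb
}

# Usage: sh fix_label.sh check   or   sh fix_label.sh fix (as root)
case "${1:-}" in
    check) if agent_label_ok "$AGENT"; then echo "ok: $AGENT is bin_t"; else echo "relabel needed"; fi ;;
    fix)   agent_label_ok "$AGENT" || fix_agent_label ;;
esac
```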
The backup_agent and dr_agent binary and symlink should probably go in /usr/sbin along with fdbserver, but fdbdr, fdbrestore, and fdbbackup should probably go in /usr/bin.
Symlinks to the new locations should remain at the old locations for a while though.