Problem
DOCUMENTATION: Running NetBackup primary/media server with SELinux permissive/enforcing mode.
Solution
A default installation of NetBackup 8.x and later on RHEL is supported with SELinux enabled in either permissive or enforcing mode.
The NetBackup RPMs are installed under the default system SELinux context, and the major operations within NetBackup's own boundaries are expected to work without additional policy.
Most of the time NetBackup uses resources within the system context, but there are scenarios where a system process runs in an application-specific SELinux context, or vice versa, and SELinux denies the access. One example is logrotate, which handles the MSDP logs and needs to read <MSDP_HOME_DIR>/spws/etc/logrotate.conf. Rules for such cases have to be added to the policy that is currently enforced.
These rules may not cover every NetBackup workflow, and more rules may be needed over time. This document also describes how to add rules on the go.
Procedure
- Before running NetBackup in enforcing mode, apply the two modules below (the required rules and the suggested, nonfatal rules).
- Obtain the following target context types from your own host and substitute them for the placeholders in the rules files given in the rules sections below. Read the label from the actual path with ls -Z rather than assuming the example value; a directory created elsewhere carries a different type.
- INSTALL_DIR_TYPE – required at install time while nbcheck is running. In the following example the value is user_tmp_t.
ls -lartZ /tmp/nbu/linuxR_x86/catalog/anb/nbcheck
-r-xr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 .
- MSDP_STORAGE_SERVER_DIR_TYPE – required if an MSDP storage server is to be created. In the following example the storage server path is /home/msdp, so the value is home_root_t.
ls -lartZ /home/msdp
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 .
- Procedure to load the module (run as root; checkmodule comes from the checkpolicy package, semodule_package and semodule from policycoreutils):
- Copy the rules into a file <file>.te
- checkmodule -M -m -o <file>.mod <file>.te
- semodule_package -o <file>.pp -m <file>.mod
- semodule -i <file>.pp
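The placeholder lookup and the build/load sequence above, put together as one POSIX sh script. This is an added example and not part of the Veritas article: it reads the two types from the live labels of the example paths, fills them into a .te template and then runs the same checkmodule / semodule_package / semodule steps. The template body is a constructed stand-in that shows only a require block; the article's own allow rules are not reproduced in it.

```shell
#!/bin/sh
# Added example, not from the Veritas article: read the two placeholder types
# (INSTALL_DIR_TYPE, MSDP_STORAGE_SERVER_DIR_TYPE) from the live labels on
# this host, fill them into a nbu.te template, then compile and load it with
# the checkmodule / semodule_package / semodule sequence from the procedure.
# The template body below is a constructed stand-in for the article's rules.
set -eu

# The third colon-separated field of a context such as
# "unconfined_u:object_r:user_tmp_t:s0" is the SELinux type.
# -s makes cut print nothing for input without a delimiter (e.g. "?").
selinux_type_of_context() {
    printf '%s\n' "$1" | cut -d: -s -f3
}

# Type of an existing path. stat's %C prints the security context on
# SELinux-enabled coreutils; elsewhere it prints "?" or fails, which
# yields an empty string here.
selinux_type_of_path() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=""
    selinux_type_of_context "$ctx"
}

# Substitute the placeholders in a .te template read from stdin.
# $1 = value for INSTALL_DIR_TYPE, $2 = value for MSDP_STORAGE_SERVER_DIR_TYPE.
fill_te_template() {
    sed -e "s/INSTALL_DIR_TYPE/$1/g" -e "s/MSDP_STORAGE_SERVER_DIR_TYPE/$2/g"
}

# The article's three-step build and load; needs root plus the checkpolicy
# and policycoreutils packages. Takes the module name without extension.
build_and_load_module() {
    checkmodule -M -m -o "$1.mod" "$1.te"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

# Constructed template: only the require block is shown; the article's allow
# rules belong after it. The placeholder names are the ones the article uses.
NBU_TE_TEMPLATE='module nbu 1.0;
require {
    type INSTALL_DIR_TYPE;
    type MSDP_STORAGE_SERVER_DIR_TYPE;
    class file { read getattr };
}
# ... allow rules from the article follow here ...'

# Paths are the article's example paths; adjust to the real install and
# MSDP storage server paths on your host.
main() {
    install_type=$(selinux_type_of_path /tmp/nbu/linuxR_x86/catalog/anb/nbcheck)
    msdp_type=$(selinux_type_of_path /home/msdp)
    if [ -z "$install_type" ] || [ -z "$msdp_type" ]; then
        echo "could not read SELinux labels; check the paths and that SELinux is enabled" >&2
        exit 1
    fi
    printf '%s\n' "$NBU_TE_TEMPLATE" | fill_te_template "$install_type" "$msdp_type" > nbu.te
    if [ "$(id -u)" -eq 0 ] && command -v checkmodule >/dev/null 2>&1; then
        build_and_load_module nbu
    else
        echo "wrote nbu.te; run 'build_and_load_module nbu' as root on the SELinux host" >&2
    fi
}

# Runs only when invoked as: sh nbu_selinux.sh run
if [ "${1:-}" = run ]; then main; fi
```

Failing hard when a label cannot be read is deliberate: silently falling back to the article's example values would compile a module that names the wrong types and leaves the real denials in place.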
Prerequisite
The host is running in enforcing mode and system-specific denials have already been taken care of.
Required rules
These rules are required once. Copy the following into nbu.te, then compile and apply the module as described in the steps above.
module nbu 1.0;
require {
    # Required for telemetry and par-tmp directory creation
    # type of the pdde logrotate.conf file to be replaced.
Suggested rules
The above rules ensure that basic NetBackup functioning works without warnings/denials. Depending on your configuration, you may see additional warnings/denials.
To get rid of some of those denials/warnings, apply the rules below as appropriate for your configuration.
Copy the following into nbunonfatal.te, then compile and apply the module as described in the steps above.
module nbunonfatal 1.0;
require {
    # wherever automount is done (e.g. nfs share).
    # at installation time nbcheck
    # Correcting labeling for the MSDP log file.
allow groupadd_t initrc_var_log_t:file read;
Procedure to add more rules
During NetBackup operations, SELinux audits/denials may arise that have to be taken care of on the go.
- Switch SELinux to permissive mode (setenforce 0 takes effect immediately without a restart; setting SELINUX=permissive in /etc/selinux/config and rebooting makes it persistent) and perform the operation that caused the denial.
- Collect the denials into a file nbu_mod.txt (for example with ausearch -m AVC -ts recent, or grep denied /var/log/audit/audit.log) and run audit2allow -m nbu_mod < nbu_mod.txt > nbu_mod.te. Review every allow rule in the generated file before loading it: audit2allow grants exactly what was denied, so a denial caused by misconfiguration or unwanted activity becomes a permanent hole in the policy if it is loaded unreviewed.
- Compile nbu_mod.te into an SELinux module and load it with the procedure described above.
- Switch SELinux back to enforcing mode (setenforce 1, and restore /etc/selinux/config if it was changed) and try the operation again.
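The review step in the procedure above, as an added POSIX sh example that is not part of the Veritas article. It summarizes the AVC records in a collected denial file into one "source_type target_type class permissions" line per distinct denial, refuses to run audit2allow if any denial targets a type a log-rotation or backup process should never touch, and otherwise generates nbu_mod.te exactly as the procedure does. The audit records embedded below are constructed for the example; the comm, path and type values in them are hypothetical and not taken from a real NetBackup host, and the sensitive-type list is illustrative.

```shell
#!/bin/sh
# Added example, not from the Veritas article: triage AVC denials before
# handing them to audit2allow, so that the module you load grants only what
# NetBackup actually needs. The audit records below are constructed for the
# example; the comm, path and type values in them are hypothetical.
set -eu

# Constructed stand-in for the lines collected into nbu_mod.txt.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="logrotate" name="logrotate.conf" dev="dm-0" ino=99 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.456:457): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/home/msdp/spws/etc/logrotate.conf" dev="dm-0" ino=99 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.789:458): avc:  denied  { write } for  pid=2222 comm="sh" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1'

# One "source_type target_type class permissions" line per distinct denial,
# read from stdin. This is what audit2allow will turn into allow rules.
summarize_avc() {
    grep 'avc: *denied' \
    | sed -e 's/.*denied *{ *\([^}]*[^ }]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/' \
    | sort -u
}

# Denials against target types a backup or log-rotation process has no
# business touching. The list is illustrative; extend it for your host.
flag_sensitive() {
    grep -E ' (shadow_t|passwd_file_t|security_t|selinux_config_t) ' || true
}

# Build nbu_mod.te from a collected denial file exactly as the article does,
# but only after the summary has been reviewed. Needs policycoreutils.
generate_te() {
    audit2allow -m nbu_mod < "$1" > nbu_mod.te
}

main() {
    # On a live host collect with: ausearch -m AVC -ts recent > nbu_mod.txt
    printf '%s\n' "$SAMPLE_AUDIT" > nbu_mod.txt
    echo "denials audit2allow would allow:"
    summarize_avc < nbu_mod.txt
    bad=$(summarize_avc < nbu_mod.txt | flag_sensitive)
    if [ -n "$bad" ]; then
        echo "refusing to generate a module; investigate these first:" >&2
        echo "$bad" >&2
        exit 1
    fi
    if command -v audit2allow >/dev/null 2>&1; then
        generate_te nbu_mod.txt
        echo "wrote nbu_mod.te; compile and load it with the procedure above"
    fi
}

# Runs only when invoked as: sh nbu_triage.sh run
if [ "${1:-}" = run ]; then main; fi
```

With the constructed input the script stops before calling audit2allow, because the third record shows the logrotate domain writing to shadow_t; that is the kind of denial the procedure's review step exists to catch, and it should be traced back to its cause rather than allowed.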