MarkSh1
(Mark Sh1)
August 22, 2025, 11:59am
1
To solve the problem with SELinux, I suggest moving backup_agent to the “/usr/bin” folder. What do you think?
opened 12:18PM - 22 Jan 20 UTC
After installing Foundation Db server on a system with SELinux enabled, backup agents can not create trace files. The errors in the system journals are:
```
Jan 22 14:44:27 fdbs fdbmonitor[1736]: LogGroup="default" Process="backup_agent.1": ERROR: could not create trace log file `/var/log/foundationdb/trace.127.0.0.1.1737.1579693462.7sC>
```
Setting selinux policy to Permissive eliminates these errors but there are still a lot of messages of illegal access attempts:
```
Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:24 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:24 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:25 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:25 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:57:26 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:26 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:58:01 fdbs audit[43435]: AVC avc: denied { name_connect } for pid=43435 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=1
Jan 22 14:58:01 fdbs audit[43435]: AVC avc: denied { create } for pid=43435 comm="backup_agent" name="trace.127.0.0.1.43435.1579694281.ZKAKOV.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
```
The reason is that /usr/lib/foundationdb/backup_agent/backup_agent resides under /usr/lib and has the wrong security type, lib_t instead of bin_t:
```
[root@fdbs ~]# ls -Z /usr/lib/foundationdb/backup_agent/backup_agent
system_u:object_r:lib_t:s0 /usr/lib/foundationdb/backup_agent/backup_agent
```
The solution may be placing backup_agent into a directory with executables (e.g. /usr/sbin, like fdbserver) or implicitly changing its security context after installation:
```
chcon system_u:object_r:bin_t:s0 /usr/lib/foundationdb/backup_agent/backup_agent
systemctl restart foundationdb
```
Then backup_agent can create trace files.
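As an added example, not code from the issue or from the FoundationDB project: a small POSIX shell helper that collapses runs of AVC denial lines like the ones quoted above into one row per distinct (comm, permission, scontext, tcontext, tclass), plus a second helper that, given the label `ls -Z` shows for the agent binary, emits a persistent relabel with `semanage fcontext` and `restorecon` rather than a bare `chcon`, which the next filesystem relabel would undo. The function names `summarize_avc` and `expected_fix` are my own, and the sample lines are constructed from the quoted ones.

```shell
#!/bin/sh
# Added example, not from the issue or the FoundationDB project.
# Sample AVC lines constructed from the ones quoted in the issue.
AVC_SAMPLE='Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { create } for pid=1737 comm="backup_agent" name="trace.127.0.0.1.1737.1579693462.7sCRr8.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Jan 22 14:57:23 fdbs audit[1737]: AVC avc: denied { name_connect } for pid=1737 comm="backup_agent" dest=4500 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ipsecnat_port_t:s0 tclass=tcp_socket permissive=0
Jan 22 14:58:01 fdbs audit[43435]: AVC avc: denied { create } for pid=43435 comm="backup_agent" name="trace.127.0.0.1.43435.1579694281.ZKAKOV.0.1.xml" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1'

# summarize_avc: read journal/audit text on stdin and print one row per distinct
# (comm, permission, scontext, tcontext, tclass) with its count, so a long run of
# repeated denials collapses to the few distinct accesses that are actually missing.
summarize_avc() {
  awk '/AVC avc: denied/ {
    perm = ""; comm = ""; sc = ""; tc = ""; cls = ""
    # the permission is printed as "{ create }" or "{ name_connect }"
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
      else if (kv[1] == "scontext") sc = kv[2]
      else if (kv[1] == "tcontext") tc = kv[2]
      else if (kv[1] == "tclass") cls = kv[2]
    }
    n[comm " " perm " " sc " " tc " " cls]++
  }
  END { for (k in n) print n[k], k }' | sort -k2
}

# expected_fix CONTEXT PATH: CONTEXT is the label `ls -Z` shows for the binary.
# If its type is not bin_t, print the commands that relabel it persistently:
# semanage records the mapping in the local policy so restorecon (and a full
# relabel) reproduces it, whereas a plain chcon is lost on the next relabel.
expected_fix() {
  ctx="$1"; path="$2"
  type=$(printf '%s' "$ctx" | cut -d: -f3)
  [ "$type" = "bin_t" ] && return 0
  printf 'semanage fcontext -a -t bin_t %s\n' "$path"
  printf 'restorecon -v %s\n' "$path"
}

# Stand-alone demo on the constructed sample and on the label from the issue.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
expected_fix system_u:object_r:lib_t:s0 /usr/lib/foundationdb/backup_agent/backup_agent
```

On a live host, feed `journalctl -k` or `ausearch -m avc` output into `summarize_avc` instead of the sample; after relabelling, the init_t denials against var_log_t should stop appearing.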
saintstack
(Michael Stack)
August 22, 2025, 3:23pm
2
Sounds good to me (currently it’s in /usr/lib/foundationdb/backup_agent/backup_agent). Would be interested if this will cause anyone grief.
MarkSh1
(Mark Sh1)
September 10, 2025, 10:08am
3
It should be noted that if CI foundationdb automatic update is configured, then after installing a new version of foundationdb, the path to backup_agent in foundationdb.conf will not be replaced and the log with the startup error will grow indefinitely.