SELinux is awesome

So last week, I was thinking of creating a systemd timer, that triggers a service, that runs a script, that takes backup of the whole system, using rsync and emails me a quick 2 line summary.

Alright. That was intentional.

Some perspective: the HDD I’m running the system from has had a BAD X written on it with a black marker, as it’s an old HDD of mine that had some bad blocks which were impacting performance quite a bit, but it now works great (after some Linux magic), so I want to keep everything backed up, as frequently as possible, just in case.

This is today’s result, for example, sent to my gmail address.

The hostname is relevant

I had this thing pretty much figured out in my mind, from start to finish.

backup script syntax:

Zoom & Enhance, to see the full syntax

systemd.unit structure:

systemd.timer structure:

permissions (rwx) and all the other dependencies.

who needs the h…

I reach home and I start writing everything. Since I was using rsync, a basic service and a basic timer, this was quick work.

I gave the script a shot and, as expected, it backs up my whole system to another partition on the same drive and emails me the results.

I create the service and timer and I give them a shot too. My usual practice is to run something simple at first, like an echo, or just a quick email. Everything works as expected.

So now, it was time to put everything together and enable the timer. I do that and I am surprised to see that I’m getting a Permission denied error on the rsync operations.

mmm what?

Now, every bit of information attached to the service, except the script, is owned by root. I know this may be bad practice in some circles, but this is one of my home lab test servers, so I can afford to be careless.

After checking a few logs, looking again and again at permissions, and [successfully] testing the same solution on a few Debian servers, I finally figured out what the problem is.

I was on Fedora. Fedora comes with SELinux enabled (setenforce 1).

Because I rarely work on non-Debian systems, I was so used to not thinking beyond regular file permissions and attributes that I completely forgot about SELinux.

Anyway, turns out that:

  1. The service was not labeled correctly; fixed by a simple “chcon --reference /etc/systemd/system/{somegoodknownworking.service,backup.service}”
  2. Rsync was being told to “talk to the hand” by SELinux when not being run outside a user session; fixed by setting the correct boolean (setsebool -P rsync_full_access 1)

So what was the lesson I learned?

ls -laZ + chcon (or restorecon in most cases) + setsebool

Yup. That simple.
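
The "checking a few logs" step above, as an added example that is not part of the original post: a shell function that condenses SELinux AVC denial records (the format written to /var/log/audit/audit.log) into one line per denied access, which is the quickest way to see that a "Permission denied" comes from policy rather than from rwx bits. The sample records are constructed, and the domain and file types in them are assumptions for illustration.

```shell
# Added example: summarise SELinux AVC denials read from stdin.
# Output: "<count> <comm> <source type> -> <target type> <class> {perms}"
avc_summary() {
  awk '
    /avc: +denied/ {
      comm = src = tgt = cls = perms = ""
      # Denied permissions sit between the braces: { read open }
      if (match($0, /\{ [^}]* \}/))
        perms = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        # Contexts are user:role:type:level; the type is what policy matches on
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      seen[comm " " src " -> " tgt " " cls " {" perms "}"]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from the post): three denials and one
# unrelated audit record that must be ignored.
SAMPLE_AUDIT='type=SERVICE_START msg=audit(1700000000.050:500): pid=1 uid=0 msg="unit=backup comm=systemd res=success"
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read open } for  pid=4242 comm="rsync" name="notes.txt" dev="sda3" ino=1101 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { read open } for  pid=4242 comm="rsync" name="todo.txt" dev="sda3" ino=1102 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { search } for  pid=4242 comm="rsync" name="root" dev="sda3" ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0'

# Print the summary for the sample when the file is run directly
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

On a live system the same function can be fed the output of `ausearch -m avc -ts recent`, run as root.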