Cron Backup of my home blocked by SELinux

Ask Fedora Ask in English
1

I have a nice borgmatic script up and running that grabs all my worthy files (mainly from /etc and /home) and backs it up. Now I want to automate it with cron. Unfortunately SELinux does not agree on reading my home:

Feb 17 09:10:01 mw-lat5591 crond[1717]: ((null)) Unauthorized SELinux context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 file_context=unconfined_u:object_r:user_home_t:s0 (/etc/cron.d/borgmatic)

I see that system_cronjob_t is denied access to user_home_t, but… how to fix it?

1 Like
2

Does the issue persist if you replace the cron job with systemd timer and service?

See also: Automate backups with restic and systemd - Fedora Magazine

1 Like
3

Yes

10:34:29 mw-lat5591.local audit[1]: AVC avc:  
denied  { open } for  pid=1
 comm="systemd" 
 path="/etc/systemd/system/borgmatic.service" 
 dev="dm-1" 
 ino=3937733 
 scontext=system_u:system_r:init_t:s0
 tcontext=unconfined_u:object_r:user_home_t:s0
 tclass=file
 permissive=0
1 Like
4

Try to explicitly specify SELinuxContext= with some unconfined value.

If that doesn’t help, you can allow access with audit2allow.

2 Likes
5

installed SELinux Alert Browser and it gave me:

SELinux is preventing systemd from open access on the file 
/etc/systemd/system/borgmatic.timer.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/systemd/system/borgmatic.timer default label should be 
systemd_unit_file_t. Then you can run restorecon. The access
attempt may have been stopped due to insufficient permissions
to access a parent directory in which case try to change the 
following command accordingly.
Do
# /sbin/restorecon -v /etc/systemd/system/borgmatic.timer

I followed their recomendation:

/sbin/restorecon -v /etc/systemd/system/borgmatic.service
Relabeled /etc/systemd/system/borgmatic.service from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:systemd_unit_file_t:s0

and now it works

2 Likes
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.