CR-2026-03-10 vault-backup SELinux Policy Module

Change Summary

Field             Value
Change ID         CR-2026-03-10-vault-backup-selinux
Requested By      Self (incident response)
Target Date       2026-03-10
Systems Affected  vault-01
Risk Level        Low (SELinux policy addition, easily reversible)
Rollback Time     < 1 minute
Change Window     Immediate (incident response)

Description

What

Install custom SELinux policy module vault-backup.pp to allow the rsync_t domain to execute SSH and access related files for Vault backup operations.

Why

  • vault-backup.service was failing due to SELinux denials

  • Backups to NAS not running since at least 2026-03-09

  • Required for automated Vault data protection

Impact

  • During change: None (policy addition, not modification)

  • After change: vault-backup.service can execute rsync over SSH

Pre-Change Checklist

Prerequisites

  • Backup completed (Vault data already on NAS from manual test)

  • Rollback procedure documented (semodule -r vault-backup)

  • Root cause identified (SELinux AVC denials)

  • Fix validated in permissive mode first

Current State Capture

# SELinux status
getenforce
# Output: Enforcing

# Service status
systemctl status vault-backup.service
# Output: failed (exit-code 14)

# Existing policy modules
semodule -l | grep vault
# Output: (none)

Metric                 Pre-Change Value
vault-backup.service   failed (exit-code 14)
SELinux mode           Enforcing
vault-backup module    Not installed
rsync_t permissive     No

Change Procedure

Phase 1: Capture Required Permissions

# Set rsync_t to permissive
sudo semanage permissive -a rsync_t

Expected: No output (success)

# Run service to generate all AVC denials
sudo systemctl start vault-backup.service

Expected: SUCCESS (denials for rsync_t are logged but not enforced while the domain is permissive)

Phase 2: Generate and Install Policy

# Generate policy module from denials
sudo ausearch -m avc --start today | grep rsync | audit2allow -M vault-backup

Expected: Creates vault-backup.te and vault-backup.pp

# Review policy
cat vault-backup.te

Expected: Shows allow rules for rsync_t only. Check every rule before installing: the source type of each rule must be rsync_t (grepping on "rsync" also matches other domains that touch rsync-related types), and the targets should be limited to SSH and the related files named in the Description; anything broader is a reason not to install the module.

# Install policy module
sudo semodule -i vault-backup.pp

Expected: No output (success)

Phase 3: Remove Permissive and Test

# Remove permissive mode
sudo semanage permissive -d rsync_t

Expected: Confirmation message

# Test in enforcing mode
sudo systemctl start vault-backup.service && systemctl status vault-backup.service

Expected: Active: inactive (dead) with status=0/SUCCESS
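As an added check for the Phase 2 review step (example script written for this CR, not an SELinux tool and not the module that was installed on vault-01; the risky-type and permission lists and the two sample .te files are constructed assumptions): it flags rules whose source domain is not rsync_t, rules against sensitive target types, and rules granting dangerous permissions, and returns the number of flagged rules so it can gate semodule -i.

```shell
#!/bin/sh
# Review gate for an audit2allow-generated .te file. Lists and samples are
# constructed assumptions (not the rules installed on vault-01).
set -eu

DOMAIN=${DOMAIN:-rsync_t}   # only source domain the module may mention
# Target types / permissions that need written justification (assumption).
RISKY_TYPES='unconfined_t|shadow_t|security_t|init_t|kernel_t|etc_t'
RISKY_PERMS='sys_admin|sys_ptrace|dac_override|dac_read_search|setuid|setgid|ptrace|transition|execmem|execmod|module_load'

# review_te FILE -> prints one FLAG line per suspicious allow rule, returns their count
review_te() {
    file=$1 count=0
    while IFS= read -r line; do
        set -f; set -- $line; set +f       # split into words, no globbing
        [ "${1:-}" = allow ] || continue   # skip module/require/comment lines
        src=$2; tgt=${3%%:*}
        # "allow S T:cls { p1 p2 };" -> "p1 p2"; "allow S T:cls p;" -> "p"
        perms=$(printf '%s\n' "$line" | sed 's/^[^:]*:[^ ]* //' | tr -d '{};')
        if [ "$src" != "$DOMAIN" ]; then
            echo "FLAG foreign-domain: $line"; count=$((count+1)); continue
        fi
        if printf '%s\n' "$tgt" | grep -Eq "^($RISKY_TYPES)\$"; then
            echo "FLAG sensitive-target: $line"; count=$((count+1)); continue
        fi
        for p in $perms; do
            if printf '%s\n' "$p" | grep -Eq "^($RISKY_PERMS)\$"; then
                echo "FLAG dangerous-perm ($p): $line"; count=$((count+1)); break
            fi
        done
    done <"$file"
    return "$count"
}
# Constructed samples: a module limited to rsync-over-ssh, and one with rules
# that must not reach semodule -i without review.
SAMPLES=$(mktemp -d)
cat >"$SAMPLES/clean.te" <<'EOF'
module vault-backup 1.0;
allow rsync_t ssh_exec_t:file { execute execute_no_trans open read };
allow rsync_t ssh_home_t:dir search;
allow rsync_t ssh_home_t:file { open read };
EOF
cat >"$SAMPLES/risky.te" <<'EOF'
allow rsync_t ssh_exec_t:file { execute open read };
allow rsync_t shadow_t:file read;
allow rsync_t self:capability dac_override;
allow sshd_t rsync_exec_t:file execute;
EOF
review_te "$SAMPLES/risky.te" || echo "$? rule(s) need justification before semodule -i"
```

Point it at the real file with `review_te vault-backup.te` after the `cat` step; a non-zero return means stop and justify or trim the flagged rules before `semodule -i`.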

Post-Change Validation

Functionality Tests

  • vault-backup.service completes successfully - Result: PASS

  • Backup file created on NAS - Result: PASS

  • Timer scheduled for next run - Result: PASS (02:29 UTC)

  • No new SELinux denials - Result: PASS

State Comparison

Metric                 Pre-Change              Post-Change
vault-backup.service   failed (exit-code 14)   SUCCESS (exit-code 0)
SELinux mode           Enforcing               Enforcing (unchanged)
vault-backup module    Not installed           Installed
rsync_t permissive     No                      No (removed after capture)

Monitoring Check

  • No error spikes in logs

  • journalctl shows successful rsync transfer

  • No AVC denials in ausearch

Rollback Procedure

Trigger Conditions

Rollback if:

  • SELinux policy causes unexpected denials elsewhere

  • System instability after policy installation

  • Policy grants excessive permissions

Rollback Steps

# Remove the policy module
sudo semodule -r vault-backup
# Verify removal
semodule -l | grep vault
# Output: (empty)

Rollback will cause vault-backup.service to fail again. Revert only if the policy causes other issues.

Rollback Verification

  • Policy module removed

  • No unexpected system behavior

  • Document reason for rollback

Sign-Off

Role         Name                  Date
Implementer  Evan                  2026-03-10
Reviewer     N/A (self)            2026-03-10
Approver     N/A (emergency fix)   2026-03-10

Lessons Learned

What went well

  • Permissive domain approach captured all permissions in one pass

  • Policy module is surgical (only grants required permissions)

  • SELinux remained in enforcing mode throughout

What could be improved

  • Should document SELinux requirements when deploying new services

  • Add SELinux policy creation to VM provisioning checklist

Runbook Updates

  • Updated vault-backup.adoc with comprehensive SELinux section