CR-2026-03-10 vault-backup SELinux Policy Module — Implementation

Change Procedure

Phase 1: Capture Required Permissions

# Set rsync_t to permissive
sudo semanage permissive -a rsync_t

Expected: No output (success)

# Run service to generate all AVC denials
sudo systemctl start vault-backup.service

Expected: service completes successfully (AVC denials are logged but not enforced for rsync_t)

Phase 2: Generate and Install Policy

# Generate policy module from denials
sudo ausearch -m avc --start today | grep rsync | audit2allow -M vault-backup

Expected: Creates vault-backup.te and vault-backup.pp

# Review policy
cat vault-backup.te

Expected: Shows allow rules for rsync_t
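Added review helper for this step, not part of the change record: audit2allow turns every denial it saw into an allow rule, so the generated vault-backup.te should be read before semodule -i. The script below parses the allow rules of a .te file and flags permissions that a blanket run often sweeps up but a backup job rarely needs; the flagged list and the sample .te it runs on are constructed for this example, not output from the vault-backup host.

```shell
#!/bin/sh
# Review helper for the audit2allow output (added example, not part of the
# original procedure). RISKY_PERMS is an assumed list of permissions that
# deserve a second look before the module is installed.

RISKY_PERMS='dac_override dac_read_search sys_admin sys_ptrace execmem execstack execute_no_trans'

# te_allow_rules FILE
# Prints one line per permission: "<source> <target>:<class> <perm>".
# audit2allow emits each allow rule on a single line, either
#   allow rsync_t var_lib_t:file read;
# or
#   allow rsync_t var_lib_t:dir { read write };
te_allow_rules() {
    awk '
        $1 == "allow" {
            src = $2; tgt = $3
            for (i = 4; i <= NF; i++) {
                p = $i
                gsub(/[{};]/, "", p)      # drop brace and terminator tokens
                if (p != "") print src, tgt, p
            }
        }' "$1"
}

# te_risky_rules FILE
# Prints the subset of rules whose permission is listed in RISKY_PERMS.
te_risky_rules() {
    te_allow_rules "$1" | while read -r src tgt perm; do
        for r in $RISKY_PERMS; do
            [ "$perm" = "$r" ] && printf '%s %s %s\n' "$src" "$tgt" "$perm"
        done
    done
}

# te_review FILE
# Returns 0 when nothing is flagged, 1 otherwise, so it can gate
# "semodule -i" in a wrapper script.
te_review() {
    _risky=$(te_risky_rules "$1")
    if [ -n "$_risky" ]; then
        printf 'FLAGGED for manual review before semodule -i:\n%s\n' "$_risky"
        return 1
    fi
    printf 'No flagged permissions in %s\n' "$1"
    return 0
}

# Constructed sample .te (not real audit2allow output from the backup host)
# so the helper runs offline. It deliberately contains one rule worth a
# second look: a dac_override capability for rsync_t.
SAMPLE_TE=$(mktemp)
cat > "$SAMPLE_TE" <<'EOF'
module vault-backup 1.0;

require {
	type rsync_t;
	type var_lib_t;
	class dir { read write search };
	class file { read getattr open };
	class capability dac_override;
}

#============= rsync_t ==============
allow rsync_t self:capability dac_override;
allow rsync_t var_lib_t:dir { read write search };
allow rsync_t var_lib_t:file { read getattr open };
EOF

# Run the review against the sample; on the real host pass vault-backup.te.
te_review "$SAMPLE_TE" || echo "resolve the flagged rules (or relabel the files) before installing"
```

On the real host the call is te_review vault-backup.te after audit2allow has run. A flagged capability such as dac_override usually means the backup source has a file or directory the rsync_t domain cannot reach through normal DAC permissions; fixing ownership or the file context is the narrower change, and re-running audit2allow afterwards produces a module without that rule.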

# Install policy module
sudo semodule -i vault-backup.pp

Expected: No output (success)

Phase 3: Remove Permissive and Test

# Remove permissive mode
sudo semanage permissive -d rsync_t

Expected: Confirmation message

# Test in enforcing mode
sudo systemctl start vault-backup.service && systemctl status vault-backup.service

Expected: Active: inactive (dead) with status=0/SUCCESS