CR-2026-03-10 vault-backup SELinux Policy Module

Change Summary

Field              Value
Change ID          CR-2026-03-10-vault-backup-selinux
Requested By       Self (incident response)
Target Date        2026-03-10
Systems Affected   vault-01
Risk Level         Low (SELinux policy addition, easily reversible)
Rollback Time      < 1 minute
Change Window      Immediate (incident response)

Description

What

Install custom SELinux policy module vault-backup.pp to allow the rsync_t domain to execute SSH and access related files for Vault backup operations.

Why

  • vault-backup.service was failing due to SELinux denials

  • Backups to NAS not running since at least 2026-03-09

  • Required for automated Vault data protection

Impact

  • During change: None (policy addition, not modification)

  • After change: vault-backup.service can execute rsync over SSH

Pre-Change Checklist

Prerequisites

  • Backup completed (Vault data already on NAS from manual test)

  • Rollback procedure documented (semodule -r vault-backup)

  • Root cause identified (SELinux AVC denials)

  • Fix validated in permissive mode first
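Validating in permissive mode produces a set of AVC records for the rsync_t domain, and the policy module should allow exactly those accesses and nothing else. The following added example (not part of this change request, and not the output of the real tooling) shows the triage step in Python: it parses audit-style AVC lines, rejects denials that come from any domain other than the one the module is meant to cover, and emits the equivalent allow rules so they can be compared with the .te source before semodule -i. The sample records, the target types and the helper names are constructed for illustration; on a real host the records come from ausearch -m AVC and the rules from audit2allow.

```python
"""Mini AVC-denial triage for scoping a custom SELinux module.

Added example, not the change request's own tooling. Re-implements a
small slice of what audit2allow does so the reviewer can see how a
permissive-mode capture turns into allow rules, and can spot denials
that do not belong in the module at all.
"""
import re
from collections import defaultdict

# Constructed sample records (not captured from vault-01). The layout
# follows the kernel AVC format; the target types are illustrative.
SAMPLE_AVC = """\
type=AVC msg=audit(1773100000.123:4101): avc:  denied  { execute } for  pid=2211 comm="rsync" name="ssh" dev="dm-0" ino=1337 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1773100000.125:4102): avc:  denied  { read open } for  pid=2212 comm="ssh" name="id_ed25519" dev="dm-0" ino=2048 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1773100000.130:4103): avc:  denied  { name_connect } for  pid=2212 comm="ssh" dest=22 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1773100000.140:4104): avc:  denied  { write } for  pid=2300 comm="httpd" name="x" dev="dm-0" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": frozenset(m.group(1).split()),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log_text, expected_domain):
    """Group denials by (source type, target type, class).

    Denials whose source domain is not expected_domain are returned
    separately so they are not folded into the module by accident.
    """
    rules = defaultdict(set)
    out_of_scope = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["stype"] != expected_domain:
            out_of_scope.append(rec)
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules), out_of_scope


def to_te_rules(rules):
    """Render grouped denials as sorted allow rules in .te syntax."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


if __name__ == "__main__":
    rules, stray = summarize(SAMPLE_AVC, "rsync_t")
    for rule in to_te_rules(rules):
        print(rule)
    for rec in stray:
        print(f"# out of scope, not added: {rec['stype']} -> "
              f"{rec['ttype']}:{rec['tclass']} {sorted(rec['perms'])}")
```

Run it and the three rsync_t denials collapse into three allow rules; the httpd_t denial is reported but excluded, which is the check worth keeping: a module named vault-backup should only ever widen rsync_t, and any other source domain in the capture is a separate problem to investigate, not something to allow.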

Current State Capture

# SELinux status
getenforce
# Output: Enforcing

# Service status
systemctl status vault-backup.service
# Output: failed (exit-code 14)

# Existing policy modules
semodule -l | grep vault
# Output: (none)

Metric                  Pre-Change Value
vault-backup.service    failed (exit-code 14)
SELinux mode            Enforcing
vault-backup module     Not installed
rsync_t permissive      No