CR-2026-03-10 vault-backup SELinux Policy Module — Verification
Pre-Change Verification
| Check | Status |
|---|---|
| Backup completed (Vault data on NAS from manual test) | [x] |
| Rollback procedure documented ( | [x] |
| Root cause identified (SELinux AVC denials) | [x] |
| Fix validated in permissive mode first | [x] |
Post-Change Verification
Functionality Tests
- vault-backup.service completes successfully - Result: PASS
- Backup file created on NAS - Result: PASS
- Timer scheduled for next run - Result: PASS (02:29 UTC)
- No new SELinux denials - Result: PASS
State Comparison
| Metric | Pre-Change | Post-Change |
|---|---|---|
| vault-backup.service | failed (exit-code 14) | SUCCESS (exit-code 0) |
| SELinux mode | Enforcing | Enforcing (unchanged) |
| vault-backup module | Not installed | Installed |
| rsync_t permissive | No | No (removed after capture) |
Monitoring Check
- No error spikes in logs
- journalctl shows successful rsync transfer
- No AVC denials in ausearch
| Check | Status |
|---|---|
| vault-backup.service completes with exit-code 0 | [x] |
| Backup file created on NAS | [x] |
| Timer scheduled for next run | [x] |
| No new SELinux AVC denials | [x] |
| SELinux remains in Enforcing mode | [x] |
| rsync_t permissive mode removed | [x] |