INC-2026-03-10: Resolution
Resolution
Immediate Fix
Approach: Put the rsync_t domain in permissive mode to capture ALL denials in a single run, then build one comprehensive policy module from them.
# Step 1: Set domain to permissive (logs but allows)
sudo semanage permissive -a rsync_t
# Step 2: Run service to capture all denials
sudo systemctl start vault-backup.service
# SUCCESS (in permissive mode)
# Step 3: Generate comprehensive policy
sudo ausearch -m avc --start today | grep rsync | audit2allow -M vault-backup
# Step 4: Install policy module
sudo semodule -i vault-backup.pp
# Step 5: Remove permissive mode
sudo semanage permissive -d rsync_t
# Step 6: Test in enforcing mode
sudo systemctl start vault-backup.service
# SUCCESS
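A review gate that could sit between Step 3 and Step 4, shown as an added example that is not part of the incident record. `grep rsync` matches any AVC line that mentions rsync, and audit2allow turns every matched denial into an allow rule, so the function flags rules in the generated .te whose source is not rsync_t, whose target is a sensitive type, or that grant a high-risk permission. The sample .te, the two review lists and the function names are constructed assumptions.

```shell
# Constructed sample of audit2allow output; NOT the module from this incident.
sample_te() {
cat <<'EOF'
module vault-backup 1.0;

require {
    type rsync_t;
    type nfs_t;
    type shadow_t;
    type init_t;
    class file { create open read write };
    class capability dac_override;
}

#============= init_t ==============
allow init_t nfs_t:file read;

#============= rsync_t ==============
allow rsync_t nfs_t:file { create open write };
allow rsync_t shadow_t:file { open read };
allow rsync_t self:capability dac_override;
EOF
}

# Assumed review lists (not from the incident record); tune per site.
RISKY_PERMS='dac_override dac_read_search sys_admin execmem execmod relabelto'
SENSITIVE_TYPES='shadow_t sshd_key_t'

# review_te FILE DOMAIN: print one finding per line; return 1 if any were found.
review_te() {
  awk -v dom="$2" -v perms="$RISKY_PERMS" -v types="$SENSITIVE_TYPES" '
    BEGIN { split(perms, p, " "); for (i in p) risky[p[i]] = 1
            split(types, t, " "); for (i in t) sens[t[i]] = 1 }
    $1 != "allow" { next }             # skip require block, comments, blanks
    {
      split($3, tc, ":")               # $3 is target_type:class
      if ($2 != dom)     { print "UNEXPECTED_SOURCE " $0; bad = 1 }
      if (tc[1] in sens) { print "SENSITIVE_TARGET " $0; bad = 1 }
      for (i = 4; i <= NF; i++) {      # remaining fields are permission tokens
        perm = $i; gsub(/[{};]/, "", perm)
        if (perm in risky) { print "RISKY_PERM " perm ": " $0; bad = 1 }
      }
    }
    END { exit bad + 0 }' "$1"
}

te=$(mktemp); sample_te > "$te"
review_te "$te" rsync_t || echo "Findings above: review before running semodule -i"
rm -f "$te"
```

Against the real module, the call would be `review_te vault-backup.te rsync_t`, since `audit2allow -M vault-backup` writes the .te next to the .pp.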
Verification
- Service completed successfully (exit code 0)
- Backup file transferred to NAS
- Timer scheduled for next run (02:29 UTC)
- SELinux in enforcing mode (getenforce = Enforcing)
- No new AVC denials