Troubleshooting SELinux Configuration

Backup and restore operations fail

If backup and restore operations fail, or if there are any issues with Commvault services, check whether SELinux has logged any denial messages. These denials, also known as AVC denials, are logged to different locations depending on which daemons are running.

| Daemon | Log location |
| --- | --- |
| auditd on | /var/log/audit/audit.log |
| auditd off; rsyslogd on | /var/log/messages |
| setroubleshootd, rsyslogd, and auditd on | /var/log/audit/audit.log. Easy-to-read denial messages are also sent to the /var/log/messages file. |

Procedure

  1. Go to the /var/log/audit directory.

  2. Open the audit.log file.

  3. Check if any permissions are denied by SELinux.

    A denial message appears as follows:

    type=AVC msg=audit(1494408684.449:244): avc: denied { write } for pid=12037 comm="cvd" name="cvlaunchd.sock" dev=dm-0 ino=2110807 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:usr_t:s0 tclass=sock_file
    type=AVC msg=audit(1494408688.061:258): avc: denied { ioctl } for pid=12383 comm="CvMountd" path="/dev/sg0" dev=devtmpfs ino=10311 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file

  4. To give proper permissions, complete the following steps:

    1. Log on to the client computer as a root user.

    2. If the denials come from a single process (for example, cvd), run the following command:

      grep "cvd" /var/log/audit/audit.log | audit2allow -M backup_IDA_1

    3. If the denials come from multiple processes (for example, cvd, CvMountd, and so on), run the following command. grep is case-sensitive, so use each process name exactly as it appears in the comm field of the denial message.

      grep -E "cvd|CvMountd" /var/log/audit/audit.log | audit2allow -M backup_IDA_1

    4. Install the policy module. audit2allow -M backup_IDA_1 writes the compiled module to backup_IDA_1.pp in the current directory.

      semodule -i backup_IDA_1.pp

    5. Perform backup and restore operations to see if any other permissions are denied. If yes, go back to step #4 and repeat the procedure.
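
Before installing a module, it helps to see exactly which denials will be turned into allow rules. The script below is an added example, not part of the original Commvault procedure: it lists denials by exact comm value, whereas grep "cvd" matches any line that contains that string. The function names summarize_avc and sample_log and the third sample line (sshd) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which SELinux denials belong to the named processes,
# so the rules audit2allow would generate can be reviewed first.

# Sample input: the two denials quoted on this page plus one CONSTRUCTED
# sshd line whose file name contains "cvd" (a plain grep "cvd" matches it).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1494408684.449:244): avc: denied { write } for pid=12037 comm="cvd" name="cvlaunchd.sock" dev=dm-0 ino=2110807 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:object_r:usr_t:s0 tclass=sock_file
type=AVC msg=audit(1494408688.061:258): avc: denied { ioctl } for pid=12383 comm="CvMountd" path="/dev/sg0" dev=devtmpfs ino=10311 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1494408690.100:260): avc: denied { read } for pid=900 comm="sshd" name="cvd.log" dev=dm-0 ino=42 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# Usage: summarize_avc COMM... < audit.log
# Prints: count comm source_type target_type:tclass { permissions }
summarize_avc() {
    awk -v want="$*" '
    # Return the value of key=value from the current record, quotes removed.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) ok[names[i]] = 1 }
    $1 == "type=AVC" && /avc: +denied/ {
        comm = field("comm")
        if (!(comm in ok)) next          # exact, case-sensitive comm match
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 2, b - a - 3)
        split(field("scontext"), s, ":") # user:role:type:level
        split(field("tcontext"), t, ":")
        count[comm " " s[3] " " t[3] ":" field("tclass") " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Demo on the embedded sample.
sample_log | summarize_avc cvd CvMountd
```

On a client, run it as summarize_avc cvd CvMountd < /var/log/audit/audit.log and compare the output with the rules in the backup_IDA_1.te file that audit2allow -M writes next to the .pp file.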

MediaAgent package was installed earlier and operations such as browse and synthetic full backup fail

If the MediaAgent package was installed earlier and operations such as browse and synthetic full backup fail, configure the following settings:

Procedure

  1. Verify that the client has sufficient memory. A minimum of 8 GB is recommended.

  2. Increase the system-wide file descriptor limit. On Linux, you can change the number of file descriptors that can be open concurrently across the system by using the /etc/sysctl.conf file.

    1. Log on to the client computer as a root user.

    2. Increase the maximum number of open files by setting a new value in the kernel variable /proc/sys/fs/file-max.

      # sysctl -w fs.file-max=100000

      The command forces the limit to 100000 files.

    3. Open the /etc/sysctl.conf file for editing so that the setting persists after a reboot.

      # vi /etc/sysctl.conf
    4. Append a configuration directive.

      fs.file-max = 100000
    5. Save and close the /etc/sysctl.conf file.

      Log out and log back on to the client computer for changes to take effect or run the following command:

      # sysctl -p
    6. Verify your settings.

      # cat /proc/sys/fs/file-max
  3. Increase the user-level file descriptor limit.

    1. You can limit specific users to specific file descriptor limits by editing the /etc/security/limits.conf file.

      # vi /etc/security/limits.conf
    2. Set the soft and hard limits for the user name.

      username soft nofile 4096
      username hard nofile 10240

    3. Save and close the /etc/security/limits.conf file. To see the configured limits, use the following commands.

      # su - username
      $ ulimit -Hn
      $ ulimit -Sn

  4. Edit the /etc/pam.d/login file and add or modify the following line.

    session required pam_limits.so
  5. Save and close the /etc/pam.d/login file.

  6. Restart Commvault services.

    commvault restart
