rsyncd and selinux do not mix

[pwalden]

I have a new F17 install server with rsyncd running.

From a prior F16 implentation (that probably had selinux off) I had rsyncd configured to backup remote home directories to /home on the rsyncd server. This worked well previously The rsyncd.conf file is attached.

However with F17 selinux is prevent rsyncd from creating directories, writing files, updating timestamps, etc, etc.

message log

Code:

Mar 18 16:09:09 walden6 xinetd[658]: START: rsync pid=1469 from=::ffff:192.168.1.107
Mar 18 16:09:09 walden6 rsyncd[1469]: name lookup failed for 192.168.1.107: Name or service not known
Mar 18 16:09:09 walden6 rsyncd[1469]: connect from UNKNOWN (192.168.1.107)
Mar 18 16:09:09 walden6 rsyncd[1469]: rsync to walden3linux/ from pwalden@UNKNOWN (192.168.1.107)
Mar 18 16:09:09 walden6 rsyncd[1469]: receiving file list
Mar 18 16:09:09 walden6 rsyncd[1469]: rsync: recv_generator: mkdir "/pwalden" (in walden3linux) failed: Permission denied (13)
Mar 18 16:09:09 walden6 rsyncd[1469]: *** Skipping any contents from this failed directory ***
Mar 18 16:09:09 walden6 dbus-daemon[568]: dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Mar 18 16:09:09 walden6 dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Mar 18 16:09:12 walden6 rsyncd[1469]: sent 2464 bytes  received 258738 bytes  total size 48746338220
Mar 18 16:09:12 walden6 xinetd[658]: EXIT: rsync status=0 pid=1469 duration=3(sec)

audit.log

Code:

type=AVC msg=audit(1363648149.588:73): avc:  denied  { add_name } for  pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1363648149.588:73): arch=40000003 syscall=39 success=no exit=-13 a0=bfec8a3c a1=41c0 a2=b74b4fe0 a3=ffffffff items=0 ppid=658 pid=1469 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)

Using semodule -i mypol.pp against each new selinux error seems like a waste of time. In fact I did waste hours trying to work through one selinux denial after another.

I tried looking for selinux booleans to turn off the enforecment, but I only saw this one allow_rsync_anon_write and I turned it on to no effect.

Code:

# getsebool -a | grep rsyn
allow_rsync_anon_write --> on
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off

I am not a selinux engineer, so before I give up and just turn off selinux outright, is there some other magic incantation I can try?

[pwalden]

After some amounts of googling, man reading and luck, the magic incantation is:

Code:

# setsebool -P allow_rsync_anon_write on

# semanage fcontext -a -t public_content_rw_t /home/<target dir>
# restorecon -R -v /home/<target dir>
..repeat above 2 steps for each target directory

I really do not understand much of the above process. The path to a solution happened this way in case others want to follow it.

1. Googling found references to a rsync_selinux(8) man page
2. The rsync_selinux man page refered to setting the public_content_rw_t attribute on the rsyncd target directory
3. Setting the public_content_rw_t on the target directory did not work, but it caused the selinux troubleshooter application to propose the final solution.

[pwalden]

I upgraded the system to F18 and ran into the problem again.

This time

# setsebool -P rsync_full_access 1

was all that was needed.

[Skull One]

semanage fcontext -a -t public_content_rw_t /home/<target dir>

This is definitly wrong! You are relabelling the /home/ directories to a public and rw content. This is insecure, remove this!

setsebool -P rsync_full_access 1

That is the way to do. rsyncd will have a rw access of all the files (except security files).

setsebool -P rsync_anon_write on

This one is to have an rw access on public_content_rw_t only. Therefore it is not needed if rsync_full_access is enabled.