I have a new F17 install server with rsyncd running.
From a prior F16 implementation (that probably had SELinux off) I had rsyncd configured to back up remote home directories to /home on the rsyncd server. This worked well previously. The rsyncd.conf file is attached.
However, with F17 SELinux is preventing rsyncd from creating directories, writing files, updating timestamps, etc.
message log
Code:
Mar 18 16:09:09 walden6 xinetd[658]: START: rsync pid=1469 from=::ffff:192.168.1.107
Mar 18 16:09:09 walden6 rsyncd[1469]: name lookup failed for 192.168.1.107: Name or service not known
Mar 18 16:09:09 walden6 rsyncd[1469]: connect from UNKNOWN (192.168.1.107)
Mar 18 16:09:09 walden6 rsyncd[1469]: rsync to walden3linux/ from pwalden@UNKNOWN (192.168.1.107)
Mar 18 16:09:09 walden6 rsyncd[1469]: receiving file list
Mar 18 16:09:09 walden6 rsyncd[1469]: rsync: recv_generator: mkdir "/pwalden" (in walden3linux) failed: Permission denied (13)
Mar 18 16:09:09 walden6 rsyncd[1469]: *** Skipping any contents from this failed directory ***
Mar 18 16:09:09 walden6 dbus-daemon[568]: dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Mar 18 16:09:09 walden6 dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Mar 18 16:09:12 walden6 rsyncd[1469]: sent 2464 bytes received 258738 bytes total size 48746338220
Mar 18 16:09:12 walden6 xinetd[658]: EXIT: rsync status=0 pid=1469 duration=3(sec)
audit.log
Code:
type=AVC msg=audit(1363648149.588:73): avc: denied { add_name } for pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1363648149.588:73): arch=40000003 syscall=39 success=no exit=-13 a0=bfec8a3c a1=41c0 a2=b74b4fe0 a3=ffffffff items=0 ppid=658 pid=1469 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)
Using semodule -i mypol.pp against each new selinux error seems like a waste of time. In fact I did waste hours trying to work through one selinux denial after another.
I tried looking for SELinux booleans to turn off the enforcement, but I only saw this one, allow_rsync_anon_write, and I turned it on to no effect.
Code:
# getsebool -a | grep rsyn
allow_rsync_anon_write --> on
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off
I am not a selinux engineer, so before I give up and just turn off selinux outright, is there some other magic incantation I can try?
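Added example, not code from the post: a small Python parser for audit.log AVC records like the one quoted above, which groups denials by source type, target type, object class and permission so a run of denials can be read as one labelling problem instead of being patched one semodule at a time. The sample log is constructed from the post's record; the boolean hint assumes, from the reference policy rather than the post, that allow_rsync_anon_write only grants rsync_t write access to public_content_rw_t objects.

```python
import re
from collections import Counter

# Constructed sample log: the AVC record quoted in the post, a shortened SYSCALL
# record, and a second denial of the same shape to show the grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363648149.588:73): avc: denied { add_name } for pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1363648149.588:73): arch=40000003 syscall=39 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync"
type=AVC msg=audit(1363648150.101:74): avc: denied { write add_name } for pid=1469 comm="rsync" name="walden3linux" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; the type (index 2) is what policy rules key on.
    return {
        'perms': tuple(sorted(m.group('perms').split())),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
    }

def summarize(log_text):
    """Count denials grouped by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            counts[(d['source_type'], d['target_type'], d['tclass'], d['perms'])] += 1
    return counts

# Assumed reference-policy fact, not taken from the post: allow_rsync_anon_write
# only lets rsync_t write to objects labelled public_content_rw_t.
ANON_WRITE_TARGET = 'public_content_rw_t'

def boolean_covers(denial):
    """True if allow_rsync_anon_write would address this denial, i.e. the target
    carries the type that boolean actually grants rsync_t write access to."""
    return denial['source_type'] == 'rsync_t' and denial['target_type'] == ANON_WRITE_TARGET
```

Run summarize() over a real audit.log and a single (rsync_t, home_root_t, dir) line with many hits points at the label on the /home target rather than at missing per-denial policy modules; boolean_covers() returning False for it is why flipping allow_rsync_anon_write changed nothing.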