[SOLVED] rsyncd and selinux do not mix
  1. #1

    rsyncd and selinux do not mix

    I have a new F17 install server with rsyncd running.

    From a prior F16 implementation (that probably had selinux off) I had rsyncd configured to back up remote home directories to /home on the rsyncd server. This worked well previously. The rsyncd.conf file is attached.

    However, with F17 selinux is preventing rsyncd from creating directories, writing files, updating timestamps, etc, etc.

    message log
    Code:
    Mar 18 16:09:09 walden6 xinetd[658]: START: rsync pid=1469 from=::ffff:192.168.1.107
    Mar 18 16:09:09 walden6 rsyncd[1469]: name lookup failed for 192.168.1.107: Name or service not known
    Mar 18 16:09:09 walden6 rsyncd[1469]: connect from UNKNOWN (192.168.1.107)
    Mar 18 16:09:09 walden6 rsyncd[1469]: rsync to walden3linux/ from pwalden@UNKNOWN (192.168.1.107)
    Mar 18 16:09:09 walden6 rsyncd[1469]: receiving file list
    Mar 18 16:09:09 walden6 rsyncd[1469]: rsync: recv_generator: mkdir "/pwalden" (in walden3linux) failed: Permission denied (13)
    Mar 18 16:09:09 walden6 rsyncd[1469]: *** Skipping any contents from this failed directory ***
    Mar 18 16:09:09 walden6 dbus-daemon[568]: dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
    Mar 18 16:09:09 walden6 dbus[568]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
    Mar 18 16:09:12 walden6 rsyncd[1469]: sent 2464 bytes  received 258738 bytes  total size 48746338220
    Mar 18 16:09:12 walden6 xinetd[658]: EXIT: rsync status=0 pid=1469 duration=3(sec)

    audit.log
    Code:
    type=AVC msg=audit(1363648149.588:73): avc:  denied  { add_name } for  pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
    type=SYSCALL msg=audit(1363648149.588:73): arch=40000003 syscall=39 success=no exit=-13 a0=bfec8a3c a1=41c0 a2=b74b4fe0 a3=ffffffff items=0 ppid=658 pid=1469 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)

    Using semodule -i mypol.pp against each new selinux error seems like a waste of time. In fact I did waste hours trying to work through one selinux denial after another.

    I tried looking for selinux booleans to turn off the enforcement, but I only saw this one, allow_rsync_anon_write, and I turned it on to no effect.

    Code:
    # getsebool -a | grep rsyn
    allow_rsync_anon_write --> on
    rsync_client --> off
    rsync_export_all_ro --> off
    rsync_use_cifs --> off
    rsync_use_nfs --> off

    I am not a selinux engineer, so before I give up and just turn off selinux outright, is there some other magic incantation I can try?
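
The audit.log excerpt in the post above can be reduced to the one fact that matters for the fix: which domain was denied what on which label. This is an added example, not part of the original post; the second sample record is the denial quoted in the post, the first and third are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Second record: the denial quoted in the post. First and third: constructed
# for illustration (same domain and target label, different permissions).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1363648149.101:72): avc:  denied  { write } for  pid=1469 comm="rsync" name="home" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1363648149.588:73): avc:  denied  { add_name } for  pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1363648150.002:74): avc:  denied  { create } for  pid=1469 comm="rsync" name="pwalden" scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(':')[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL and other record types carry no AVC fields
        key = (selinux_type(match['scon']), selinux_type(match['tcon']),
               match['tclass'])
        grouped[key].update(match['perms'].split())
    return dict(grouped)


def describe(grouped):
    """One line per (domain, label, class) with the permissions sorted."""
    return [f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}"
            for (src, tgt, cls), perms in sorted(grouped.items())]


if __name__ == '__main__':
    for line in describe(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

All three records collapse to a single triple, rsync_t acting on a home_root_t directory, so the choice is about that domain and that label rather than about each denial separately.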

  2. #2

    Re: rsyncd and selinux do not mix

    After some amounts of googling, man reading and luck, the magic incantation is:

    Code:
    # setsebool -P allow_rsync_anon_write on
    
    # semanage fcontext -a -t public_content_rw_t /home/<target dir>
    # restorecon -R -v /home/<target dir>
    ..repeat above 2 steps for each target directory

    I really do not understand much of the above process. The path to a solution happened this way in case others want to follow it.
    1. Googling found references to a rsync_selinux(8) man page
    2. The rsync_selinux man page referred to setting the public_content_rw_t attribute on the rsyncd target directory
    3. Setting the public_content_rw_t on the target directory did not work, but it caused the selinux troubleshooter application to propose the final solution.

  3. #3

    Re: rsyncd and selinux do not mix

    I upgraded the system to F18 and ran into the problem again.

    This time

    # setsebool -P rsync_full_access 1

    was all that was needed.

  4. #4

    Re: rsyncd and selinux do not mix

    semanage fcontext -a -t public_content_rw_t /home/<target dir>
    This is definitely wrong! You are relabelling the /home/ directories to a public and rw content. This is insecure, remove this!

    setsebool -P rsync_full_access 1
    That is the way to do it. rsyncd will have rw access to all the files (except security files).

    setsebool -P rsync_anon_write on
    This one is to have an rw access on public_content_rw_t only. Therefore it is not needed if rsync_full_access is enabled.
    :confused:
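
A check for the two points raised in the reply above: local file-context rules that label paths under /home as public_content_rw_t, and rsync_anon_write left on alongside rsync_full_access. This is an added example, not part of the thread; both inputs are constructed, the first in the file_contexts.local format used for local customisations, and the function names are hypothetical.

```python
import re

# Constructed sample, file_contexts.local format:
#   <path regex> [-<file type flag>] <context>
LOCAL_FCONTEXT = '''\
# This file is auto-generated by libsemanage
/home/pwalden    system_u:object_r:public_content_rw_t:s0
/home/shared(/.*)?    system_u:object_r:public_content_rw_t:s0
/srv/rsync(/.*)?    system_u:object_r:public_content_rw_t:s0
/home/build    -d    system_u:object_r:user_home_dir_t:s0
'''

# Constructed getsebool output using the F18 boolean names from the thread.
BOOLEANS = '''\
rsync_anon_write --> on
rsync_full_access --> on
rsync_client --> off
'''


def public_rw_under_home(fcontext_text):
    """Return path regexes under /home labelled public_content_rw_t."""
    hits = []
    for line in fcontext_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue  # blank line or comment
        path, context = fields[0], fields[-1].split(':')
        if len(context) < 3 or context[2] != 'public_content_rw_t':
            continue
        if re.match(r'/home(/|\(|$)', path):  # /home itself or below, not /homework
            hits.append(path)
    return hits


def parse_booleans(text):
    """Parse 'name --> on|off' lines into {name: bool}."""
    pairs = (line.partition(' --> ') for line in text.splitlines())
    return {name.strip(): value.strip() == 'on' for name, sep, value in pairs if sep}


def review(fcontext_text, boolean_text):
    """List findings that correspond to the two objections in the reply."""
    findings = [f'{path}: public_content_rw_t on a path under /home'
                for path in public_rw_under_home(fcontext_text)]
    bools = parse_booleans(boolean_text)
    if bools.get('rsync_full_access') and bools.get('rsync_anon_write'):
        findings.append('rsync_anon_write is redundant while rsync_full_access is on')
    return findings
```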
