SELinux in the way of automated rsync

Daniel J Walsh dwalsh at redhat.com
Wed Aug 2 19:07:40 UTC 2006 

J.L. Coenders wrote:
> On Tuesday 01 August 2006 18:15, Paul Howarth wrote:
>   
>> J.L. Coenders wrote:
>>     
>>> On Tuesday 01 August 2006 13:02, Paul Howarth wrote:
>>>       
>>>> J.L. Coenders wrote:
>>>>         
>>>>> Hi,
>>>>> I am trying to automate a backup with rsync to a second disc using a
>>>>> cronjob. I am running fc5. The script works fine when I run it
>>>>> manually, but if I try to run it as a cronjob it fails with a lot of
>>>>> rsync errors. When looking at the system logs, I suspect that SELinux
>>>>> is blocking rsync. How do I correct this?
>>>>>
>>>>> Messages are like this:
>>>>>
>>>>> Aug  1 09:09:43 localhost kernel: audit(1154416183.900:651): avc: 
>>>>> denied { search } for  pid=19905 comm="rsync" name="/" dev=sda1 ino=2
>>>>> scontext=system_u:system_r:rsync_t:s0
>>>>> tcontext=system_u:object_r:default_t:s0 tclass=dir
>>>>>           
>>>> That may be a labelling problem on your system.
>>>>
>>>>         
>>>>> Could anyone show me to some easy to understand explanation of SELinux?
>>>>> So far I only find quite complex ones.
>>>>>           
>>>> SELinux isn't simple, so you're unlikely to find a simple explanation
>>>> for it.
>>>>
>>>> What is the top-level directory you are trying to copy using rsync?
>>>>
>>>> Paul.
>>>>         
>>> Hehehe, thanks, I already understood that it probably would not be
>>> simple. One of the Linux magazines I consulted said something similar to
>>> that too.
>>>
>>> I am trying to rsync my home, /etc and /var directory to a backup drive.
>>> So that would be /home/user, /etc and /var.
>>>       
>> There's no way the standard SELinux policy is going to let you do that,
>> as there are loads of "sensitive" files there that people shouldn't
>> normally be able to access using the rsync service. Given the number of
>> different file types involved, particularly for /etc and /var, it's not
>> practical to change the rsync policy ro allow access to all of these files.
>>
>> One way to fix this would be to disable the transition to the rsync_t
>> domain, so that rsync ran "unconfined" by SELinux when run from cron,
>> just as it does when run manually.
>>
>> That's a bit of a sledgehammer approach though. Can you tell us exactly
>> how you are trying to do this? rsync command directly in crontab file?
>> Are you running rsync locally or over the network? Are you using a
>> wrapper script?
>>
>> And can you post the output of: "sestatus"
>>
>> Paul.
>>     
>
> Btw, if anyone of you has another way of doing this, I am very willing to 
> explore the options.
>
> Thanks,
> Jeroen
>   
rsync policy is for the rsync server not for running it as a client.

The only domain_transition I see is from initrc_t, so if some how your
cron daemon did not transition this could cause the mess up.

Dan

More information about the fedora-list mailing list