xinetd rsync --daemon problems

Chuck Anderson cra at WPI.EDU
Thu Oct 11 22:01:25 UTC 2007


I'm using Fedora Core 6, and trying to start a rsync daemon via 
xinetd.  The default configuration is:

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}

With this rsyncd.conf:

motd file = /etc/rsyncd.motd
pid file = /var/run/rsyncd.pid
port = 873
uid = rsyncd
gid = mirror
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
read only = yes
hosts allow = 127.0.0.1, ::1, etc....
#hosts deny = 0.0.0.0/0, ::
ignore nonreadable = yes
transfer logging = yes
timeout = 600
dont compress = *

[fedora-linux-core]
        path = /srv/ftp/pub/fedora/linux/core
        comment = Fedora Linux Core     

[fedora-linux-core-updates]
        path = /srv/ftp/pub/fedora/linux/core/updates
        comment = Fedora Linux Core Updates    

[fedora-linux-extras]
        path = /srv/ftp/pub/fedora/linux/extras
        comment = Fedora Linux Extras     

[fedora-linux-core-test]
        path = /srv/ftp/pub/fedora/linux/core/test
        comment = Fedora Linux Core Test    

[fedora-linux-releases]
        path = /srv/ftp/pub/fedora/linux/releases
        comment = Fedora Linux Releases     

[fedora-linux-development]
        path = /srv/ftp/pub/fedora/linux/development
        comment = Fedora Linux Development     

[fedora-enchilada]
        path = /srv/ftp/pub/fedora
        comment = Fedora - The whole enchilada   

[fedora-linux-updates]
        path = /srv/ftp/pub/fedora/linux/updates
        comment = Fedora Linux Updates     

[fedora-web]
        path = /srv/ftp/pub/fedora/web
        comment = Web content for Fedora Linux mirrors  

I get these AVCs when running from xinetd and making a client 
connection that I don't get if I start the daemon directly via "rsync 
--daemon" as root:

type=AVC msg=audit(1192132336.713:3464): avc:  denied  { lock } for  
pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 
scontext=user_u:system_r:rsync_t:s0 
tcontext=root:object_r:var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 
success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 
ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" 
subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464):  
path="/var/run/rsyncd.lock"

type=AVC msg=audit(1192132400.044:3465): avc:  denied  { bind } for  
pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket

type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102 
success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0 
ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" 
subj=user_u:system_r:rsync_t:s0 key=(null)

I tried creating and loading a policy module:

# grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd
# semodule -i rsyncd.pp

Here is rsyncd.te:

module rsyncd 1.0;

require {
        type var_run_t;
        type rsync_t;
        class netlink_route_socket create;
        class file { read write };
}

#============= rsync_t ==============
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };

But I still get these AVCs:

type=AVC msg=audit(1192139751.238:3586): avc:  denied  { bind } for  
pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket

type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102 
success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0 
ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" 
subj=user_u:system_r:rsync_t:s0 key=(null)

Additionally, when using xinetd I don't ever get any log messages in 
/var/log/rsyncd.log like I do when I run "rsync --daemon" directly:

2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873
2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 21:08:13 [8616] building file list
2007/10/11 21:08:13 [8616] sent 1629 bytes  received 106 bytes  total size 19
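The denials above and the rsyncd.te module that was loaded can be compared mechanically. The following Python script is an added example, not code from the post or from the SELinux tools: it re-implements the part of audit2allow that turns AVC records into allow rules, then diffs those rules against the rules a module already grants. Its sample input is the post's own AVC lines re-joined onto single lines (the SYSCALL record is trimmed and ignored), and the module text is the two allow rules from the post. Run on that input it reports that the module grants `create` on netlink_route_socket and `read write` on var_run_t files, while the remaining denials are for `bind` and `lock`, which is why the second AVC persists after `semodule -i rsyncd.pp`.

```python
import re
from collections import defaultdict

# Constructed sample: the post's AVC records as they would appear in
# /var/log/audit/audit.log, one record per line. The SYSCALL record is
# trimmed here because only AVC records carry the data a rule needs.
AUDIT_LOG = """\
type=AVC msg=audit(1192132336.713:3464): avc:  denied  { lock } for  pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync"
type=AVC msg=audit(1192132400.044:3465): avc:  denied  { bind } for  pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
"""

# The allow rules from the post's rsyncd.te, as loaded with semodule.
MODULE_TE = """\
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<tclass>\w+)\s+'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\w+))\s*;'
)


def type_of(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return a set of (source_type, target_type_or_self, tclass, perm) tuples."""
    denials = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, AVC_PATH and other record types carry no rule data
        src = type_of(m["scontext"])
        tgt = type_of(m["tcontext"])
        # A denial against the domain's own context is written as "self".
        tgt = "self" if tgt == src else tgt
        for perm in m["perms"].split():
            denials.add((src, tgt, m["tclass"], perm))
    return denials


def parse_allows(te_text):
    """Return the (source, target, tclass, perm) tuples a .te module grants."""
    allows = set()
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m["perms"].split() if m["perms"] else [m["perm"]]
        for perm in perms:
            allows.add((m["src"], m["tgt"], m["tclass"], perm))
    return allows


def uncovered(denials, allows):
    """Denials the loaded module does not grant; these are the AVCs that will persist."""
    return denials - allows


def to_te_rules(denials):
    """Group (src, tgt, tclass) and emit allow rules in .te syntax, as audit2allow does."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in denials:
        grouped[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    missing = uncovered(parse_denials(AUDIT_LOG), parse_allows(MODULE_TE))
    for rule in to_te_rules(missing):
        print("not granted by module:", rule)
```

Whether a rule should actually be added is a separate decision: a denial tells you what the process tried, not that the policy is wrong, and the usual reason a freshly built module still leaves denials is exactly this mismatch between the permissions collected when the module was generated and the ones the daemon asks for on the next run.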