rsync as backup from f11 to F10 - issues

Mike Cloaked mike.cloaked at gmail.com
Tue Aug 11 21:20:46 UTC 2009


I have been running backups using rsync from various machines on my LAN onto
a main (F10) machine into which is plugged a usb external drive that takes
the backup files.

This year the machine into which the backup drive is plugged has been
running F10 fully up to date, and with SELinux fully enforcing.

Machines on the LAN have been running backups across the network using an
rsync command within a script which essentially does:
rsync --delete -aXH --exclude blah /opt home1:/media/usbdrive/BACKUPS/myhostname
and similar for other directories.

This has worked fine until I installed F11 on some of the machines in the
LAN, with ext4 filesystems on them.

Trying the same thing in this case gave AVC denials on the machine (running
F10) to which the external usb drive was attached (and with an ext3
filesystem to take the backups).

The AVC contained:
Summary
SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t. 
Detailed Description
SELinux denied access requested by rsync. It is not expected that this
access is required by rsync and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access. 
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report against this package. 
Additional Information
Source Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects:  None [ capability2 ]
Source:  rsync
Source Path:  /usr/bin/rsync
Port:  <Unknown>
Host:  home1.xxxxxxxxx
Source RPM Packages:  rsync-3.0.6-0.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-67.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  home1.xxxxxxxxx
Platform:  Linux home1.xxxxxxxxxx 2.6.27.29-170.2.78.fc10.i686 #1 SMP Fri
Jul 31 04:40:15 EDT 2009 i686 i686
Alert Count:  72
First Seen:  Tue 11 Aug 2009 08:45:24 PM BST
Last Seen:  Tue 11 Aug 2009 08:57:08 PM BST
Local ID:  2f39a50c-7f62-4e03-aa28-5826d349f52a
Line Numbers:  
Raw Audit Messages :

node=home1.xxxxxxxxxxxxxx type=AVC msg=audit(1250020628.16:1141): avc:
denied { mac_admin } for pid=18683 comm="rsync" capability=33
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=capability2 

node=home1.xxxxxxxxxxxxxx type=SYSCALL msg=audit(1250020628.16:1141):
arch=40000003 syscall=227 success=no exit=-22 a0=bfc81358 a1=9e3808c
a2=9e38068 a3=24 items=0 ppid=18663 pid=18683 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=145 comm="rsync"
exe="/usr/bin/rsync"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 

This seems to stem from a context incompatibility between F10 and F11.

My work-around is as follows:

I have made a new ext4 filesystem on the external drive using mke2fs -t ext4
and labelling it using e2label, and then running the backup with the drive
attached to a machine running F11 with SELinux enforcing and which has an
ext4 filesystem for / and /opt. 

Now I am currently running a backup from one of the other machines on the
LAN which is also running F11 with SELinux enforcing and so far I am not
seeing AVC denials.

My question is whether there is a workaround for the original scenario of
backing up files from the F11 machines onto an external drive with ext3
connected to an F10 machine with ext3 filesystem. Or is the filesystem a red
herring and the problem stemming from SELinux alone?

You may ask why I need to copy the extended attributes - it surely makes
life easier if I restore files later.
-- 
View this message in context: http://www.nabble.com/rsync-as-backup-from-f11-to-F10---issues-tp24925988p24925988.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
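
Added example, not part of the original message: a short Python script that pairs the AVC and SYSCALL records quoted above by audit serial number and decodes their numeric fields. The function names are this example's own, and the lookup tables cover only the values in those two records (arch 40000003 is i386, where syscall 227 is lsetxattr; capability 33 is CAP_MAC_ADMIN; exit -22 is EINVAL).

```python
import re

# Constructed from the two raw audit records quoted in the message above
# (line wraps joined, hostname left masked as posted).
SAMPLE = '''\
node=home1.xxxxxxxxxxxxxx type=AVC msg=audit(1250020628.16:1141): avc: denied { mac_admin } for pid=18683 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
node=home1.xxxxxxxxxxxxxx type=SYSCALL msg=audit(1250020628.16:1141): arch=40000003 syscall=227 success=no exit=-22 a0=bfc81358 a1=9e3808c a2=9e38068 a3=24 items=0 ppid=18663 pid=18683 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=145 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
'''
# Lookup tables limited to the values that occur in these records.
ARCHES = {"40000003": "i386"}            # AUDIT_ARCH_I386
SYSCALLS = {("i386", 227): "lsetxattr"}
CAPS = {33: "CAP_MAC_ADMIN"}
ERRNOS = {22: "EINVAL"}
HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, _stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def explain(event):
    """Decode one AVC + SYSCALL pair into readable values."""
    avc, sc = event["AVC"], event["SYSCALL"]
    arch = ARCHES.get(sc["arch"], sc["arch"])
    nr, rc = int(sc["syscall"]), int(sc["exit"])
    return {
        "comm": avc["comm"],
        "denied": avc["perms"],
        "tclass": avc["tclass"],
        "capability": CAPS.get(int(avc["capability"]), avc["capability"]),
        "syscall": SYSCALLS.get((arch, nr), str(nr)),
        "errno": ERRNOS.get(-rc, str(rc)),
    }

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, explain(ev))
```

The decoded pair shows that the mac_admin denial accompanied an lsetxattr call, that is, an extended-attribute write of the kind the -X option asks rsync to perform.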




