selinux and rsync

Scott Radvan sradvan at redhat.com
Thu Jul 9 03:15:08 UTC 2009


Hi all,


Having a bit of trouble with rsync on F11 for the managing confined
services book I am working on.

I am trying to demonstrate the allow_rsync_anon_write boolean as a
configuration example by invoking a denial and detailing the subsequent
work-around, but rsyncd is happily letting me anonymously read and
write files across the network no matter the state of the boolean.

The default install of F11 I'm using as a server has a simple 'files'
rsyncd module (in daemon mode) set up in rsyncd.conf which by itself
should allow access anonymously, but my understanding is that SELinux
should still override this and stop anonymous writes even with this
loose rsyncd setup.

/etc/rsyncd.conf:

log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
local file = /var/run/rsync.lock

[files]
        path = /srv/files
        comment = file area
        read only = false


From the F11 client:

$ rsync -avHPAX 100M_file <server_addr>::files
sending incremental file list
100M_file
   104857600 100%   52.37MB/s    0:00:01 (xfer#1, to-check=0/1)

sent 104870493 bytes  received 27 bytes  41948208.00 bytes/sec
total size is 104857600  speedup is 1.00

$

My rsync command is entered so that it will preserve extended attributes
(-X) and ACLs (-A), as shown in rsync(1).

But I am getting no denials or errors; SELinux does not seem to be
having a problem with me doing anonymous writes/reads with
allow_rsync_anon_write --> off

Perhaps I'm doing something wrong altogether, or misinterpreting this
boolean, but I would have thought SELinux would have a problem with me
performing this rsync operation while that boolean is off.

Further, rsync_selinux(8) says:

"SELinux requires files to have an extended attribute to define the
file type. Policy governs the access daemons have to these files. If
you want to share files using the rsync daemon, you must label the
files and directories public_content_t"

But my manually-created path for rsync files is var_t, as is the file I
copied over, with no denial mentioning public_content_t - is this man
page out of date? 

My problem is that it all works too easily! I would have thought
SELinux would not at all be happy with what I'm doing, but I'm yet to
get a single denial.

What am I doing wrong?


Thanks,


-- 
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
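A small triage script, added here as an example and not part of Scott's post or of any Fedora tooling. It parses the text that the usual checks print (`ps -eZ`, `getsebool allow_rsync_anon_write`, `ls -dZ` on the module path, and AVC records from /var/log/audit/audit.log) and reports whether a denial should be expected at all. The first check is the process domain: a daemon started by hand from an unconfined root shell stays in unconfined_t instead of transitioning to rsync_t, and an unconfined daemon never triggers the rsync policy or its booleans, which is the usual reason an anonymous write "works too easily". All sample output below is constructed, and the function names are my own.

```python
"""Triage the SELinux state around an rsync daemon from captured command output.

Added example for the question above; inputs are constructed samples, not real captures.
"""
import re

# One AVC record: verdict, permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_of(context):
    """Type field of a context such as system_u:system_r:rsync_t:s0 -> rsync_t."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def daemon_domains(ps_output, comm='rsync'):
    """Domains of all processes named `comm`, from `ps -eZ` output (LABEL PID TTY TIME CMD)."""
    domains = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[-1] == comm:
            domains.add(domain_of(fields[0]))
    return domains

def boolean_state(getsebool_output, name):
    """Parse `getsebool <name>` ('name --> on') into True/False, or None if absent."""
    m = re.search(rf'^{re.escape(name)}\s+-->\s+(on|off)\s*$', getsebool_output, re.M)
    return None if m is None else m.group(1) == 'on'

def path_type(ls_z_output):
    """Type of the first entry in `ls -dZ` output; tolerates old and new coreutils layouts."""
    for line in ls_z_output.splitlines():
        for tok in line.split():
            if tok.count(':') >= 3:
                return domain_of(tok)
    return None

def parse_avc(audit_lines):
    """Extract verdict, permissions, source/target types and class from AVC records."""
    records = []
    for line in audit_lines.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({'verdict': m.group('verdict'),
                            'perms': m.group('perms').split(),
                            'source': domain_of(m.group('scontext')),
                            'target': domain_of(m.group('tcontext')),
                            'tclass': m.group('tclass')})
    return records

def triage(ps_output, getsebool_output, ls_z_output, audit_lines):
    """Return (code, message) findings; codes are stable so callers can act on them."""
    findings = []
    domains = daemon_domains(ps_output)
    if not domains:
        findings.append(('no_process', 'no rsync process found'))
    elif 'rsync_t' not in domains:
        findings.append(('unconfined_daemon',
                         'rsyncd runs in %s, not rsync_t: the rsync policy and its booleans '
                         'do not apply, so no AVC denial is expected' % ', '.join(sorted(domains))))
    else:
        findings.append(('confined_daemon', 'rsyncd runs in rsync_t'))

    state = boolean_state(getsebool_output, 'allow_rsync_anon_write')
    if state is None:
        findings.append(('boolean_unknown', 'allow_rsync_anon_write not reported'))
    else:
        findings.append(('boolean_on' if state else 'boolean_off',
                         'allow_rsync_anon_write is %s' % ('on' if state else 'off')))

    ptype = path_type(ls_z_output)
    if ptype in ('public_content_t', 'public_content_rw_t'):
        findings.append(('label_ok', 'module path is %s' % ptype))
    else:
        findings.append(('label_wrong', 'module path is %s; rsync_selinux(8) expects '
                         'public_content_t (read-only) or public_content_rw_t (writes)' % ptype))

    for rec in parse_avc(audit_lines):
        if rec['verdict'] == 'denied' and rec['source'] == 'rsync_t':
            findings.append(('denial', 'rsync_t denied %s on %s %s'
                             % (' '.join(rec['perms']), rec['target'], rec['tclass'])))
    return findings

# Constructed samples: the situation in the post (hand-started daemon, var_t path, no AVCs)
# and a properly confined daemon writing to public_content_rw_t with the boolean off.
PS_UNCONFINED = ("LABEL PID TTY TIME CMD\n"
                 "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2481 ? 00:00:00 rsync\n")
PS_CONFINED = "LABEL PID TTY TIME CMD\nsystem_u:system_r:rsync_t:s0 2502 ? 00:00:00 rsync\n"
GETSEBOOL_OFF = "allow_rsync_anon_write --> off\n"
LS_VAR_T = "drwxr-xr-x. root root system_u:object_r:var_t:s0 /srv/files\n"
LS_RW = "drwxr-xr-x. root root system_u:object_r:public_content_rw_t:s0 /srv/files\n"
AUDIT_EMPTY = ""
AUDIT_DENIAL = ('type=AVC msg=audit(1247108100.123:456): avc:  denied  { write } for  pid=2502 '
                'comm="rsync" name="100M_file" dev=sda2 ino=12345 '
                'scontext=system_u:system_r:rsync_t:s0 '
                'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file\n')

if __name__ == '__main__':
    for label, args in (('as posted', (PS_UNCONFINED, GETSEBOOL_OFF, LS_VAR_T, AUDIT_EMPTY)),
                        ('confined', (PS_CONFINED, GETSEBOOL_OFF, LS_RW, AUDIT_DENIAL))):
        print('==', label)
        for code, msg in triage(*args):
            print(' [%s] %s' % (code, msg))
```

Feed it the real command output on the server (`ps -eZ | grep rsync`, `getsebool allow_rsync_anon_write`, `ls -dZ /srv/files`, `grep avc /var/log/audit/audit.log`) and the findings tell you which of the three things to fix first: get the daemon into rsync_t (start it through the service/xinetd path rather than by hand), relabel the module path, or flip the boolean.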
