selinux and rsync

Paul Howarth paul at city-fan.org
Thu Jul 9 06:19:52 UTC 2009


On Thu, 9 Jul 2009 13:15:08 +1000
Scott Radvan <sradvan at redhat.com> wrote:

> Hi all,
> 
> 
> Having a bit of trouble with rsync on F11 for the managing confined
> services book I am working on.
> 
> I am trying to demonstrate the allow_rsync_anon_write boolean as a
> configuration example by invoking a denial and detailing the
> subsequent work-around, but rsyncd is happily letting me anonymously
> read and write files across the network no matter the state of the
> boolean.
> 
> The default install of F11 I'm using as a server has a simple 'files'
> rsyncd module (in daemon mode) set up in rsyncd.conf which by itself
> should allow access anonymously, but my understanding is that SELinux
> should still over-ride this and stop anonymous writes even with this
> loose rsyncd setup.
> 
> /etc/rsyncd.conf:
> 
> log file = /var/log/rsyncd.log
> pid file = /var/run/rsyncd.pid
> lock file = /var/run/rsync.lock
> 
> [files]
>         path = /srv/files
>         comment = file area
>         read only = false
> 
> 
> From the F11 client:
> 
> $ rsync -avHPAX 100M_file <server_addr>::files
> sending incremental file list
> 100M_file
>    104857600 100%   52.37MB/s    0:00:01 (xfer#1, to-check=0/1)
> 
> sent 104870493 bytes  received 27 bytes  41948208.00 bytes/sec
> total size is 104857600  speedup is 1.00
> 
> $
> 
> My rsync command is entered so that it will preserve extended
> attributes (-X) and ACLs (-A), as shown in rsync(1).
> 
> But I am getting no denials or errors, SELinux does not seem to be
> having a problem with me doing anonymous writes/reads with
> allow_rsync_anon_write --> off
> 
> Perhaps I'm doing something wrong altogether, or misinterpreting this
> boolean, but I would have thought SELinux would have a problem with me
> performing this rsync operation while that boolean is off.
> 
> Further, rsync_selinux(8) says:
> 
> "SELinux requires files to have an extended attribute to define the
> file type. Policy governs the access daemons have to these files. If
> you want to share files using the rsync daemon, you must label the
> files and directories public_content_t"
> 
> But my manually-created path for rsync files is var_t, as is the file
> I copied over, with no denial mentioning public_content_t - is this
> man page out of date? 
> 
> My problem is that it all works too easily! I would have thought
> SELinux would not at all be happy with what I'm doing, but I'm yet to
> get a single denial.

The boolean controls the rsync daemon's ability to write to
public_content_rw_t files. The "anon" part of the boolean's name is
historical baggage really - it's nothing to do with how the rsync
daemon's authentication is set up.

Paul.
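To exercise the boolean Paul describes, the module path has to carry the public_content_rw_t type; a var_t directory never reaches the rule that allow_rsync_anon_write toggles, which is why no denial appeared. The script below is an added example, not code from either poster; it assumes the /srv/files path and the F11 boolean name from the thread, and that the policycoreutils commands (semanage, restorecon, getsebool) exist on the server.

```shell
#!/bin/sh
# Added example: label an rsyncd module path so allow_rsync_anon_write
# actually governs it, then show the resulting state. Assumes /srv/files
# (from the thread) and policycoreutils on a Fedora 11 era system.

SHARE=/srv/files
BOOL=allow_rsync_anon_write

# Extract the type field from an SELinux context string, e.g.
# "system_u:object_r:var_t:s0" -> "var_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the boolean is relevant for a path with this context.
# Only public_content_rw_t is controlled by the allow_*_anon_write
# booleans; public_content_t is the read-only sharing type, and var_t
# is not shared content at all, so the boolean's setting has no effect.
boolean_applies() {
    [ "$(context_type "$1")" = public_content_rw_t ]
}

# Persistently record the label for the module path and apply it to the
# files already in the tree.
label_share() {
    semanage fcontext -a -t public_content_rw_t "$SHARE(/.*)?"
    restorecon -Rv "$SHARE"
}

# Show the directory label and the boolean; with the label in place, an
# anonymous rsync write is denied while the boolean is off and allowed
# once it is on.
show_state() {
    ls -Zd "$SHARE"
    getsebool "$BOOL"
}

# Privileged steps run only when invoked as: sh thisscript.sh apply
if [ "${1-}" = apply ]; then
    label_share
    show_state
    # Flip the boolean persistently to permit the write:
    #   setsebool -P "$BOOL" on
fi
```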

More information about the fedora-selinux-list mailing list