Trying to cause a denial with rsync and SELinux

Scott Radvan sradvan at redhat.com
Mon Jul 20 01:53:38 UTC 2009 

Hello all,


I'm having troubles invoking _any_ denial whatsoever for rsync related
tasks, in order for me to demonstrate in my book how to then work
around it. 

I've made a custom init script for rsync as there is no existing one in
Fedora 11, so I labeled it initrc_exec_t so that the rsync daemon
transitions to rsync_t:

# ps -eZ | grep rsync
unconfined_u:system_r:rsync_t:s0  326 ?        00:00:00 rsync

According to the information I have, now that it's running as rsync_t,
the following Booleans should have an effect:

allow_rsync_anon_write

	No mattter the state of this Boolean, I can still write to 
	public_content_rw_t files, locally or over the LAN.

rsync_client

	I have very little information on this Boolean and what it
	actually implies, what it requires in terms of labels, etc. but
	no matter its state, rsync operates normally as a client
	reading and writing to a daemonized process on another machine.

rsync_export_all_ro

	Perhaps I'm misinterpreting this one as well, but no matter its
	state, I can read _and_ write the test files in the directory
	specified by the rsync daemon, locally and over the network.

Really, I'm probably misinterpreting these Booleans and their actual
implications, or doing something completely wrong.

I simply need a way that I can get SELinux to give me a denial related
to rsync (running as a daemon) which I can then document and demonstrate
the work-around for. My problem remains that everything works too _well_
and SELinux doesn't seem to be denying any of the access or transfers
I'm performing, whatever the state of these Booleans, based on my
limited understanding of them.

Does anyone have a better understanding of these particular Booleans,
what they actually imply, what labels the files need in order to be
affected by them, any other condition they require to enforce upon the
system...and mainly how I can intentionally invoke a denial based on
one of them?


Thanks in advance,


-- 
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com

More information about the fedora-selinux-list mailing list