Bug 1263770
| Summary: | rsyncd getting AVC denials despite rsync_export_all_ro | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jacob Welsh <jwelsh-rhbz> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Zarsky <jzarsky> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | jzarsky, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-66.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:22:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Following boolean allows that kind of access, but it also allows read-write access to all files / directories on the file-system, which might be a security problem:
* rsync_full_access
# sesearch -s rsync_t -t auditd_etc_t -c file -p getattr -A -C
Found 1 semantic av rules:
DT allow rsync_t non_auth_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ rsync_full_access ]
# sesearch -s rsync_t -t default_context_t -c file -p getattr -A -C
Found 1 semantic av rules:
DT allow rsync_t non_auth_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ rsync_full_access ]
# sesearch -s rsync_t -t semanage_store_t -c file -p getattr -A -C
Found 2 semantic av rules:
DT allow rsync_t non_auth_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ rsync_full_access ]
DT allow rsync_t semanage_store_t : file { ioctl write create getattr lock append open } ; [ rsync_full_access ]
# sesearch -s rsync_t -t semanage_store_t -c lnk_file -p getattr -A -C
Found 1 semantic av rules:
DT allow rsync_t non_auth_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ rsync_full_access ]
#
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: With rsyncd configured to serve "/" as read-only and the rsync_export_all_ro boolean set, it still gets denials when certain locations such as /etc/audit/ and /etc/selinux/ are accessed: type=SYSCALL msg=audit(09/16/2015 06:06:34.568:19886) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7ffd67cf3140 a1=0x7ffd67cf30b0 a2=0x7ffd67cf30b0 a3=0x0 items=0 ppid=1241 pid=20625 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rsync exe=/usr/bin/rsync subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(09/16/2015 06:06:34.568:19886) : avc: denied { getattr } for pid=20625 comm=rsync path=/etc/selinux/targeted/policy/policy.29 dev="dm-0" ino=1342302 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file Version-Release number of selected component (if applicable): 3.13.1-23.el7_1.13 Additional info: "audit2allow" yields the following rules: allow rsync_t auditd_etc_t:file getattr; allow rsync_t default_context_t:file getattr; allow rsync_t semanage_store_t:file getattr; allow rsync_t semanage_store_t:lnk_file getattr;