Bug 170405

Summary: rsync does not have, but requires, sys_chroot for default configuration
Product: [Fedora] Fedora Reporter: David Coulthart <davec>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: 1.27.1-2.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-18 14:40:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description David Coulthart 2005-10-11 13:32:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050930 Firefox/1.0.7

Description of problem:
I am attempting to run a standard public rsync repository.  The default rsyncd.conf does not specify whether to use a chroot or not, so (according to the man page) the default is "use chroot = yes."  Unfortunately according to the audit.log, selinux's targeted policy does not allow /usr/bin/rsync to perform a chroot:

type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

This results in the following error message when a client tries to communicate with the rsync server:

client $ rsync server::rpath
@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3, rsync-2.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. Setup an updated FC 4 machine with SELinux enabled with targeted policy & active enforcement.
2. Enable rsync in /etc/xinetd.conf/rsync (disable = no)
3. Configure /etc/rsyncd.conf to serve up a module (rsync policy allows it access to /srv/rsync)
4. Try to get a directory listing of that module from a client machine:
$ rsync server::module
  

Actual Results:  Client receives the error message:

@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Server logs the following in audit.log:
type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

Expected Results:  SELinux should allow rsync to perform a chroot and the client should successfully receive a directory listing from the rsync server.

Additional info:

Comment 1 Daniel Walsh 2005-10-17 18:14:31 UTC
Fixed in selinux-policy-*-1.27.1-2.6


Comment 2 David Coulthart 2005-10-18 14:39:23 UTC
Just installed selinux-policy-targeted-1.27.1-2.6 from fedora-updates and
confirmed rsync now works with the default "use chroot = yes".  Please go ahead
and close the ticket with the appropriate resolution status.  Thanks for fixing
this.