Bug 170405
| Summary: | rsync does not have, but requires, sys_chroot for default configuration | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Coulthart <davec> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 1.27.1-2.6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-10-18 14:40:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-*-1.27.1-2.6 Just installed selinux-policy-targeted-1.27.1-2.6 from fedora-updates and confirmed rsync now works with the default "use chroot = yes". Please go ahead and close the ticket with the appropriate resolution status. Thanks for fixing this. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050930 Firefox/1.0.7 Description of problem: I am attempting to run a standard public rsync repository. The default rsyncd.conf does not specify whether to use a chroot or not, so (according to the man page) the default is "use chroot = yes." Unfortunately according to the audit.log, selinux's targeted policy does not allow /usr/bin/rsync to perform a chroot: type=AVC msg=audit(1128980944.827:7307): avc: denied { sys_chroot } for pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability This results in the following error message when a client tries to communicate with the rsync server: client $ rsync server::rpath @ERROR: chroot failed rsync error: error starting client-server protocol (code 5) at main.c(1171) Version-Release number of selected component (if applicable): selinux-policy-targeted-1.27.1-2.3, rsync-2.6.4-3 How reproducible: Always Steps to Reproduce: 1. Setup an updated FC 4 machine with SELinux enabled with targeted policy & active enforcement. 2. Enable rsync in /etc/xinetd.conf/rsync (disable = no) 3. Configure /etc/rsyncd.conf to serve up a module (rsync policy allows it access to /srv/rsync) 4. Try to get a directory listing of that module from a client machine: $ rsync server::module Actual Results: Client receives the error message: @ERROR: chroot failed rsync error: error starting client-server protocol (code 5) at main.c(1171) Server logs the following in audit.log: type=AVC msg=audit(1128980944.827:7307): avc: denied { sys_chroot } for pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability Expected Results: SELinux should allow rsync to perform a chroot and the client should successfully receive a directory listing from the rsync server. Additional info: