Bug 2219617

Summary: [RHEL 8] rsync in Geo-replication fails to sync data from primary to secondary
Product: Red Hat Enterprise Linux 8
Reporter: Shwetha K Acharya <sacharya>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: ASSIGNED
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: ---
CC: abhishku, lvrabec, mmalik, nknazeko, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: sacharya: needinfo? (sacharya)
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Type: Bug

Comment 2 Zdenek Pytela 2023-07-12 08:41:27 UTC
Can you elaborate a bit on what is happening on the system reporting denials? In particular, I'd like to know:

- Is it the initiator or the target system?
- Is rsync running as a client or a server?
- Is there some new setup on the system in question or a new feature? This permission was never allowed in selinux-policy so the scenario was never expected to work.

We would also like to have audit logs or journal to see details.

Is adding the one reported permission sufficient?

# cat local_rsync.cil
(allow rsync_t shell_exec_t (file (execute)))

# semodule -i local_rsync.cil
<reproduce the scenario>

Comment 7 Zdenek Pytela 2023-07-20 14:12:32 UTC
I am not aware of any related change in selinux-policy which would result in removing permissions for the rsync_t domain during the RHEL 8 development cycle.
Additional information is required to assess the issue, preferably with full auditing enabled:
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Also note there is the rsync_client boolean, which is set to off by default but can be turned on on a system where rsync runs as a client:

  # setsebool -P rsync_client on
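The step Comment 2 performs by hand, reading the denied permission out of an AVC record and writing the matching CIL allow rule, as an added example that is not part of this bug report or of selinux-policy. The AVC lines below are constructed in the shape auditd writes them; they are not the reporter's logs, and the helper only produces a rule for review, it installs nothing.

```python
import re
from collections import defaultdict

# Constructed AVC records (sample input, not taken from the bug report).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1689150000.123:456): avc:  denied  { execute } for  pid=1234 comm="rsync" name="bash" dev="dm-0" ino=1234 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1689150000.124:457): avc:  denied  { read open } for  pid=1234 comm="rsync" path="/usr/bin/bash" dev="dm-0" ino=1234 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1689150000.124:457): arch=c000003e syscall=59 success=no exit=-13 comm="rsync"
"""

# Pull the denied permission set and the source/target contexts and class
# out of one AVC record; non-AVC records (SYSCALL, PATH, ...) do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:range] -> type (e.g. system_u:system_r:rsync_t:s0 -> rsync_t)."""
    return context.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_cil(rules):
    """Render one CIL allow statement per (source, target, class), like local_rsync.cil."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cil(parse_denials(SAMPLE_AUDIT)))
```

Every permission the generated rule grants should be justified against the reproducer before it goes into a local module; a denial that only appears because of a misconfiguration is fixed in the configuration, not in policy.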