Bug 403241

Summary: Targeted policy breaks rsync as daemon and rsyncd.log logging
Product: Red Hat Enterprise Linux 5 Reporter: Mike Shaver <shaver>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.0CC: dwalsh, ebenes
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0465 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 16:06:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
local rsync policy to permit netlink and logging access none

Description Mike Shaver 2007-11-28 18:23:45 UTC 
Description of problem:
The targeted policy prevents rsync_t from manipulating the netlink_route_socket,
which it tries to do in at least some rsyncd configurations (possibly related to
the use of "hosts allow"), and also keeps it from being able to create
/var/log/rsyncd.log or append to it if present.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

I worked out a policy that permits these things, with much help from Dominick
Grift, which I'll attach below.  It's my first such policy, and at least one
thing I think might be a sign of a bug in my thinking or the logging.if stuff,
but I'm sure someone with more experience here can quickly make it not suck. :)

To wit: the lines marked with "XXX logging_log_file" are needed to satisfy
dependencies of logging_log_file's expansion, so I would naively expect them to
be gen_require'd or something from within logging_log_file itself.

I also use the following fcontext; not sure if it's suitable for being the default:

/var/log/rsyncd.log          --   gen_context(system_u:object_r:rsync_log_t,s0)
Comment 1 Mike Shaver 2007-11-28 18:23:45 UTC 
Created attachment 271581 [details]
local rsync policy to permit netlink and logging access
Comment 2 Mike Shaver 2007-11-28 18:26:21 UTC 
Because I am a rockstar nonpareil, I uploaded the version without the XXX
markers.  The lines in question are these:

        class filesystem { associate }; # XXX logging_log_file?
        class dir all_dir_perms; # XXX logging_log_file
Comment 3 Daniel Walsh 2007-12-01 13:12:35 UTC 
Excellent job.

Your fixes will be in U2 policy.

If you use 
policy_module(rsynclocal,1.0)
instead of 
module rsynclocal 1.0;

You will get the gen_requires for free.

Also in Rawhide and Fedora 8 we are using

auth_use_nsswitch(rsync_t) 

Which gives you the netlink_route_socket  allow rule

Fixed in selinux-policy-2.4.6-107.el5.src.rpm
Comment 4 Daniel Walsh 2008-03-05 22:00:09 UTC 
Fixed in selinux-policy-2.4.6-125
Comment 5 RHEL Program Management 2008-03-05 22:07:28 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 errata-xmlrpc 2008-05-21 16:06:12 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html