Bug 458014

Summary: rsync -X does not preserve SELinux context
Product: [Fedora] Fedora
Reporter: Murray McAllister <mmcallis>
Component: rsync
Assignee: Simo Sorce <ssorce>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 10
CC: dwalsh, mstuff, pahan, vdanen
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-12-18 06:17:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments (description / flags):
* See Comment #7 / none
* See Comment #7 / none
* See Comment #16 / none
* RsyncMM>MOMroot>root / none

Description Murray McAllister 2008-08-06 05:53:45 UTC
Description of problem:

Apologies if this is user error and not a bug.

rsync -X (or rsync -avHPAX) does not preserve the SELinux context.

Version-Release number of selected component (if applicable):

Running rsync from:

* Fedora release 9 (Sulphur) 2.6.25.11-97.fc9.i686 (running in VirtualBox 1.6.0)
* rsync-3.0.3-0.fc9.i386
* openssh-5.0p1-3.fc9.i386
* openssh-clients-5.0p1-3.fc9.i386
* openssh-server-5.0p1-3.fc9.i386
* openssh-askpass-5.0p1-3.fc9.i386

* selinux-policy-3.3.1-79.fc9.noarch
* selinux-policy-devel-3.3.1-79.fc9.noarch
* selinux-policy-targeted-3.3.1-79.fc9.noarch
* libselinux-python-2.0.67-4.fc9.i386
* libselinux-2.0.67-4.fc9.i386
* policycoreutils-2.0.52-5.fc9.i386

Syncing to:

* Red Hat Enterprise Linux Client release 5.2 (Tikanga) (2.6.18-92.1.1.el5 i686)
* rsync-2.6.8-3.1
* openssh-askpass-4.3p2-26.el5
* openssh-server-4.3p2-26.el5
* openssh-clients-4.3p2-26.el5
* openssh-4.3p2-26.el5

* libselinux-devel-1.33.4-5.el5
* libselinux-python-1.33.4-5.el5
* selinux-policy-2.4.6-137.el5
* libselinux-1.33.4-5.el5
* selinux-policy-targeted-2.4.6-137.el5
* policycoreutils-1.33.12-14.el5


How reproducible:

Always

Steps to Reproduce:
1. Create a file in your home directory.
2. Run "chcon -t httpd_sys_content_t filename"
3. rsync the file using the "-avHPAX" options.
4. Check the SELinux context on the file on the remote machine.
  
Actual results:

.file2.D5JTYo: rsync_xal_set: lsetxattr security.selinux failed: Invalid argument
rsync error: some files could not be transferred (code 23) at main.c(1040) [sender=3.0.3]

The file transfers correctly, but is labeled with the default_t type.

Expected results:

The file is labeled with the httpd_sys_content_t type.

Additional info:

I tried doing this between directories on the same machine but the context was not preserved.

Looks similar to <https://bugzilla.samba.org/show_bug.cgi?id=5356>.

Comment 1 Murray McAllister 2008-08-06 06:17:52 UTC
There are no AVC denials on either system.

Comment 2 morgan read 2009-05-01 11:51:17 UTC
Yup, I can confirm this.

Source
$ uname -r
2.6.27.21-170.2.56.fc10.i686
Target
# uname -r
2.6.26.8-57.fc8

rsync: rsync_xal_set: lsetxattr(".","security.selinux") failed: Invalid argument (22)

Here are links to my posts to the rsync mailing list that describe an -X failure to preserve SELinux with error (22):
http://lists.samba.org/archive/rsync/2009-April/022996.html
http://lists.samba.org/archive/rsync/2009-April/023150.html

Here's a bug I'm about to re-open because I don't see that "the 'lsetxattr' failure is caused by a fundamental change in the file system data structures implementing extended SELinux file attributes between Linux kernels" 2.6.26 and 2.6.27, which is the implication of the reason for closing the bug:
https://bugzilla.samba.org/show_bug.cgi?id=5356

Comment 3 morgan read 2009-05-01 12:16:56 UTC
Couldn't re-open, so here's the new bug:
https://bugzilla.samba.org/show_bug.cgi?id=6312

Comment 4 Simo Sorce 2009-05-01 12:27:33 UTC
You have to understand that SELinux labels are not defined in the kernel, but *loaded* in the kernel at startup sourcing from the policy files.

So first test would be do rsync from one directory to another of the same machine (as root with all necessary capabilities) and checking if SELinux attributes are preserved (try on both machines). If there are failures on the same machine then we can start considering whether it is an rsync bug or a bad SELinux policy preventing rsync from doing its job correctly.
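
The local round-trip test described in this comment, scripted as an added example (this is not code from the bug report, from rsync, or from the Fedora maintainers). It copies a tree with `rsync -aX` on one machine, reads `security.selinux` on every source and destination entry with os.getxattr, and lists the labels that did not survive. It has to run as root: per rsync(1), a copy done by the super-user carries all xattr namespaces except system.*, while a normal user only copies user.*, so an unprivileged run never even tries to set security.selinux. The names audit_tree, compare_labels, label_type and roundtrip are this example's own, and the sample dictionaries in the usage are constructed.

```python
"""Local 'rsync -aX' round-trip check for SELinux labels (added example)."""
import os
import subprocess
import sys

ATTR = "security.selinux"


def read_label(path):
    """SELinux context of `path` (symlinks not followed), or None when the
    filesystem has no label to give (SELinux off, no xattr support, ...)."""
    try:
        raw = os.getxattr(path, ATTR, follow_symlinks=False)
    except OSError:
        return None
    # Some kernels return the context NUL-terminated; strip it.
    return raw.decode("ascii", "replace").rstrip("\0")


def audit_tree(root):
    """Map relative path -> label for `root` itself and everything under it."""
    labels = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # dirnames is included so symlinks to directories (which walk does not
        # descend into) are labelled too; real subdirectories are simply
        # re-recorded with the same value when walk reaches them.
        entries = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
        for full in entries:
            labels[os.path.relpath(full, root)] = read_label(full)
    return labels


def compare_labels(src, dst):
    """(relpath, src_label, dst_label) for every source entry whose label was
    not reproduced on the destination; entries missing there get dst_label=None."""
    diffs = []
    for rel, want in sorted(src.items()):
        got = dst.get(rel)
        if want != got:
            diffs.append((rel, want, got))
    return diffs


def label_type(label):
    """Type field of 'user:role:type[:range]', or None if there is no label."""
    if not label:
        return None
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def roundtrip(src_dir, dst_dir):
    """rsync src_dir/ -> dst_dir/ with -aX, then audit both sides.
    Returns (rsync exit status, label diffs)."""
    cmd = ["rsync", "-aX", "--", src_dir.rstrip("/") + "/", dst_dir.rstrip("/") + "/"]
    rc = subprocess.call(cmd)
    return rc, compare_labels(audit_tree(src_dir), audit_tree(dst_dir))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} SRC_DIR DST_DIR   (run as root)")
    if os.geteuid() != 0:
        print("warning: not root, rsync will not transfer security.* xattrs", file=sys.stderr)
    try:
        rc, diffs = roundtrip(sys.argv[1], sys.argv[2])
    except FileNotFoundError:
        sys.exit("rsync not found in PATH")
    for rel, want, got in diffs:
        print(f"{rel}: type {label_type(want)} -> {label_type(got)}   ({want} -> {got})")
    print(f"rsync exit {rc}; {len(diffs)} label mismatch(es)")
    sys.exit(1 if diffs or rc else 0)
```

An exit status of 23 from rsync together with `rsync_xal_set` lines on stderr means the receiver tried and the kernel refused the label; a clean exit with mismatches in the report (as in comment #12 later in this bug) means the label was never sent, which is what happens when the copy is not done as root.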

Comment 5 morgan read 2009-05-02 06:16:13 UTC
Created attachment 342167 [details]
See Comment #7

Comment 6 morgan read 2009-05-02 06:33:38 UTC
Created attachment 342168 [details]
See Comment #7

Ooops, looks like that should have been see Comment #7

Comment 7 morgan read 2009-05-02 06:34:30 UTC
Done that, output attached.  Source machine is RsyncMM and Target is RsyncMOM.

Short answer, no - no failures on either machine.

Ran "rsync -avzAXH --delete-after" on each machine.

But, from memory - a few months ago - I did run rsync -avzAXH against /etc on the Target machine (MOM), more or less as attached, and did get some errors.  They may have been the (95) failures, but those were all beagle problems which wouldn't be relevant to /etc .  At that time I was mounting the Target drive (bigdisk) via gnome vfs.  Now it's mounted at boot with the options "defaults,acl,user_xattr" in fstab.

Comment 8 Simo Sorce 2009-05-02 14:35:40 UTC
*** Bug 496552 has been marked as a duplicate of this bug. ***

Comment 9 Simo Sorce 2009-05-02 14:38:36 UTC
Error 22 is EINVAL, can you please post which selinux policy you have installed on both machine and exactly what file causes that error?
I really suspect it is because one of the 2 systems has a label the other knows nothing about.
Let's try to see if this is true.

Comment 10 Murray McAllister 2009-05-03 00:38:09 UTC
Syncing to a directory on the same machine seems to preserve the context now, but an error still occurs:

* Red Hat Enterprise Linux Client release 5.3 (Tikanga)
* rsync-2.6.8-3.1 (same version as comment #0)
* selinux-policy-2.4.6-203.el5
* selinux-policy-targeted-2.4.6-203.el5

1. cd
2. touch file1 && chcon -t httpd_sys_content_t file1 && mkdir b
3. ls -lZ file1
-rw-rw-r--  mmcallis mmcallis user_u:object_r:httpd_sys_content_t file1
4. ls -ldZ b
drwxrwxr-x  mmcallis mmcallis user_u:object_r:user_home_t      b
5. rsync -avHPAX file1 b/
building file list ... 
1 file to consider
file1
           0 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)
set_acl: sys_acl_get_file(.file1.T8WYMk, SMB_ACL_TYPE_ACCESS): Operation not supported

sent 198 bytes  received 42 bytes  480.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files could not be transferred (code 23) at main.c(892) [sender=2.6.8]
6. ls -lZ b/file1 
-rw-rw-r--  mmcallis mmcallis user_u:object_r:httpd_sys_content_t b/file1 (context preserved)

Comment 11 Murray McAllister 2009-05-03 00:38:53 UTC
bah, forgot it was reported against Fedora. Please ignore comment #10

Comment 12 Murray McAllister 2009-05-03 00:48:35 UTC
On Fedora 10 with:
* rsync-3.0.5-1.fc10.i386
* selinux-policy-3.5.13-57.fc10.noarch
* selinux-policy-targeted-3.5.13-57.fc10.noarch

doing same steps as comment #10

$ rsync -avHPAX file1 b/
sending incremental file list
file1
           0 100%    0.00kB/s    0:00:00 (xfer#1, to-check=0/1)

sent 125 bytes  received 31 bytes  312.00 bytes/sec
total size is 0  speedup is 0.00
[murray@localhost ~]$ ls -lZ b/file1 
-rw-rw-r--  murray murray unconfined_u:object_r:user_home_t:s0 b/file1

looks like no errors and context not preserved.

Comment 13 Murray McAllister 2009-05-03 00:52:05 UTC
From comment #4, when done on Fedora 10 as the root user, the context is preserved when syncing to a directory on the local machine.

Comment 14 Simo Sorce 2009-05-03 14:54:31 UTC
Was the test on RHEL done as user or as root ?

Comment 15 Murray McAllister 2009-05-03 22:25:40 UTC
comment #10 was done as a standard user (user_u:system_r:unconfined_t)

Comment 16 morgan read 2009-05-04 09:49:32 UTC
Created attachment 342288 [details]
See Comment #16

Re Comment #9

[root@morgansoldmachine ~]# rpm -q selinux-policy
selinux-policy-3.0.8-127.fc8
[morgan@morgansmachine Desktop]$ rpm -q selinux-policy
selinux-policy-3.5.13-55.fc10.noarch

"exactly what file causes that error"...
See attachment, too many to mention - too many for my terminal window; added back in the command at top of terminal output

Comment 17 Simo Sorce 2009-05-04 12:59:46 UTC
You can't set SELinux labels as a user; it's the whole point of MAC (Mandatory Access Control). If you could set labels yourself, SELinux would be useless.

I am marking this as NOTABUG unless setting SELinux attributes fails as root.

Comment 18 Murray McAllister 2009-05-04 21:55:10 UTC
I believe it is acceptable for a user to set certain (not all, of course) labels on files in their home directories, such as httpd_sys_content_t on their public_html/ directory. Will try to open a bug against selinux-policy; diffing rsync.te from Fedora and Red Hat Enterprise Linux showed policy version shipped with Red Hat Enterprise Linux having more rules, so maybe that is the problem?

Thanks.

Comment 19 Murray McAllister 2009-05-04 21:56:06 UTC
Hmm, maybe not "acceptable" but it works.

Comment 20 morgan read 2009-05-05 11:00:05 UTC
Created attachment 342435 [details]
RsyncMM>MOMroot>root

Re Comment #17

Sorry, I'm confused - how am I setting SELinux labels; how do I avoid doing so?  I'm running rsync as root, not user - unless sudo counts as user rather than root?  If I can't avoid setting SELinux labels as user running rsync, what's the point of -X?

Attached is the same output as for Comment #16, but run simply root to root - so how can I be setting anything as any user, other than root?

Comment 21 Simo Sorce 2009-05-05 12:31:54 UTC
(In reply to comment #20)
> Created an attachment (id=342435) [details]
> RsyncMM>MOMroot>root
> 
> Re Comment #17
> 
> Sorry, I'm confused - how am I setting selinux labels; how do I avoid doing so?
>  I'm running rsync as root, not user - unless sudo counts as user rather than
> root?  If I can't avoid setting selinux labels as user running rsync, what's
> the point of -X?
> 
> Attached is the same out put as for Comment #16, but run simply root to root -
> so how can I be setting anything as any user, other than root?  

Sorry Morgan,
your and Murray's reports got mingled and I assumed both of you used a normal user after Murray's reply.

Now back to the file list, can you pick one of the files that gives you an error and do an ls -aLZ on the source machine and report what SELinux context it reports ?

if you try as root to use chcon to set that same SELinux context on a file on the target machine does it succeed? Or do you get an error? if so what error ?

To me it seems to be all user browser confinement stuff, and if I am right you will find that chcon will fail on the target machine simply because these labels are unknown there. Can you confirm, please?
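
A triage helper for the EINVAL failures quoted in this thread, added here as an example (not code from the bug report, from rsync, or from the Fedora maintainers). It follows the hypothesis in comments #9 and #21: lsetxattr(2) on security.selinux returns EINVAL (22) when the receiving kernel's loaded policy does not recognise the incoming context, so the question is which field of the source label the target does not know. The code pulls the failing entries out of rsync's stderr (mapping rsync's temporary ".name.XXXXXX" names back to the real file name), splits each source context into user, role, type and range, and checks every field against what the target policy defines. All sample data is constructed; on real hosts the source labels come from `ls -Z` on the sender, and the target side from setools' `seinfo -u`, `seinfo -r` and `seinfo -t` plus /selinux/mls (or /sys/fs/selinux/mls on newer kernels). The kernel rules encoded in relabel_problems are stated as assumptions in the code and should be confirmed with `chcon` or `setfattr -n security.selinux` on the target, exactly as the comment above suggests. Function names are this example's own.

```python
"""Triage 'rsync_xal_set: lsetxattr ... Invalid argument' failures (added example)."""
import re

# Two error shapes appear in this bug (rsync 2.6.x and 3.0.x):
#   .file2.D5JTYo: rsync_xal_set: lsetxattr security.selinux failed: Invalid argument
#   rsync: rsync_xal_set: lsetxattr(".","security.selinux") failed: Invalid argument (22)
_SHAPE_A = re.compile(
    r"^(?P<path>.+?): rsync_xal_set: lsetxattr (?P<attr>\S+) failed: "
    r"(?P<msg>.+?)(?: \((?P<errno>\d+)\))?$")
_SHAPE_B = re.compile(
    r'^rsync: rsync_xal_set: lsetxattr\("(?P<path>[^"]*)","(?P<attr>[^"]*)"\) failed: '
    r"(?P<msg>.+?)(?: \((?P<errno>\d+)\))?$")
# rsync writes each file as ".<name>.<6 random chars>" and renames it on success,
# so the path in the error is the temporary name, not the real one.
_TMPNAME = re.compile(r"^\.(?P<name>.+)\.[A-Za-z0-9]{6}$")


def real_name(path):
    m = _TMPNAME.match(path)
    return m.group("name") if m else path


def parse_xattr_errors(stderr_text):
    """[{'file', 'attr', 'msg', 'errno'}] for every rsync_xal_set failure line."""
    found = []
    for line in stderr_text.splitlines():
        m = _SHAPE_B.match(line) or _SHAPE_A.match(line)
        if m:
            found.append({
                "file": real_name(m.group("path")),
                "attr": m.group("attr"),
                "msg": m.group("msg"),
                "errno": int(m.group("errno")) if m.group("errno") else None,
            })
    return found


def parse_context(ctx):
    """'user:role:type[:range]' -> dict. The range ('s0', 's0-s0:c0.c1023', ...)
    is present on MLS/MCS policies and absent on the RHEL 5 output in comment #10."""
    parts = ctx.split(":", 3)          # maxsplit keeps colons inside the range
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def relabel_problems(ctx, policy):
    """Reasons `ctx` would be rejected by a kernel running `policy`
    ({'users','roles','types': set, 'mls': bool}); an empty list means it looks valid.
    Assumed kernel behaviour (verify on the target with chcon/setfattr): every
    identifier in the context must exist in the loaded policy, and a range must be
    present exactly when the policy is MLS-enabled."""
    c = parse_context(ctx)
    problems = []
    for field in ("user", "role", "type"):
        if c[field] not in policy[field + "s"]:
            problems.append(f"{field} {c[field]!r} is not defined in the target policy")
    if c["range"] is not None and not policy["mls"]:
        problems.append(f"range {c['range']!r} given but target policy is not MLS-enabled")
    if c["range"] is None and policy["mls"]:
        problems.append("no MLS range given but target policy is MLS-enabled")
    return problems


def triage(stderr_text, source_labels, policy):
    """Map each failing file to why its source label cannot be set on the target.
    `source_labels` is {name: context} as shown by `ls -Z` on the sender."""
    report = {}
    for err in parse_xattr_errors(stderr_text):
        if err["attr"] != "security.selinux":
            continue
        ctx = source_labels.get(err["file"])
        if ctx is None:
            report[err["file"]] = ["source label unknown (not in the ls -Z listing)"]
        else:
            report[err["file"]] = relabel_problems(ctx, policy) or [
                f"label {ctx!r} looks valid on target; check AVC denials and xattr mount options"]
    return report


# ---- constructed sample data (not taken from any real host) ----
SAMPLE_STDERR = """\
.file2.D5JTYo: rsync_xal_set: lsetxattr security.selinux failed: Invalid argument
rsync: rsync_xal_set: lsetxattr(".","security.selinux") failed: Invalid argument (22)
set_acl: sys_acl_get_file(.file1.T8WYMk, SMB_ACL_TYPE_ACCESS): Operation not supported
rsync error: some files could not be transferred (code 23) at main.c(1040) [sender=3.0.3]
"""
# Sender side, policy-3.x style labels with an MCS range.
SAMPLE_SOURCE_LABELS = {
    "file2": "unconfined_u:object_r:httpd_sys_content_t:s0",
    ".": "unconfined_u:object_r:user_home_dir_t:s0",
}
# Receiver side: a deliberately tiny, non-MLS policy that defines no unconfined_u.
SAMPLE_TARGET_POLICY = {
    "users": {"system_u", "user_u", "root"},
    "roles": {"object_r", "system_r", "user_r"},
    "types": {"default_t", "user_home_t", "user_home_dir_t", "httpd_sys_content_t"},
    "mls": False,
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_STDERR, SAMPLE_SOURCE_LABELS, SAMPLE_TARGET_POLICY).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Only the `security.selinux` failures are triaged; the `set_acl` line in the sample is a separate problem (ACL support on the destination filesystem, seen in comment #10) and is left alone. The check is deliberately about the receiving policy, not the sending one: a label that `ls -Z` happily prints on the sender can still be meaningless to an older or differently built policy on the receiver, which is the situation Simo describes above.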

Comment 22 Bug Zapper 2009-06-10 02:23:15 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 23 Bug Zapper 2009-07-14 18:22:07 UTC
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 24 morgan read 2009-07-16 22:58:10 UTC
I've been running f10 for my comments above - so please re-open.  I'll get onto it soon...  Busy, busy, busy.  Thanks

Comment 25 Bug Zapper 2009-11-18 12:38:11 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 26 Bug Zapper 2009-12-18 06:17:09 UTC
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.