Bug 881993

Summary: rsyncd fails to chdir with autofs mounted nfs directory
Product: Red Hat Enterprise Linux 6
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: medium
Version: 6.3
CC: borgan, ddumas, dwalsh, ksrot, mmalik
Target Milestone: rc
Keywords: TestOnly
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-184.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:32:47 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Description Orion Poplawski 2012-11-29 17:41:04 EST
Description of problem:

Running rsyncd that serves an automounted nfs directory.  I get:

type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

rsync_use_nfs is on.
Comment 2 Orion Poplawski 2012-11-29 18:11:23 EST
Also, how do I get it to be able to write to the nfs directory?

type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

allow_rsync_anon_write --> on
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> on

I tried turning on allow_rsync_anon_write but that didn't help.
Comment 3 Orion Poplawski 2012-11-29 18:20:32 EST
Eventually needed to add exceptions for:

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file create;
        class dir { write search add_name };
}

#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_export_all_ro'

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search add_name };
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file create;
Comment 4 Miroslav Grepl 2012-11-30 04:39:52 EST
I made rsync as userdom_home_manager to fix these issues. Will backport.
Comment 5 Miroslav Grepl 2012-11-30 04:43:44 EST
(In reply to comment #4)
> I made rsync as userdom_home_manager to fix these issues. 

I meant in Fedora.
Comment 6 Orion Poplawski 2012-11-30 11:52:03 EST
I eventually had to disable dontaudit rules to be able to see:

type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file { write rename create unlink setattr };
        class dir { write search setattr remove_name create add_name };
}

#============= rsync_t ==============
#!!!! This avc is allowed in the current policy

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search setattr remove_name create add_name };
allow rsync_t nfs_t:file write;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file { rename create unlink setattr };
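The AVC records quoted in the description and in comments 2 and 6 all have the same layout. The following Python script is an added example, not part of this bug report and not a Red Hat or SELinux project tool: it parses such records into structured fields (source type, target type, object class, denied permissions, the process and object name), merges the denials per (source, target, class) the way audit2allow does, and renders them as a minimal policy module so a reviewer can see exactly which allow rules a set of denials would require before deciding whether an existing boolean or a custom module is the right fix. SAMPLE_AVCS holds the three denial lines quoted in this bug; the module name rsync-server is taken from comment 3; all function names are this example's own.

```python
import re
from collections import defaultdict

# Layout of an audit AVC record as quoted in this bug: a msg=audit(ts:serial)
# header, the decision, the braced permission list, then key=value attributes.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<attrs>.*)$'
)
# key=value pairs; quoted values (comm="rsync", name="/") may contain spaces.
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The three denials quoted in this bug (description, comment 2, comment 6).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir',
    'type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
]


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(m.group('attrs'))}
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'pid': attrs.get('pid'),
        'comm': attrs.get('comm'),
        'name': attrs.get('name'),
        'source': attrs['scontext'].split(':')[2],
        'target': attrs['tcontext'].split(':')[2],
        'tclass': attrs['tclass'],
    }


def aggregate(records):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for r in records:
        if r and r['result'] == 'denied':
            rules[(r['source'], r['target'], r['tclass'])] |= r['perms']
    return dict(rules)


def _perm_list(perms):
    """Format one permission bare and several inside braces, as .te syntax does."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_module(rules, name='rsync-server', version='1.0'):
    """Render a minimal .te policy module: require block, then allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'        type {t};' for t in types]
    out += [f'        class {cls} {_perm_list(classes[cls])};' for cls in sorted(classes)]
    out += ['}', '']
    for src, tgt, cls in sorted(rules):
        out.append(f'allow {src} {tgt}:{cls} {_perm_list(rules[(src, tgt, cls)])};')
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_module(aggregate(parse_avc(l) for l in SAMPLE_AVCS)))
```

Run against the three quoted lines it prints a module with `allow rsync_t autofs_t:dir search;`, `allow rsync_t nfs_t:dir write;` and `allow rsync_t nfs_t:file write;`; the larger permission sets in comments 3 and 6 come from denials the reporter collected across several runs, which is why aggregating over the whole audit log rather than one line matters.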
Comment 7 Miroslav Grepl 2012-12-03 03:10:25 EST
Yes, it will be covered by new rules.
Comment 10 Orion Poplawski 2012-12-11 10:45:40 EST
Looks good to me.  Thanks!
Comment 13 errata-xmlrpc 2013-02-21 03:32:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html