Bug 1290845 - rsyncd seems to be blocked from writing to rsync_data_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
Blocks:
Reported: 2015-12-11 11:09 EST by Tom Hughes
Modified: 2016-01-04 09:21 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-04 09:13:17 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Tom Hughes 2015-12-11 11:09:34 EST
Description of problem:

I'm trying to allow rsyncd to write to a particular directory so, per the manual page I have labelled that directory as rsync_data_t but it still doesn't seem to work and reports AVCs:

---
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.860:413978): avc:  denied  { setattr } for  pid=23953 comm="rsync" name="emscote.compton.nu" dev="vda3" ino=1080028 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=dir permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.877:413979): avc:  denied  { write } for  pid=23954 comm="rsync" name="emscote.compton.nu" dev="vda3" ino=1080028 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=dir permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.877:413980): avc:  denied  { add_name } for  pid=23954 comm="rsync" name=".cert.pem.avKlvq" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=dir permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.877:413981): avc:  denied  { create } for  pid=23954 comm="rsync" name=".cert.pem.avKlvq" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.878:413982): avc:  denied  { write } for  pid=23954 comm="rsync" path="/emscote.compton.nu/.cert.pem.avKlvq" dev="vda3" ino=1079575 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.878:413983): avc:  denied  { setattr } for  pid=23954 comm="rsync" name=".cert.pem.avKlvq" dev="vda3" ino=1079575 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.878:413984): avc:  denied  { remove_name } for  pid=23954 comm="rsync" name=".cert.pem.avKlvq" dev="vda3" ino=1079575 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=dir permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.878:413985): avc:  denied  { rename } for  pid=23954 comm="rsync" name=".cert.pem.avKlvq" dev="vda3" ino=1079575 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file permissive=1
----
time->Fri Dec 11 15:57:54 2015
type=AVC msg=audit(1449849474.878:413986): avc:  denied  { unlink } for  pid=23954 comm="rsync" name="cert.pem" dev="vda3" ino=1079566 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-155.fc23.noarch
Comment 1 Miroslav Grepl 2016-01-04 09:13:17 EST
rsync_selinux(8) man page could help you here.

See "SHARING FILES" section.

Thank you.
Comment 2 Tom Hughes 2016-01-04 09:21:52 EST
Well not really, because this very definitely isn't "public content" that I want things like web servers to be able to even read, let alone write.

I simply want rsync to be able to write to the directory. No need to share with any other (confined) domains. So I read that manual page and this section:

       rsync_data_t

       - Set files with the rsync_data_t type, if you want to treat the files
       as rsync content.

and set the context on the directory accordingly.

Is "rsync content" not content that rsync can access?
