Bug 168033 - Design of rsync policy misconceived
Design of rsync policy misconceived
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-09-11 01:52 EDT by Jonathan S. Shapiro
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 1.27.1-2.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-03-20 05:23:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jonathan S. Shapiro 2005-09-11 01:52:10 EDT
The recent update to the rsyncd in -targeted seems to me to be ill conceived.
I'm filing this as a security bug because the effect of the new policy is to get
people to disable it in whole or in part.

Our server configuration is fairly typical of those that use rsyncd: we have
trees that are available via rsyncd that are ALSO available via the webserver.

There are two problems with using the ftpd_anon_t context for rsync:

  1. The name makes no bloody sense, which is a security flaw in its
     own right
  2. In our case, the files in question also need to be httpd_sys_content_t,
     and they cannot be both.

I'm struck that perhaps we need a label that says "this file can be shown to the
world and I really don't care whether it is through apache, ftpd, tftpd, rsyncd,
or tin can and string." Perhaps "public_content_t". Alternatively, we may want a
boolean saying that rsync should accept httpd_sys_content_t as an alternative to

More generally, I'm struck that the selinux "one context per file" policy is
creating great difficulty in fashioning any sort of reasonable theory of
operation for how various overlapping programs like this should behave. What is
happening here is that the context selected is two narrow to cover the usage
pattern, with the consequence that selinux is getting in the way of successful

Is there a complete list of contexts somewhere, along with an explanation of
usage? Shouldn't there be one as part of the policy documentation?

Best regards
Comment 1 Daniel Walsh 2005-09-19 11:20:44 EDT
Change ftpd_anon to public_content in rawhide.
httpd should be able to read public_content (ftpd_anon_t) files.

We have a domain anonymous_domain, which basically allows ftpd, apache, rsyncd
to expose this content.

I would prefer that you label you httpd_sys_content_t as public_content_t, then
add a boolean.

Comment 2 Daniel Walsh 2005-09-27 15:43:53 EDT
Fixed in selinux-policy-targeted-1.27.1-2.3

Note You need to log in before you can comment on or make changes to this bug.