Bug 170405 - rsync does not have, but requires, sys_chroot for default configuration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-10-11 13:32 UTC by David Coulthart
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-18 14:40:37 UTC
Type: ---
Embargoed:


Description David Coulthart 2005-10-11 13:32:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050930 Firefox/1.0.7

Description of problem:
I am attempting to run a standard public rsync repository.  The default rsyncd.conf does not specify whether to use a chroot or not, so (according to the man page) the default is "use chroot = yes."  Unfortunately, according to the audit.log, SELinux's targeted policy does not allow /usr/bin/rsync to perform a chroot:

type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

This results in the following error message when a client tries to communicate with the rsync server:

client $ rsync server::rpath
@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3, rsync-2.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an updated FC 4 machine with SELinux enabled with targeted policy & active enforcement.
2. Enable rsync in /etc/xinetd.conf/rsync (disable = no)
3. Configure /etc/rsyncd.conf to serve up a module (rsync policy allows it access to /srv/rsync)
4. Try to get a directory listing of that module from a client machine:
$ rsync server::module
  

Actual Results:  Client receives the error message:

@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Server logs the following in audit.log:
type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

Expected Results:  SELinux should allow rsync to perform a chroot and the client should successfully receive a directory listing from the rsync server.

Additional info:

Comment 1 Daniel Walsh 2005-10-17 18:14:31 UTC
Fixed in selinux-policy-*-1.27.1-2.6


Comment 2 David Coulthart 2005-10-18 14:39:23 UTC
Just installed selinux-policy-targeted-1.27.1-2.6 from fedora-updates and
confirmed rsync now works with the default "use chroot = yes".  Please go ahead
and close the ticket with the appropriate resolution status.  Thanks for fixing
this.
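
Added example (not part of the original bug thread, and not the policy change that shipped in 1.27.1-2.6, which the page does not show): a small Python parser that decodes the AVC record quoted in the report and derives the allow rule such a denial maps to, in the same shape audit2allow prints. The function names are hypothetical; the log line is copied from the report.

```python
import re

# AVC record copied from the bug report above.
AVC_LINE = ('type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  '
            'pid=22356 comm="rsync" capability=18 '
            'scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t '
            'tclass=capability')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into a dict; return None if it is not an AVC line."""
    m = AVC_RE.search(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(result=m.group('result'), perms=m.group('perms').split(),
               epoch=float(m.group('epoch')), serial=int(m.group('serial')))
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {context!r}')
    return parts[2]


def suggested_rule(rec):
    """Build the allow rule a denial maps to; None for records that were granted."""
    if rec['result'] != 'denied':
        return None
    source = context_type(rec['scontext'])
    target = context_type(rec['tcontext'])
    if target == source:
        target = 'self'   # a domain acting on itself, as with capability checks
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {source} {target}:{rec['tclass']} {perm_text};"


if __name__ == '__main__':
    print(suggested_rule(parse_avc(AVC_LINE)))
```

A derived rule like this is a starting point for policy review, since it grants exactly what was denied and nothing about whether the access should be allowed.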

