Bug 170405 - rsync does not have, but requires, sys_chroot for default configuration
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-10-11 09:32 EDT by David Coulthart
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Last Closed: 2005-10-18 10:40:37 EDT
Description David Coulthart 2005-10-11 09:32:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050930 Firefox/1.0.7

Description of problem:
I am attempting to run a standard public rsync repository.  The default rsyncd.conf does not specify whether to use a chroot or not, so (according to the man page) the default is "use chroot = yes."  Unfortunately according to the audit.log, selinux's targeted policy does not allow /usr/bin/rsync to perform a chroot:

type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

This results in the following error message when a client tries to communicate with the rsync server:

client $ rsync server::rpath
@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3, rsync-2.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an updated FC 4 machine with SELinux enabled with targeted policy & active enforcement.
2. Enable rsync in /etc/xinetd.conf/rsync (disable = no)
3. Configure /etc/rsyncd.conf to serve up a module (rsync policy allows it access to /srv/rsync)
4. Try to get a directory listing of that module from a client machine:
$ rsync server::module
  

Actual Results:  Client receives the error message:

@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Server logs the following in audit.log:
type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } for  pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

Expected Results:  SELinux should allow rsync to perform a chroot and the client should successfully receive a directory listing from the rsync server.

Additional info:
Comment 1 Daniel Walsh 2005-10-17 14:14:31 EDT
Fixed in selinux-policy-*-1.27.1-2.6
Comment 2 David Coulthart 2005-10-18 10:39:23 EDT
Just installed selinux-policy-targeted-1.27.1-2.6 from fedora-updates and
confirmed rsync now works with the default "use chroot = yes".  Please go ahead
and close the ticket with the appropriate resolution status.  Thanks for fixing
this.
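
Added example (not part of the original report, and not the policy change shipped in the fixed package): a Python parser for an AVC denial record like the one quoted in the description, rendering the type-enforcement rule that the denial corresponds to, the way audit2allow-style tooling derives it. The function names are hypothetical, and SAMPLE is the record from the report embedded as constructed input.

```python
import re

# Constructed sample: the AVC record quoted in the report above.
SAMPLE = ('type=AVC msg=audit(1128980944.827:7307): avc:  denied  { sys_chroot } '
          'for  pid=22356 comm="rsync" capability=18 '
          'scontext=system_u:system_r:rsync_t '
          'tcontext=system_u:system_r:rsync_t tclass=capability')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs; values are either quoted strings or bare tokens.
    fields = {k: v.strip('"') for k, v in
              re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Type field of user:role:type[:mls-range]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rule(rec):
    """Render the type-enforcement rule that would permit the denied access."""
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    # A domain acting on itself (as in capability checks) is written 'self'.
    tgt = 'self' if tgt == src else tgt
    perms = rec['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (src, tgt, rec['tclass'], perm_s)


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE)))
```

For the record in this report the output is a single capability rule on the rsync_t domain itself; reviewing that rule before loading it is the point at which to decide whether the daemon should instead run with "use chroot = no".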
