From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050930 Firefox/1.0.7

Description of problem:
I am attempting to run a standard public rsync repository. The default rsyncd.conf does not specify whether to use a chroot or not, so (according to the man page) the default is "use chroot = yes." Unfortunately, according to the audit.log, SELinux's targeted policy does not allow /usr/bin/rsync to perform a chroot:

type=AVC msg=audit(1128980944.827:7307): avc: denied { sys_chroot } for pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

This results in the following error message when a client tries to communicate with the rsync server:

client $ rsync server::rpath
@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.3, rsync-2.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an updated FC 4 machine with SELinux enabled with targeted policy & active enforcement.
2. Enable rsync in /etc/xinetd.conf/rsync (disable = no)
3. Configure /etc/rsyncd.conf to serve up a module (rsync policy allows it access to /srv/rsync)
4. Try to get a directory listing of that module from a client machine:
   $ rsync server::module

Actual Results:
Client receives the error message:

@ERROR: chroot failed
rsync error: error starting client-server protocol (code 5) at main.c(1171)

Server logs the following in audit.log:

type=AVC msg=audit(1128980944.827:7307): avc: denied { sys_chroot } for pid=22356 comm="rsync" capability=18 scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability

Expected Results:
SELinux should allow rsync to perform a chroot and the client should successfully receive a directory listing from the rsync server.

Additional info:

Fixed in selinux-policy-*-1.27.1-2.6
Just installed selinux-policy-targeted-1.27.1-2.6 from fedora-updates and confirmed rsync now works with the default "use chroot = yes". Please go ahead and close the ticket with the appropriate resolution status. Thanks for fixing this.