Can you elaborate a bit on what is happening on the system reporting denials? In particular, I'd like to know:

- Is it the initiator or the target system?
- Is rsync running as a client or a server?
- Is there some new setup on the system in question or a new feature?

This permission was never allowed in selinux-policy so the scenario was never expected to work. We would also like to have audit logs or journal to see details.

Is adding the one reported permission sufficient?

# cat local_rsync.cil
(allow rsync_t shell_exec_t (file (execute)))
# semodule -i local_rsync.cil
<reproduce the scenario>
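One way to answer the "is the one permission sufficient?" question after reproducing, shown as an added example that is not part of the original comment: compare the AVC denials for rsync_t against the rules in the local CIL module. The AVC records below are constructed sample input, and the function names are hypothetical.

```python
import re

# The local module exactly as given in the comment above.
LOCAL_CIL = "(allow rsync_t shell_exec_t (file (execute)))"

# Constructed sample AVC records (not taken from the reporter's system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1600000000.101:501): avc:  denied  { execute } for  pid=2101 comm="rsync" name="bash" dev="dm-0" ino=1001 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000050.202:502): avc:  denied  { execute_no_trans } for  pid=2150 comm="rsync" path="/usr/bin/bash" dev="dm-0" ino=1001 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000050.203:503): avc:  denied  { read open } for  pid=2150 comm="rsync" path="/usr/bin/bash" dev="dm-0" ino=1001 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1600000060.300:504): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Matches simple CIL rules of the form (allow SRC TGT (CLASS (PERM ...))).
CIL_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")
# Pulls permissions, source type, target type and class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:]+:[^:]+:([^:\s]+)"
    r".*?tcontext=[^:]+:[^:]+:([^:\s]+).*?tclass=(\S+)")

def parse_cil(text):
    """Return the set of (source, target, class, perm) tuples the module allows."""
    allowed = set()
    for src, tgt, cls, perms in CIL_RE.findall(text):
        allowed.update((src, tgt, cls, p) for p in perms.split())
    return allowed

def parse_denials(text, domain="rsync_t"):
    """Return denied (source, target, class, perm) tuples for one source domain."""
    denied = set()
    for perms, src, tgt, cls in AVC_RE.findall(text):
        if src == domain:
            denied.update((src, tgt, cls, p) for p in perms.split())
    return denied

def uncovered(audit_text, cil_text, domain="rsync_t"):
    """Denials for the domain that the local module does not cover."""
    return sorted(parse_denials(audit_text, domain) - parse_cil(cil_text))

if __name__ == "__main__":
    for src, tgt, cls, perm in uncovered(SAMPLE_AUDIT, LOCAL_CIL):
        print(f"still denied: {src} -> {tgt} {cls}:{perm}")
```

On a real system the input would be the audit log gathered after installing the module and reproducing, for example the text output of ausearch -m avc.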
I am not aware of any related change in selinux-policy which would result in removing permissions for the rsync_t domain during the RHEL 8 development cycle. Additional information is required to assess the issue, preferably with full auditing enabled:

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Also note there is the rsync_client boolean, set to off by default, but it can be turned on on a system where rsync runs as a client:

# setsebool -P rsync_client on