Bug 403241 - Targeted policy breaks rsync as daemon and rsyncd.log logging
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware/OS: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Reported: 2007-11-28 13:23 EST by Mike Shaver
Modified: 2008-05-21 12:06 EDT (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:06:12 EDT

Attachments (Terms of Use)
local rsync policy to permit netlink and logging access (543 bytes, text/plain)
2007-11-28 13:23 EST, Mike Shaver

Description Mike Shaver 2007-11-28 13:23:45 EST
Description of problem:
The targeted policy prevents rsync_t from manipulating the netlink_route_socket,
which it tries to do in at least some rsyncd configurations (possibly related to
the use of "hosts allow"), and also keeps it from being able to create
/var/log/rsyncd.log or append to it if present.

Version-Release number of selected component (if applicable):

I worked out a policy that permits these things, with much help from Dominick
Grift, which I'll attach below.  It's my first such policy, and at least one
thing I think might be a sign of a bug in my thinking or the logging.if stuff,
but I'm sure someone with more experience here can quickly make it not suck. :)

To wit: the lines marked with "XXX logging_log_file" are needed to satisfy
dependencies of logging_log_file's expansion, so I would naively expect them to
be gen_require'd or something from within logging_log_file itself.

I also use the following fcontext; not sure if it's suitable for being the default:

/var/log/rsyncd\.log         --   gen_context(system_u:object_r:rsync_log_t,s0)
Comment 1 Mike Shaver 2007-11-28 13:23:45 EST
Created attachment 271581 [details]
local rsync policy to permit netlink and logging access
Comment 2 Mike Shaver 2007-11-28 13:26:21 EST
Because I am a rockstar nonpareil, I uploaded the version without the XXX
markers.  The lines in question are these:

        class filesystem { associate }; # XXX logging_log_file?
        class dir all_dir_perms; # XXX logging_log_file
Comment 3 Daniel Walsh 2007-12-01 08:12:35 EST
Excellent job.

Your fixes will be in U2 policy.

If you use 
instead of 
module rsynclocal 1.0;

You will get the gen_requires for free.

Also in Rawhide and Fedora 8 we are using


Which gives you the netlink_route_socket  allow rule

Fixed in selinux-policy-2.4.6-107.el5.src.rpm
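For readers who want to see what Comment 2 and Comment 3 add up to, here is a constructed example of the local module in the policy_module() form rather than as a raw "module rsynclocal 1.0;" block. It is not the attachment from this bug and not code from the selinux-policy package. It assumes the refpolicy development headers (selinux-policy-devel, /usr/share/selinux/devel) are installed, that the base policy does not yet declare rsync_log_t, and that a plain netlink_route_socket allow rule on rsync_t stands in for whatever interface Comment 3 refers to, since that name did not survive on this page.

```selinux
# rsynclocal.te -- constructed example, not the attachment from this bug.
# Assumes selinux-policy-devel (refpolicy interfaces and the built-in class
# requirements that policy_module() pulls in) is installed.
policy_module(rsynclocal, 1.0)

gen_require(`
    type rsync_t;
')

# Log file type for /var/log/rsyncd.log (assumed not yet declared by the
# base policy; drop this declaration if a later policy ships its own).
# Because policy_module() already requires every object class, the
# "class filesystem { associate }" and "class dir all_dir_perms" lines that
# logging_log_file() needed in the raw-module version are no longer required.
type rsync_log_t;
logging_log_file(rsync_log_t)

# Let rsyncd create /var/log/rsyncd.log, append to it and rotate it; files
# rsyncd creates directly in /var/log are labelled rsync_log_t automatically.
allow rsync_t rsync_log_t:file manage_file_perms;
logging_log_filetrans(rsync_t, rsync_log_t, file)

# The "hosts allow" check opens a netlink route socket to look up routes; a
# read-only netlink permission set covers it (assumed equivalent to the
# interface that Comment 3 says Rawhide and Fedora 8 use).
allow rsync_t self:netlink_route_socket r_netlink_socket_perms;
```

Put the fcontext line from the description (with the dot escaped, /var/log/rsyncd\.log) into rsynclocal.fc next to this file, then build and load with make -f /usr/share/selinux/devel/Makefile rsynclocal.pp, semodule -i rsynclocal.pp and restorecon -v /var/log/rsyncd.log. Afterwards ausearch -m avc -ts recent should show no further rsync_t denials for netlink_route_socket or rsync_log_t; if the base policy is later updated to carry its own rsync_log_t (as the fixed versions in this bug do), remove the local module with semodule -r rsynclocal so the two declarations do not conflict.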
Comment 4 Daniel Walsh 2008-03-05 17:00:09 EST
Fixed in selinux-policy-2.4.6-125
Comment 5 RHEL Product and Program Management 2008-03-05 17:07:28 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 errata-xmlrpc 2008-05-21 12:06:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.