Bug 403241 - Targeted policy breaks rsync as daemon and rsyncd.log logging
Targeted policy breaks rsync as daemon and rsyncd.log logging
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-28 13:23 EST by Mike Shaver
Modified: 2008-05-21 12:06 EDT (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:06:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
local rsync policy to permit netlink and logging access (543 bytes, text/plain)
2007-11-28 13:23 EST, Mike Shaver
no flags Details

  None (edit)
Description Mike Shaver 2007-11-28 13:23:45 EST
Description of problem:
The targeted policy prevents rsync_t from manipulating the netlink_route_socket,
which it tries to do in at least some rsyncd configurations (possibly related to
the use of "hosts allow"), and also keeps it from being able to create
/var/log/rsyncd.log or append to it if present.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

I worked out a policy that permits these things, with much help from Dominick
Grift, which I'll attach below.  It's my first such policy, and at least one
thing I think might be a sign of a bug in my thinking or the logging.if stuff,
but I'm sure someone with more experience here can quickly make it not suck. :)

To wit: the lines marked with "XXX logging_log_file" are needed to satisfy
dependencies of logging_log_file's expansion, so I would naively expect them to
be gen_require'd or something from within logging_log_file itself.

I also use the following fcontext; not sure if it's suitable for being the default:

/var/log/rsyncd.log          --   gen_context(system_u:object_r:rsync_log_t,s0)
Comment 1 Mike Shaver 2007-11-28 13:23:45 EST
Created attachment 271581 [details]
local rsync policy to permit netlink and logging access
Comment 2 Mike Shaver 2007-11-28 13:26:21 EST
Because I am a rockstar nonpareil, I uploaded the version without the XXX
markers.  The lines in question are these:

        class filesystem { associate }; # XXX logging_log_file?
        class dir all_dir_perms; # XXX logging_log_file
Comment 3 Daniel Walsh 2007-12-01 08:12:35 EST
Excellent job.

Your fixes will be in U2 policy.

If you use 
policy_module(rsynclocal,1.0)
instead of 
module rsynclocal 1.0;

You will get the gen_requires for free.

Also in Rawhide and Fedora 8 we are using

auth_use_nsswitch(rsync_t) 

Which gives you the netlink_route_socket  allow rule

Fixed in selinux-policy-2.4.6-107.el5.src.rpm
Comment 4 Daniel Walsh 2008-03-05 17:00:09 EST
Fixed in selinux-policy-2.4.6-125
Comment 5 RHEL Product and Program Management 2008-03-05 17:07:28 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 errata-xmlrpc 2008-05-21 12:06:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

Note You need to log in before you can comment on or make changes to this bug.