Bug 459936 - rsync chroot fails
Summary: rsync chroot fails
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2008-08-24 21:27 UTC by Pierre Ossman
Modified: 2008-11-17 22:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:05:36 UTC
Type: ---

Description Pierre Ossman 2008-08-24 21:27:16 UTC
The SELinux policy is prohibiting rsyncd from functioning correctly, and I cannot see any file context or boolean that solves it.

I have an rsyncd running (via xinetd) that is configured to run as root and to chroot to the target directory. The clients state "@ERROR: chroot failed" and on the server I can see:

type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 1 Daniel Walsh 2008-09-02 20:40:35 UTC
You have an unlabeled file system so rsync is not allowed to read it.

You need to add labels to the file system using restorecon.

Or if this is an external drive that you do not want to put labels on you need to mount using the context option.

Comment 2 Pierre Ossman 2008-09-02 20:59:38 UTC
(where is "reopen"?)

restorecon did not help, but setting system_u:object_r:public_content_t:s0 did. So could you be a bit more specific as to what is required from selinux to give rsync access? Both for reads and writes (it doesn't seem to be able to write to public_content_t) would be helpful.

Comment 3 Daniel Walsh 2008-09-03 13:46:52 UTC
Try
> man rsync_selinux

Are you using rsyncd for uploading files?

Comment 4 Pierre Ossman 2008-09-04 14:17:17 UTC
(In reply to comment #3)
> Try 
> > man rsync_selinux

Ah. Nice. Setting them to public_content_rw_t got things working somewhat. It still isn't allowed to do a chown though:

type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability

I suspect it will want to modify the time of the files next, so that probably also needs to be allowed.

> Are you using rsyncd for uploading files?

Yup, via xinetd.

Comment 5 Daniel Walsh 2008-09-04 14:49:27 UTC
Ok, I can add that permission.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-89.fc9
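
As an added example (not from the bug report, the reporter, or the selinux-policy package), a small shell helper that parses AVC denials of the form quoted in this thread and maps them to the remedies the thread arrives at: relabeling an unlabeled (file_t) target versus a missing capability permission that needs a policy change. The sample input is the two denials quoted above; the remedy text is this example's own wording.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage helper for AVC denials of
# the shape quoted in this thread. parse_avc reduces one audit line to
# "permission source_type target_type class"; triage_avc maps that to the fix
# the thread converged on (relabel the target vs. fix the policy).

# The two denials quoted in the report, used here as sample input.
AVC_UNLABELED='type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
AVC_CHOWN='type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability'

# Print "perm stype ttype tclass" for one AVC line. Permissions inside the
# braces are joined with commas; the type is the third field of a context.
parse_avc() {
    printf '%s\n' "$1" | awk '{
        perm = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perm = (perm == "") ? $i : perm "," $i; continue }
            n = index($i, "=")
            if (n == 0) continue
            val = substr($i, n + 1); gsub(/"/, "", val)
            kv[substr($i, 1, n - 1)] = val
        }
        split(kv["scontext"], s, ":"); split(kv["tcontext"], t, ":")
        print perm, s[3], t[3], kv["tclass"]
    }'
}

# Suggest the remedy for the two patterns seen in this bug.
triage_avc() {
    set -- $(parse_avc "$1")          # $1=perm $2=stype $3=ttype $4=tclass
    case "$4:$3" in
        capability:*)
            echo "$2 lacks capability '$1': needs a policy change (updated selinux-policy, or a local module via audit2allow -M)" ;;
        *:file_t)
            echo "$2 denied '$1' on an unlabeled ($3) $4: restorecon -R the tree, mount with -o context=..., or label it public_content_rw_t for rsync writes" ;;
        *)
            echo "$2 denied '$1' on $3 ($4): check man rsync_selinux for the expected label or boolean" ;;
    esac
}

for line in "$AVC_UNLABELED" "$AVC_CHOWN"; do
    triage_avc "$line"
done
```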

Comment 6 Pierre Ossman 2008-10-04 20:24:26 UTC
Sorry for not testing until now, but it works except for two missing operations: fowner and fsetid.

Comment 7 Daniel Walsh 2008-10-06 16:52:05 UTC
Fixed in selinux-policy-3.3.1-100.fc9

Comment 8 Daniel Walsh 2008-11-17 22:05:36 UTC
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
