Bug 459936 - rsync chroot fails
Summary: rsync chroot fails
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-24 21:27 UTC by Pierre Ossman
Modified: 2008-11-17 22:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:05:36 UTC
Type: ---



Description Pierre Ossman 2008-08-24 21:27:16 UTC
The SELinux policy is prohibiting rsyncd from functioning correctly, and I cannot see any file context or boolean that solves it.

I have an rsyncd running (via xinetd) that is configured to run as root and to chroot to the target directory. The clients state "@ERROR: chroot failed" and on the server I can see:

type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

Comment 1 Daniel Walsh 2008-09-02 20:40:35 UTC
You have an unlabeled file system so rsync is not allowed to read it.

You need to add labels to the file system using restorecon 

restorecon -Rv PATHTOFILESYSTEM

Or if this is an external drive that you do not want to put labels on you need to mount using the context option.

Comment 2 Pierre Ossman 2008-09-02 20:59:38 UTC
(where is "reopen"?)

restorecon did not help, but setting system_u:object_r:public_content_t:s0 did. So could you be a bit more specific as to what is required from selinux to give rsync access? Both for reads and writes (it doesn't seem to be able to write to public_content_t) would be helpful.

Comment 3 Daniel Walsh 2008-09-03 13:46:52 UTC
Try 
> man rsync_selinux

Are you using rsyncd for uploading files?

Comment 4 Pierre Ossman 2008-09-04 14:17:17 UTC
(In reply to comment #3)
> Try 
> > man rsync_selinux
> 

Ah. Nice. Setting them to public_content_rw_t got things working somewhat. It still isn't allowed to do a chown though:

type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability

I suspect it will want to modify the time of the files next, so that probably also needs to be allowed.

> Are you using rsyncd for uploading files?

Yup, via xinetd.

Comment 5 Daniel Walsh 2008-09-04 14:49:27 UTC
OK, I can add that permission.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-89.fc9
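
A small triage helper for denials of the kind quoted in this bug, added here as an example; it is not part of the bug report or of the Fedora selinux-policy package. It parses AVC lines of the form shown above, classifies each denial using the advice given in comments 1, 3 and 5 (a file_t target means the filesystem is unlabeled and wants restorecon or a context= mount; public_content_t did not allow writes and public_content_rw_t did; capability denials need a policy change, with audit2allow -M as the stopgap), and collapses the denials into allow rules in the shape audit2allow would emit. The sample log is constructed from the two lines quoted in this bug plus two made-up records; all function, class and field names are this example's own.

```python
"""Parse and triage SELinux AVC denials (example code for this bug thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines 1 and 3 are the two denials quoted in this bug;
# the type=1300 record and the final public_content_t write denial are made
# up to exercise the "skip non-AVC records" and "read-only label" paths.
SAMPLE_AUDIT_LOG = """\
type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=1300 audit(1219579601.379:21): success=no exit=-13 pid=6467 comm="rsync" exe="/usr/bin/rsync"
type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability
type=1400 audit(1220537400.000:480): avc:  denied  { write } for  pid=23140 comm="rsync" name="incoming" dev=sdb1 ino=4242 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
"""

# type=1400 is the raw kernel record number; auditd tools show it as type=AVC.
AVC_RE = re.compile(
    r"^type=(?:1400|AVC) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that imply modification of the target object.
WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name",
              "unlink", "rename", "setattr"}


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    perms: list[str]
    fields: dict[str, str]

    @property
    def source_type(self) -> str:        # e.g. rsync_t
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:        # e.g. file_t, public_content_t
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:             # e.g. dir, capability
        return self.fields["tclass"]


def parse_avc_line(line: str) -> AvcRecord | None:
    """Return an AvcRecord for an AVC audit line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("decision"), m.group("perms").split(), fields)


def parse_audit_log(text: str) -> list[AvcRecord]:
    return [r for r in map(parse_avc_line, text.splitlines()) if r]


def triage(rec: AvcRecord) -> tuple[str, str]:
    """Classify one denial and return (category, remediation hint)."""
    if rec.decision != "denied":
        return "granted", "no action needed"
    if rec.tclass == "capability":
        return "capability", (f"{rec.source_type} lacks capability "
                              f"{{ {' '.join(rec.perms)} }}: needs a policy change; "
                              "audit2allow -M gives a local stopgap module")
    if rec.target_type == "file_t":
        return "unlabeled", ("target is file_t, i.e. the filesystem carries no labels: "
                             "run restorecon -Rv on it, or mount it with context=")
    if rec.target_type == "public_content_t" and set(rec.perms) & WRITE_LIKE:
        return "read-only-label", ("public_content_t does not permit writes; label "
                                   "upload areas public_content_rw_t instead")
    return "other", "see man rsync_selinux for the labels rsync is allowed to use"


def suggested_rules(records: list[AvcRecord]) -> list[str]:
    """Collapse denials into allow-rule lines in the form audit2allow prints."""
    grouped: dict[tuple[str, str, str], set[str]] = {}
    for r in records:
        if r.decision != "denied":
            continue
        tgt = "self" if r.target_type == r.source_type else r.target_type
        grouped.setdefault((r.source_type, tgt, r.tclass), set()).update(r.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rec in recs:
        cat, hint = triage(rec)
        print(f"[{cat}] {rec.source_type} -> {rec.target_type}:{rec.tclass} "
              f"{{ {' '.join(rec.perms)} }}\n    {hint}")
    print("\naudit2allow-style rules:")
    print("\n".join(suggested_rules(recs)))
```

The rules from suggested_rules are what a blanket audit2allow run would produce; the triage step exists precisely so that the first of them (allowing rsync_t to search file_t) is recognised as a labeling problem to fix with restorecon rather than a permission to grant.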

Comment 6 Pierre Ossman 2008-10-04 20:24:26 UTC
Sorry for not testing until now, but it works except for two missing operations: fowner and fsetid.

Comment 7 Daniel Walsh 2008-10-06 16:52:05 UTC
Fixed in selinux-policy-3.3.1-100.fc9

Comment 8 Daniel Walsh 2008-11-17 22:05:36 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
