Bug 459936 - rsync chroot fails
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Platform: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reopened
Reported: 2008-08-24 17:27 EDT by Pierre Ossman
Modified: 2008-11-17 17:05 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:05:36 EST
Attachments: None

Description Pierre Ossman 2008-08-24 17:27:16 EDT
The SELinux policy is prohibiting rsyncd from functioning correctly, and I cannot see any file context or boolean that solves it.

I have an rsyncd running (via xinetd) that is configured to run as root and to chroot to the target directory. The clients state "@ERROR: chroot failed" and on the server I can see:

type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
Comment 1 Daniel Walsh 2008-09-02 16:40:35 EDT
You have an unlabeled file system, so rsync is not allowed to read it.

You need to add labels to the file system using restorecon:

restorecon -Rv PATHTOFILESYSTEM

Or if this is an external drive that you do not want to put labels on you need to mount using the context option.
Comment 2 Pierre Ossman 2008-09-02 16:59:38 EDT
(where is "reopen"?)

restorecon did not help, but setting system_u:object_r:public_content_t:s0 did. So could you be a bit more specific as to what is required from selinux to give rsync access? Both for reads and writes (it doesn't seem to be able to write to public_content_t) would be helpful.
Comment 3 Daniel Walsh 2008-09-03 09:46:52 EDT
Try 
> man rsync_selinux

Are you using rsyncd for uploading files?
Comment 4 Pierre Ossman 2008-09-04 10:17:17 EDT
(In reply to comment #3)
> Try 
> > man rsync_selinux
> 

Ah. Nice. Setting them to public_content_rw_t got things working somewhat. It still isn't allowed to do a chown though:

type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability

I suspect it will want to modify the time of the files next, so that probably also needs to be allowed.

> Are you using rsyncd for uploading files?

Yup, via xinetd.
Comment 5 Daniel Walsh 2008-09-04 10:49:27 EDT
OK, I can add that permission.

You can add these rules for now using:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-89.fc9
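The two denials quoted in this bug are of different kinds: the first targets file_t (an unlabeled object, fixed by relabeling or a context= mount as in comment 1), the second is a capability check on rsync_t itself (a missing policy rule, handled by the audit2allow route above). The triage helper below is an added example, not part of this bug or of the selinux-policy package; the AVC lines are constructed from the ones in the thread, and the rule that a file_t or unlabeled_t target means a labeling problem is an assumed heuristic.

```shell
#!/bin/sh
# Constructed sample denials, modelled on the two AVC records quoted in this bug.
AVC_LABEL='type=1400 audit(1219579601.379:21): avc:  denied  { search } for  pid=6467 comm="rsync" name="/" dev=sdb1 ino=2 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir'
AVC_CAP='type=1400 audit(1220537302.255:477): avc:  denied  { chown } for  pid=23131 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability'

# avc_field LINE KEY: print the value of a whitespace-delimited KEY=value token.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission inside the braces.
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated element) of a label.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE: print "labeling CLASS PERM TARGET_TYPE" when the target has no
# usable label (relabel or mount with context=), otherwise "policy CLASS PERM SOURCE_TYPE"
# meaning the object is labeled and the domain simply lacks the rule. Heuristic (assumed).
avc_triage() {
  line=$1
  perm=$(avc_perm "$line")
  tclass=$(avc_field "$line" tclass)
  ttype=$(ctx_type "$(avc_field "$line" tcontext)")
  stype=$(ctx_type "$(avc_field "$line" scontext)")
  case $ttype in
    file_t|unlabeled_t)
      printf 'labeling %s %s %s\n' "$tclass" "$perm" "$ttype" ;;
    *)
      printf 'policy %s %s %s\n' "$tclass" "$perm" "$stype" ;;
  esac
}

# avc_triage_log FILE: summarize every denial in an audit log (the same input
# audit2allow reads), so labeling problems are separated from real policy gaps.
avc_triage_log() {
  grep 'avc: *denied' "$1" | while IFS= read -r l; do avc_triage "$l"; done | sort | uniq -c
}
```

Run `avc_triage_log /var/log/audit/audit.log` before reaching for audit2allow: denials reported as "labeling" should be fixed with restorecon or a context= mount rather than baked into a local policy module.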
Comment 6 Pierre Ossman 2008-10-04 16:24:26 EDT
Sorry for not testing until now, but it works except for two missing operations: fowner and fsetid.
Comment 7 Daniel Walsh 2008-10-06 12:52:05 EDT
Fixed in selinux-policy-3.3.1-100.fc9
Comment 8 Daniel Walsh 2008-11-17 17:05:36 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.