Bug 543062 - pre-xfer option in rsyncd.conf file fails
Summary: pre-xfer option in rsyncd.conf file fails
Keywords:
Status: CLOSED DUPLICATE of bug 543970
Alias: None
Product: Fedora
Classification: Fedora
Component: rsync
Version: 12
Hardware: x86_64
OS: Linux
low
high
Target Milestone: ---
Assignee: Jan Zeleny
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 543107 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-01 16:14 UTC by Bill Gradwohl
Modified: 2010-01-12 20:49 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-12 15:59:42 UTC


Attachments (Terms of Use)

Description Bill Gradwohl 2009-12-01 16:14:42 UTC
Description of problem:
The pre-xfer option in the rsyncd.conf file produces an error that causes rsync as a whole to fail. Running the object of the pre-xfer manually and then running rsync without the pre-xfer option works as expected.

Version-Release number of selected component (if applicable):
F12 completely patched.

How reproducible:
mkdir -p /snapshot
/usr/sbin/setsebool rsync_export_all_ro on
rsync -rlptgoH --delete billlaptop::importantStuff /snapshot/importantStuff/usr/sbin/setsebool rsync_export_all_ro off
The above works after I applied numerous selinux rules to get rid of failures that were selinux induced.

Adding :
   pre-xfer exec=/usr/sbin/setsebool rsync_export_all_ro on
   post-xfer exec=/usr/sbin/setsebool rsync_export_all_ro off
to the /etc/rsyncd.conf file and only running the actual rsync command fails as follows:
pre-xfer exec returned failure (65280)
rsync error: requested action not supported (code 4) at clientserver.c(839) [sender=3.0.6]
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(759) [receiver=3.0.6]

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
/etc/rsync.conf:
[importantStuff]
   comment=This is a master backup of this machine
   path=/
   read only=true
   ignore nonreadable=true
   list=false
   uid=root
   gid=root
   hosts allow=multimedia \ 
               multimedia.private.ycc \
               billlaptop \
               billlaptop.private.ycc \
               localhost
   filter=- *.tmp - *~ - *.bak \
          + /root/ - /root/.icedteaplugin/ + /root/*** \
          + /usr/ + /usr/local/ + /usr/local/sbin/*** \
          + /var/ + /var/cache/ + /var/cache/yum/*** \
          + /etc/ + /etc/shorewall/*** - /etc/*/ + /etc/* \
          - *
#   pre-xfer exec=/usr/sbin/setsebool rsync_export_all_ro on
#   post-xfer exec=/usr/sbin/setsebool rsync_export_all_ro off

===========================

Selinux .te file contents used to get rsync to function at all:
module rsyncForsnapshotbackup 1.0;

require {
	type setsebool_exec_t;
	type bin_t;
	type rsync_t;
	type shell_exec_t;
	class lnk_file read;
	class file { execute read execute_no_trans getattr open };
}

#============= rsync_t ==============
allow rsync_t bin_t:lnk_file read;
allow rsync_t setsebool_exec_t:file { read execute open getattr execute_no_trans };
allow rsync_t shell_exec_t:file { read execute open getattr execute_no_trans };

Comment 1 Bill Gradwohl 2009-12-01 16:20:05 UTC
rsync -rlptgoH --delete billlaptop::importantStuff /snapshot/importantStuff
and 
/usr/sbin/setsebool rsync_export_all_ro off
should have shown up as separate lines above.

Comment 2 Daniel Walsh 2009-12-02 19:39:35 UTC
*** Bug 543107 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2009-12-02 19:43:09 UTC
Can we start over.  Remove the setting of the booleans and lets discuss what
you want to set up.

Are you setting up an rsync server where the server will write content to
/snapshot?

Have you read man "rsync_selinux"?

Comment 4 Bill Gradwohl 2009-12-03 00:24:53 UTC
Haven't read man "rsync_selinux" as I didn't know it existed. I'll take a look at it.

From the beginning.

I've had a script (snapshotbackup - about 500 lines) I wrote years ago that takes snapshots of certain areas of a drive periodically according to a crontab setting. That script boils down to just a few simple commands, and rsync is the main engine. This script has worked for me and dozens of clients for years. 

My use of it is to snapshot /root, /usr/local/sbin, /etc and a few other directories to a spot on the same machines fixed disk at /snapshot. I run the rsyncd daemon via xinetd and the rsyncd.conf is below:
==============================
[importantStuff]
   comment=This is a master backup of this machine
   path=/
   read only=true
   ignore nonreadable=true
   list=false
   uid=root
   gid=root
   hosts allow=multimedia \ 
               multimedia.private.ycc \
               billlaptop \
               billlaptop.private.ycc \
               localhost
   filter=- / - *.tmp - *~ - *.bak \
          + /root/ - /root/.icedteaplugin/ + /root/*** \
          + /usr/ + /usr/local/ + /usr/local/sbin/*** \
          + /var/ + /var/cache/ + /var/cache/yum/*** \
          + /etc/ + /etc/shorewall/*** - /etc/*/ + /etc/* \
          - *
#   pre-xfer exec=/usr/sbin/setsebool rsync_export_all_ro on
#   post-xfer exec=/usr/sbin/setsebool rsync_export_all_ro off
=============================

The script boils down to these typical statements:
mkdir -p /snapshot/billlaptop/Wed.091202_1802
cp -lRP --preserve=all /snapshot/billlaptop/Wed.091202/importantStuff /snapshot/billlaptop/Wed.091202_1802/importantStuff
rsync -rlptgoH --delete billlaptop::importantStuff /snapshot/billlaptop/Wed.091202_1802/importantStuff


I installed F12 on my laptop and discovered the script produced 35 selinux "incidents" via sealert every time it ran. Of the 35, 70% were real denials with the rest nuisance messages about what it didn't particularly like but let slide anyway. All the incidents came from rsync. The number of incidents is related to the number of directories I asked it to process. If I change what I ask it to do, the number of incidents changes too.
Samples:
SELinux is preventing /usr/bin/rsync access to a leaked /bin/sh file descriptor.
SELinux is preventing /usr/bin/rsync "execute" access on /bin/bash.
SELinux is preventing /usr/bin/rsync "read open" access to /bin/bash.
SELinux is preventing /usr/bin/rsync "execute_no_trans" access on /bin/bash.
SELinux is preventing /bin/bash "getattr" access to /bin/bash.
SELinux is preventing /bin/bash "execute" access on /usr/sbin/setsebool.
SELinux is preventing /bin/bash "getattr" access to /usr/sbin/setsebool.
SELinux is preventing /bin/bash "read open" access to /usr/sbin/setsebool.
SELinux is preventing /bin/bash "read" access to /usr/sbin/setsebool.
SELinux is preventing /bin/bash "execute_no_trans" access on
/usr/sbin/setsebool.

Long story short, selinux broke my script. OK - I'll cooperate and write some rules to make the script and selinux peacefully coexist.  

For every selinux failure in sealert I'd save the alert to the clipboard and then paste from the clipboard into a file via an editor, saving the file as /tmp/avc# where # was an incremental number. After each new file was created in /tmp, I did the following:
cat /tmp/avc* >/tmp/AVC 
audit2allow -M rsyncForsnapshotbackup </tmp/AVC 
semodule -i rsyncForsnapshotbackup.pp 
mv rsyncForsnapshotbackup.* /root 

This would accumulate all the alerts up to that point into /tmp/AVC and then build one .te & .pp file to be applied to the system. Then another snapshotbackup would produce another sealert and I'd repeat the process till all the alerts were gone, but one. It seams that no matter what, I couldn't get rid of a bogus alert saying that the context of / was something other than what it really was. It took 8 iterations to accumulate all the failures.

The final rsyncForsnapshotbackup.te is below:
==========================
module rsyncForsnapshotbackup 1.0;

require {
	type setsebool_exec_t;
	type bin_t;
	type rsync_t;
	type shell_exec_t;
	class lnk_file read;
	class file { execute read execute_no_trans getattr open };
}

#============= rsync_t ==============
allow rsync_t bin_t:lnk_file read;
allow rsync_t setsebool_exec_t:file { read execute open getattr execute_no_trans };
allow rsync_t shell_exec_t:file { read execute open getattr execute_no_trans };
===========================

Immediately before the rsync execution statement I had to put:
/usr/sbin/setsebool rsync_export_all_ro on
and immediately after I put:
/usr/sbin/setsebool rsync_export_all_ro off

Then I tried to put those 2 statements into the rsyncd.conf file as pre-xfer and post-xfer statements. That would cause rsync to fail as reported in a bugzilla, so for now the script executes those statements explicitly instead of the more appropriate inclusion in the rsyncd.conf file to hide this ugly detail.

Right now, my script works as it did before. I am executing setsebool statements I really don't understand, have added rules to the system I also don't comprehend and am still getting one nuisance message about / having the wrong context which I also bugzilla'd. 

Note that what I bugzill'd was a failure in rsync not handling the pre-xfer statement in the config file, and the bogus sealert for the context on / (The root). I haven't really complained about selinux per se.

Selinux got in my way, and I circumvented it to get it out of my hair, but I'm not proud of what I've had to do because I don't understand selinux and can't seem to find any readable documentation to get me up to speed. I have tried on more than one occasion. I've got over 30 years as a professional programmer and can't penetrate the jargon and artificial language invented to describe it. 

As it is, selinux is a PITA as I have to live with it but can't communicate with it properly because I don't speak its language. If there's a complaint in there somewhere, its that the documentation is very very poor. I think the folks writing the docs are so into it and so comfortable with it that they can't remember what it was like not knowing it and therefore can't come down to a level suitable for describing it to an selinux novice.

Comment 5 Daniel Walsh 2009-12-03 14:19:49 UTC
THe problem is you went off track right from the beginning when just setting the label on the /snapshot directory would have worked, you got lost in SELinux configuration hell.

I wrote a paper on the 4 things that SELinux is trying to tell you and most of the time it is your labeling is screwed up.


http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

You needed to set  a label for the directory you wanted the confined application to write to.  /snapshot.

The domain that needed to write there is rsync_t.

There is a tool sesearch that allows you to search for the types that rsync can write to.



# sesearch -A -s rsync_t -c file -p write -C
Found 6 semantic av rules:
   allow rsync_t rsync_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow rsync_t rsync_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow rsync_t rsync_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow rsync_t rsync_t : file { ioctl read write getattr lock append open } ; 
DT allow rsync_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_rsync_anon_write ]
DT allow rsync_t rsync_data_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ rsync_client ]

This says rsync_t domain can write to files labeled rsync_tmp_t, rsync_var_run_t, rsync_log_t. 

If you turn on the boolean allow_rsync_anon_write  it can write to public_content_rw_t.

If you turn on the boolean rsync_client  it can write to rsync_data_t, (which I think is a bug), it should be able to write here no matter what.

Setting the label on /snapshot to any of these would have allowed your scripts to work.  

/snapshot will get the default label default_t

To change the labeling to rsync_data_t permanently, you need to execute

# semanage fcontext -a -t rsync_data_t '/snapshot(/.*)?'
# restorecon -R -v /snapshot

Because of the bug in policy you need to turn on the boolean permanantly.  Note you only need to do this once.

# setsebool -P rsync_client 1


I think that would solve your problem.  What I am interested in, was what was the first setroubleshoot message that you got, did it tell you anything like the above?

Comment 6 Bill Gradwohl 2009-12-06 01:04:57 UTC
Daniel:

After doing a little digging I just realized who you are. You're the head selinux person. Perfect.

I read your last post and tried to comprehend it but can't. Therein lies the problem. You are offering me a fish, and I'm grateful, but what I need to be able to do is fish for myself. I want to understand selinux sufficiently to diagnose an issue correctly and not go off in a wrong direction as you indicated I did. I'd like to be able to understand what you're saying, not just key in some commands like a robot to solve this issue.

If I segregate Linux users into just 2 camps, they would be those that just want Linux to work and don't care how the magic happens, and then there are those that want to understand in detail how the whole thing hangs together. I'm in the latter camp.

Can you supply me with a reading list to get me up to speed on selinux? I promise to read it and I expect to be able afterwards to converse with you intelligently about what I learned. If after consuming your list I still can't do that I'll let you know, and I would consider that a failure of the documentation, so this is an opportunity to test the documentations usefulness.

Right now I am ignorant of selinux, but I'm not stupid. Given access to the right information, I'll comprehend it.

The selinux wiki on Fedoras site is not what I'm looking for as I doubt anyone can learn about selinux from there. References to FC4 and FC5 give me pause. If there's a book you would recommend that I can purchase from Amazon, I'll do it, but as I now live outside the US, just getting a book will take a month. If there are web sites, just list them, but please don't send me to sites with outdated information or information that isn't true about the selinux implementation in Fedora 12.

To answer your last question, I can't remember and now have no logs of the setroubleshoot messages that led me here. I plan on installing F12 on another box next week and will then have an opportunity to recreate the situation and will capture the sequence of events and all logs.

Comment 8 Bill Gradwohl 2010-01-12 15:08:47 UTC
Daniel:

I've been away for a while over the holidays, but I started your reading list.

I implemented your suggestions :
root@billlaptop ~# semanage fcontext -a -t rsync_data_t '/snapshot(/.*)?'
root@billlaptop ~# restorecon -R -v /snapshot
root@billlaptop ~# setsebool -P rsync_client 1

and came up with another permissions issue:

rsync: readlink_stat("/root/.config/google-chrome/SingletonSocket" (in importantStuff)) failed: Permission denied (13)
IO error encountered -- skipping file deletion
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1505) [generator=3.0.6]
   rsync failed from:bakery::importantStuff to:/snapshot/bakery/Tue.100112/importantStuff

This execution runs via the rsync daemon (config listed in this thread) by using the following syntax:

root@billlaptop ~# rsync -rlptgoH --delete billlaptop::importantStuff /snapshot/billlaptop/Tue.100112/importantStuff

When I run a plain vanilla 
root@billlaptop ~# mkdir /tmp/trash;rsync -rlptgoH /root/.config /tmp/trash
it works but says its skipping the offending file. Not a problem!

That file is some left over rubbish from a Google Chrome execution:
root@billlaptop ~# ll /root/.config/google-chrome/SingletonSocket
srwxr-xr-x. 1 unconfined_u:object_r:admin_home_t:s0 root root 0 2010-01-12 08:35 /root/.config/google-chrome/SingletonSocket

It appears that only when I try to execute the rsync via the daemon does the error occur. So, is this an selinux permissions issue or some real bug with the rsync daemon?

Comment 9 Daniel Walsh 2010-01-12 15:19:25 UTC
Probably selinux.  

What OS?  Any avc message in the /var/log/audit/audit.log?

rpm -q selinux-policy-targeted

Comment 10 Bill Gradwohl 2010-01-12 15:46:12 UTC
F12 fully patched.

type=AVC msg=audit(1263311057.846:57): avc:  denied  { getattr } for  pid=22134 comm="rsync" path="/root/.config/google-chrome/SingletonSocket" dev=sda3 ino=3558392 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1263311057.846:57): arch=c000003e syscall=6 success=no exit=-13 a0=7fff077d2500 a1=7fff077d1470 a2=7fff077d1470 a3=0 items=0 ppid=1583 pid=22134 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)

root@billlaptop ~# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-66.fc12.noarch

Comment 11 Daniel Walsh 2010-01-12 15:59:42 UTC
SELinux does not support running X apps as root.

*** This bug has been marked as a duplicate of bug 543970 ***

Comment 12 Bill Gradwohl 2010-01-12 16:19:26 UTC
Why not run X apps as root? 

Please don't mention the word security as the whole machine is mine, and I should be able to do with it what I please. If I crater it do to poor judgement - so be it.

There's a trend happening here that makes Linux look more and more like Windows every day. 

Not good.

I guess I'll really have to get into selinux to undo the damage done purposefully in the name of security. Thanks for the motivation.

Comment 13 Daniel Walsh 2010-01-12 16:57:04 UTC
If you want to run X as root then you need to either disable SELinux or run it in permissive mode.   Trying to write policy that confines X Applications and handling labeling on /root becomes impossible.  

Running X Apps as root (administrator) is what causes lots of Windows problems, in the first place.

But if you want to run it, then go ahead.

Comment 14 Bill Gradwohl 2010-01-12 20:49:37 UTC
I've run X as root since F11. I have no problems running anything in X proper. Its only when I hit a command line and want to run a script do things go a bit berserk at times.

I suspect that in the not too distant future disabling selinux won't be an option as it will be mandated by gov't (check its pedigree) or it will simply be decided that supporting both an selinux and non selix environment isn't worth the headache and maintenance effort. So, I suspect your suggestion to cripple selinux has a short shelf life.

If actual X applications have problems with selinux, running as root or a mere mortal, then they simply need to get fixed. End of story. Anything else is simply unacceptable.

I think you also need to take off your tech hat and put on one borrowed from marketing. The idea is to make Linux an alternative to other platforms, specifically Windows, and the other "competitors" like Mac's O/S, etc. The idea of hardening a platform is great, but you can't make it so onerous to run it that the other more familiar platform looks better. Linux has to be the best at security AND usability to compete.

IMHO you've got the cart before the horse. You're allowing a technical challenge - to write the rules to control a root X session properly - to say you won't do it. If I were in marketing, I'd be pounding on management to make it happen whatever it takes. Not doing it will further limit Linux's acceptance. No one wants that except Microsoft.

My 2 cents.

BTW - I spent decades as a software developer and then technical product manager in the mainframe world in Texas. I ended my mainframe days in marketing and sales and I pushed hard to make our products the best in class regardless of the technical challenges. No one even tried to pull the wool over my eyes as they knew I knew technically at least as much as they did.

You guys need an internal end users advocate to provide direction. All tech and no marketing savvy doesn't work. Look at Linux's acceptance rate on corporate desktops for proof.


Note You need to log in before you can comment on or make changes to this bug.