Bug 709779 - rsync 3.0.8 destroys security context of symbolic links
Summary: rsync 3.0.8 destroys security context of symbolic links
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rsync
Version: 14
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Michal Luscon
QA Contact: Fedora Extras Quality Assurance
URL: https://bugzilla.samba.org/show_bug.c...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-01 15:43 UTC by Martin Wilck
Modified: 2012-05-16 10:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-16 10:27:54 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Martin Wilck 2011-06-01 15:43:53 UTC 
Description of problem:
P2V conversion of a F14 installation: used rsync -aHAXx to duplicate file systems from hysical to virtual host.

Version-Release number of selected component (if applicable):
rsync-3.0.8-1.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
Physical-2-Virtual conversion of a F14 installation: used rsync -aHAXx to duplicate file systems from physical to virtual host.

Actual results:
on source:
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       /lib64/libc.so.6 -> libc-2.13.so
on target:
lrwxrwxrwx. root root unconfined_u:object_r:file_t:s0  /lib64/libc.so.6 -> libc-2.13.so

These changed security contexts for symlinks cause the boot of the newly created VM to fail unless boot parameter selinux=0 is used.


Expected results:
Newly created VM bots nicely

Additional info:
Reproducer:

mkdir SRC
touch SRC/file
ln -s file SRC/link
chcon -h system_u:object_r:lib_t:s0 SRC/*
ls -Z SRC
-rw-r--r--. root root system_u:object_r:lib_t:s0       file
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       link -> file

mkdir TGT
rsync -aHAXx SRC/ TGT
ls -Z TGT
-rw-r--r--. root root system_u:object_r:lib_t:s0       file
lrwxrwxrwx. root root unconfined_u:object_r:user_tmp_t:s0 link -> file

This seems to have been a deliberate change in rsync:

https://bugzilla.samba.org/show_bug.cgi?id=5458
https://bugzilla.samba.org/show_bug.cgi?id=7109

The reason given for this change was a reference to the attr(5) man page:   
"For this reason, extended user attributes are only allowed for regular files and directories, ...". However, that section applies to *user* attributes only. The changes made so rsync affect all attribute name spaces, 


commit 9d6fe1a6f0233c7567dfb114835751aff85a578b
Author: Wayne Davison <wayned@samba.org>
Date:   Mon Jan 3 11:07:47 2011 -0800

    Avoid reading ACL/xattr info on filetypes not being copied.
    Make Linux avoid xattr access on symlinks.
    Make OS X avoid xattr access on device/special files.
    Fixes bug 5458.

M       acls.c
M       configure.ac
M       flist.c
M       xattrs.c
Comment 1 Martin Wilck 2011-06-01 15:54:30 UTC 
Opened upstream bug https://bugzilla.samba.org/show_bug.cgi?id=8201.
Comment 2 Martin Wilck 2011-06-01 15:59:32 UTC 
After fixing the security attributes of all symlinks with a small script, my VM now boots nicely.
Comment 3 Martin Wilck 2011-06-20 08:43:58 UTC 
The upstream bug has been fixed. The commit ID is e2c1e482e004b8f992156bf436d4bf34cee1ee1d. It seems to contain another change as well though.
Comment 4 Martin Wilck 2011-06-20 08:47:53 UTC 
My bad, e2c1e482e004b8f992156bf436d4bf34cee1ee1d is clean. I request its inclusion in Fedora's rsync release.

http://gitweb.samba.org/?p=rsync.git;a=commitdiff;h=e2c1e482e004b8f992156bf436d4bf34cee1ee1d
Comment 5 Michal Luscon 2012-05-16 10:27:54 UTC 
You can find updated fedora-15 and fedora-16 rsync package in testing.
Note You need to log in before you can comment on or make changes to this bug.