709779 – rsync 3.0.8 destroys security context of symbolic links

Bug 709779 - rsync 3.0.8 destroys security context of symbolic links

Summary: rsync 3.0.8 destroys security context of symbolic links

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rsync
Sub Component:
Version:	14
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Michal Luscon
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://bugzilla.samba.org/show_bug.c...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-06-01 15:43 UTC by Martin Wilck
Modified:	2012-05-16 10:27 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-05-16 10:27:54 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Martin Wilck 2011-06-01 15:43:53 UTC

Description of problem:
P2V conversion of a F14 installation: used rsync -aHAXx to duplicate file systems from hysical to virtual host.

Version-Release number of selected component (if applicable):
rsync-3.0.8-1.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
Physical-2-Virtual conversion of a F14 installation: used rsync -aHAXx to duplicate file systems from physical to virtual host.

Actual results:
on source:
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       /lib64/libc.so.6 -> libc-2.13.so
on target:
lrwxrwxrwx. root root unconfined_u:object_r:file_t:s0  /lib64/libc.so.6 -> libc-2.13.so

These changed security contexts for symlinks cause the boot of the newly created VM to fail unless boot parameter selinux=0 is used.


Expected results:
Newly created VM bots nicely

Additional info:
Reproducer:

mkdir SRC
touch SRC/file
ln -s file SRC/link
chcon -h system_u:object_r:lib_t:s0 SRC/*
ls -Z SRC
-rw-r--r--. root root system_u:object_r:lib_t:s0       file
lrwxrwxrwx. root root system_u:object_r:lib_t:s0       link -> file

mkdir TGT
rsync -aHAXx SRC/ TGT
ls -Z TGT
-rw-r--r--. root root system_u:object_r:lib_t:s0       file
lrwxrwxrwx. root root unconfined_u:object_r:user_tmp_t:s0 link -> file

This seems to have been a deliberate change in rsync:

https://bugzilla.samba.org/show_bug.cgi?id=5458
https://bugzilla.samba.org/show_bug.cgi?id=7109

The reason given for this change was a reference to the attr(5) man page:   
"For this reason, extended user attributes are only allowed for regular files and directories, ...". However, that section applies to *user* attributes only. The changes made so rsync affect all attribute name spaces, 


commit 9d6fe1a6f0233c7567dfb114835751aff85a578b
Author: Wayne Davison <wayned>
Date:   Mon Jan 3 11:07:47 2011 -0800

    Avoid reading ACL/xattr info on filetypes not being copied.
    Make Linux avoid xattr access on symlinks.
    Make OS X avoid xattr access on device/special files.
    Fixes bug 5458.

M       acls.c
M       configure.ac
M       flist.c
M       xattrs.c

Comment 1 Martin Wilck 2011-06-01 15:54:30 UTC

Opened upstream bug https://bugzilla.samba.org/show_bug.cgi?id=8201.

Comment 2 Martin Wilck 2011-06-01 15:59:32 UTC

After fixing the security attributes of all symlinks with a small script, my VM now boots nicely.

Comment 3 Martin Wilck 2011-06-20 08:43:58 UTC

The upstream bug has been fixed. The commit ID is e2c1e482e004b8f992156bf436d4bf34cee1ee1d. It seems to contain another change as well though.

Comment 4 Martin Wilck 2011-06-20 08:47:53 UTC

My bad, e2c1e482e004b8f992156bf436d4bf34cee1ee1d is clean. I request its inclusion in Fedora's rsync release.

http://gitweb.samba.org/?p=rsync.git;a=commitdiff;h=e2c1e482e004b8f992156bf436d4bf34cee1ee1d

Comment 5 Michal Luscon 2012-05-16 10:27:54 UTC

You can find updated fedora-15 and fedora-16 rsync package in testing.

Note You need to log in before you can comment on or make changes to this bug.