Hide Forgot
SELinux is preventing /usr/bin/rsync from 'associate' accesses on the filesystem selinux. ***** Plugin filesystem_associate (99.5 confidence) suggests *************** If you believe rsync should be allowed to create selinux files Then you need to use a different command. You are not allowed to preserve the SELinux context on the target file system. Do use a command like "cp -p" to preserve all permissions except SELinux context. ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that rsync should be allowed associate access on the selinux filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep rsync /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:object_r:security_t:s0 Target Context system_u:object_r:fs_t:s0 Target Objects selinux [ filesystem ] Source rsync Source Path /usr/bin/rsync Port <Unknown> Host (removed) Source RPM Packages rsync-3.0.8-2.fc15 Target RPM Packages filesystem-2.4.41-1.fc15 Policy RPM selinux-policy-3.9.16-50.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.41.10-3.fc15.i686.PAE #1 SMP Mon Jan 23 15:36:55 UTC 2012 i686 i686 Alert Count 1 First Seen Fri 24 Feb 2012 11:14:02 AM CET Last Seen Fri 24 Feb 2012 11:14:02 AM CET Local ID c507b641-8ad6-4a5c-bf16-c5f1de7f1ad4 Raw Audit Messages type=AVC msg=audit(1330078442.823:8427): avc: denied { associate } for pid=9152 comm="rsync" name="selinux" dev=sdd1 ino=1275932489 scontext=system_u:object_r:security_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem type=SYSCALL msg=audit(1330078442.823:8427): arch=i386 syscall=lsetxattr success=no exit=EACCES a0=bf9e08dc a1=8c305a8 a2=8c30588 a3=20 items=0 ppid=9151 pid=9152 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1128 comm=rsync exe=/usr/bin/rsync subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash: rsync,security_t,fs_t,filesystem,associate audit2allow #============= security_t ============== allow security_t fs_t:filesystem associate; audit2allow -R #============= security_t ============== allow security_t fs_t:filesystem associate;
This looks like rsync is trying to write security_t labels to a normal file system, which is not something we want to allow. You should not be copying system files systems like /sys and /proc with rsync.
I'm using rsnapshot with one_fs option set. This passes -x to rsync to prevent it from crossing file system boundaries. That should stop rsync from trying to copy /sys and /proc. In the destination both /sys and /proc are empty. I'm using --xattrs option to copy the extended attributes since without that I have to restore SELinux context if I want to copy the files back. Source is formatted with ext4. Destination is formatted with xfs.
Well then I will reassign to rsync, since it is definitely looking at the selinux file system, which is labeled security_t. One question would be we moved /selinux to /sys/fs/selinux, any chance this move is causing a problem?
(In reply to comment #3) > Well then I will reassign to rsync, since it is definitely looking at the > selinux file system, which is labeled security_t. One question would be we > moved /selinux to /sys/fs/selinux, any chance this move is causing a problem? This is happening on Fedora 15 and /sys/fs/selinux is empty but there are some files in /selinux
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping