Bug 881993 - rsyncd fails to chdir with autofs mounted nfs directory
Summary: rsyncd fails to chdir with autofs mounted nfs directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-29 22:41 UTC by Orion Poplawski
Modified: 2013-02-21 08:32 UTC (History)

Fixed In Version: selinux-policy-3.7.19-184.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:32:47 UTC
Target Upstream Version:
Embargoed:


Attachments


Links
System: Red Hat Product Errata
ID: RHBA-2013:0314
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-02-20 20:35:01 UTC

Description Orion Poplawski 2012-11-29 22:41:04 UTC
Description of problem:

Running rsyncd that serves an automounted nfs directory, I get:

type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

rsync_use_nfs is on.

Comment 2 Orion Poplawski 2012-11-29 23:11:23 UTC
Also, how do I get it to be able to write to the nfs directory?

type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

allow_rsync_anon_write --> on
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> on

I tried turning on allow_rsync_anon_write but that didn't help.

Comment 3 Orion Poplawski 2012-11-29 23:20:32 UTC
Eventually needed to add exceptions for:

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file create;
        class dir { write search add_name };
}

#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_export_all_ro'

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search add_name };
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file create;

Comment 4 Miroslav Grepl 2012-11-30 09:39:52 UTC
I made rsync as userdom_home_manager to fix these issues. Will backport.

Comment 5 Miroslav Grepl 2012-11-30 09:43:44 UTC
(In reply to comment #4)
> I made rsync as userdom_home_manager to fix these issues. 

I meant in Fedora.

Comment 6 Orion Poplawski 2012-11-30 16:52:03 UTC
I eventually had to disable dontaudit rules to be able to see:

type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file { write rename create unlink setattr };
        class dir { write search setattr remove_name create add_name };
}

#============= rsync_t ==============
#!!!! This avc is allowed in the current policy

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search setattr remove_name create add_name };
allow rsync_t nfs_t:file write;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file { rename create unlink setattr };

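As an added example, not part of the bug report or of any Red Hat tool, the Python below parses the three AVC denials quoted in this bug into (source type, target type, class, permissions) tuples and checks them against the allow rules from the comment 3 and comment 6 modules. It shows that the comment 3 module leaves the nfs_t:file write denial uncovered, the one that only became visible once dontaudit rules were disabled. The module texts and audit lines are constructed copies of what the comments quote.

```python
import re
# Constructed sample input: the three AVC denials quoted in this bug report.
AVC_LINES = """\
type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""
# Allow rules from the comment 3 and comment 6 modules (constructed copies).
MODULE_COMMENT3 = """\
allow rsync_t autofs_t:dir search;
allow rsync_t nfs_t:dir { write search add_name };
allow rsync_t nfs_t:file create;
"""
MODULE_COMMENT6 = """\
allow rsync_t autofs_t:dir search;
allow rsync_t nfs_t:dir { write search setattr remove_name create add_name };
allow rsync_t nfs_t:file write;
allow rsync_t nfs_t:file { rename create unlink setattr };
"""

# Contexts are user:role:type[:range]; only the type component matters for allow rules.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?'
    r'scontext=(?:\w+:){2}(?P<stype>\w+).*?'
    r'tcontext=(?:\w+:){2}(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;')

def parse_avc(text):
    """(source_type, target_type, tclass, frozenset(perms)) for each denial line."""
    found = (AVC_RE.search(line) for line in text.splitlines())
    return [(m['stype'], m['ttype'], m['tclass'], frozenset(m['perms'].split()))
            for m in found if m]

def parse_allows(te_text):
    """Map (source, target, tclass) -> set of permissions granted by 'allow' rules."""
    rules = {}
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = (m.group(4) or m.group(5) or "").split()
            rules.setdefault((m.group(1), m.group(2), m.group(3)), set()).update(perms)
    return rules

def uncovered(denials, rules):
    """Denials not fully granted by rules, with the permissions still missing."""
    gaps = [(s, t, c, sorted(p - rules.get((s, t, c), set()))) for s, t, c, p in denials]
    return [g for g in gaps if g[3]]
```

Running uncovered() with the comment 3 rules reports the missing nfs_t:file write; with the comment 6 rules it reports nothing.
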
Comment 7 Miroslav Grepl 2012-12-03 08:10:25 UTC
Yes, it will be covered by new rules.

Comment 10 Orion Poplawski 2012-12-11 15:45:40 UTC
Looks good to me.  Thanks!

Comment 13 errata-xmlrpc 2013-02-21 08:32:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

