Bug 881993 - rsyncd fails to chdir with autofs mounted nfs directory
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: medium
Severity: low
: rc
: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
: TestOnly
Depends On:
Blocks:
Reported: 2012-11-29 17:41 EST by Orion Poplawski
Modified: 2013-02-21 03:32 EST (History)
CC: 5 users

See Also:
Fixed In Version: selinux-policy-3.7.19-184.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:32:47 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Description Orion Poplawski 2012-11-29 17:41:04 EST
Description of problem:

Running rsyncd that serves an automounted nfs directory.  I get:

type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.8.noarch

rsync_use_nfs is on.
Comment 2 Orion Poplawski 2012-11-29 18:11:23 EST
Also, how do I get it to be able to write to the nfs directory?

type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

allow_rsync_anon_write --> on
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> on

I tried turning on allow_rsync_anon_write but that didn't help.
Comment 3 Orion Poplawski 2012-11-29 18:20:32 EST
Eventually needed to add exceptions for:

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file create;
        class dir { write search add_name };
}

#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_export_all_ro'

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search add_name };
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file create;
Comment 4 Miroslav Grepl 2012-11-30 04:39:52 EST
I made rsync as userdom_home_manager to fix these issues. Will backport.
Comment 5 Miroslav Grepl 2012-11-30 04:43:44 EST
(In reply to comment #4)
> I made rsync as userdom_home_manager to fix these issues. 

I meant in Fedora.
Comment 6 Orion Poplawski 2012-11-30 11:52:03 EST
I eventually had to disable dontaudit rules to be able to see:

type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file

module rsync-server 1.0;

require {
        type autofs_t;
        type rsync_t;
        type nfs_t;
        class file { write rename create unlink setattr };
        class dir { write search setattr remove_name create add_name };
}

#============= rsync_t ==============
#!!!! This avc is allowed in the current policy

allow rsync_t autofs_t:dir search;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:dir { write search setattr remove_name create add_name };
allow rsync_t nfs_t:file write;
#!!!! This avc is allowed in the current policy

allow rsync_t nfs_t:file { rename create unlink setattr };
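Added example, not part of this bug report and not code from selinux-policy or audit2allow: a small Python parser for the AVC records quoted in comments 1, 2 and 6 that derives the kind of type-enforcement module shown in comments 3 and 6. It embeds the three denied records from this report as sample input, pulls the source type, target type, class and permissions out of each, and merges permissions that share one (source, target, class) triple into a single allow rule, which is the shape the audit2allow output above has. The module name rsync_server_local is a hypothetical placeholder.

```python
import re
from collections import OrderedDict

# Sample input: the three denied AVC records quoted in this bug report,
# embedded here so the example runs without a live audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1354228225.755:130885): avc:  denied  { search } for  pid=5424 comm="rsync" name="/" dev=autofs ino=12652 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1354230531.020:131120): avc:  denied  { write } for  pid=6958 comm="rsync" name="METEORS" dev=0:1c ino=251527171 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1354294154.636:548): avc:  denied  { write } for  pid=14828 comm="rsync" name=".blah.cp9LNd" dev=0:21 ino=580976863 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

# Shape of a record: avc:  denied  { perm perm } for  key=value key="quoted" ...
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the interesting parts of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        # A context is user:role:type[:range]; the type is what policy rules name.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': stype,
        'ttype': ttype,
        'tclass': tclass,
    }


def format_perms(perms):
    """Policy syntax: a single permission is bare, several are braced."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def generate_te(audit_text, module_name='rsync_server_local'):
    """Collapse the denied AVCs in audit_text into a type-enforcement (.te)
    module source, merging permissions that share one (source type, target
    type, class) triple, the way the audit2allow output in this report does.
    The module name is a placeholder for this example."""
    rules = OrderedDict()    # (stype, ttype, tclass) -> [perms]
    classes = OrderedDict()  # tclass -> [perms], for the require block
    types = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        for perm in rec['perms']:
            for bucket in (rules.setdefault(key, []), classes.setdefault(rec['tclass'], [])):
                if perm not in bucket:
                    bucket.append(perm)
        types.update([rec['stype'], rec['ttype']])
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['        type %s;' % t for t in sorted(types)]
    out += ['        class %s %s;' % (c, format_perms(p)) for c, p in classes.items()]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, c, format_perms(p)) for (s, t, c), p in rules.items()]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(generate_te(SAMPLE_AVCS))
```

Two caveats this report itself illustrates: the parser only sees what the audit log contains, so denials hidden by dontaudit rules (comment 6) never reach it until those rules are disabled; and a generated rule is a description of what was denied, not a recommendation to load it, since the same access may already be covered by a boolean (the audit2allow comment in comment 3 flags rsync_export_all_ro) or by the fixed policy build named in this report, selinux-policy-3.7.19-184.el6.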
Comment 7 Miroslav Grepl 2012-12-03 03:10:25 EST
Yes, it will be covered by new rules.
Comment 10 Orion Poplawski 2012-12-11 10:45:40 EST
Looks good to me.  Thanks!
Comment 13 errata-xmlrpc 2013-02-21 03:32:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
