[DSE-User] Allow rsync to change all types of files
Marcus Husar
marcus.husar at rose.uni-heidelberg.de
Thu Feb 19 11:39:14 UTC 2009
Hi,
a few weeks ago (about 4) I wrote to this list because of problems with
some scripts for backup purposes. Since my questions were rather idiotic
I got no answer. So I studied lots of documentation, blogs and mailing
lists (Fedora, RHEL, Dan Walsh, Russell Coker and others).
I learned how to use the policycoreutils (Debian stable) and sealert
from setroubleshoot-plugins (testing). Rsync is used by scripts run by
cron. They write to /srv/backup/. So I changed the file context and
allowed rsync to write to it.

    chcon -R -t public_content_rw_t /srv/backup
    semanage fcontext -a -t public_content_rw_t "/srv/backup(/.*)?"
    setsebool -P allow_rsync_anon_write=1

But I still get AVC-messages like this one:
type=AVC msg=audit(1234998002.420:66): avc: denied { setattr } for
pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340
scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
Okay, the problem was that the file is a block device file. I get
similar messages for capability, fd, fifo_file, sock_file and
tcp_socket. I could write a module that covers all those types of files
and all permissions. But what if I have to back up a new type called
"foo_file"? This would break my backup scripts.
How can I allow rsync to change all types of files in file context
public_content_rw_t?
Marcus
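
The denials described in the message above can be grouped by source type, target type and object class to show which allow rules they correspond to. This is an added example, not part of the original post: the function names are hypothetical, and only the first sample record comes from the message (joined onto one line); the other three are constructed.

```python
import re
from collections import defaultdict

# One record per line, as in audit.log. The first is the denial quoted in the
# post, joined onto one line; the other three are constructed for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1234998002.420:66): avc: denied { setattr } for pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
type=AVC msg=audit(1234998002.431:67): avc: denied { create setattr } for pid=22974 comm="rsync" name="ctl" scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=fifo_file
type=AVC msg=audit(1234998002.440:68): avc: denied { chown } for pid=22974 comm="rsync" capability=0 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1234998003.002:69): avc: denied { write } for pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render one allow rule per key; a domain targeting itself becomes 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def classes_on(denials, target_type):
    """Object classes for which denials hit the given target type."""
    return sorted(cls for (_, tgt, cls) in denials if tgt == target_type)

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("\n".join(allow_rules(found)))
    print("classes on public_content_rw_t:", classes_on(found, "public_content_rw_t"))
```

The grouping separates denials on objects labeled public_content_rw_t from those, such as capability, that are checks on the rsync_t domain itself and are unaffected by the label on /srv/backup.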