[DSE-User] Allow rsync to change all types of files

Marcus Husar marcus.husar at rose.uni-heidelberg.de
Fri Feb 20 07:58:02 UTC 2009


Hello again,

I still get the same messages but found out that it depends definitively
on the "tclass". I made an incorrect assumption by taking too old data
into account.

setsebool -P allow_rsync_anon_write=1

Setsebool does (exactly) what I want. I have set these booleans to on:

allow_rsync_anon_write --> on
rsync_export_all_ro --> on

This must be a default value (20080702-14) because it needs a second
boolean to work:

daemon_access_unconfined_home --> on

The problem is that SELinux prevents rsync from doing getattr/setattr
(extended attributes are not enabled, no -X). Only 4 "tclasses" are
affected at the moment and all came from /dev: blk_file, chr_file,
fifo_file, sock_file.

I have written a module to solve this problem. Is it a security problem?

module rsync_file_type 1.0;

require {
	type rsync_t;
	attribute file_type;
	# The denials were logged for the device/special-file classes,
	# not for plain files, so these are the classes the rule must name.
	class blk_file { getattr setattr };
	class chr_file { getattr setattr };
	class fifo_file { getattr setattr };
	class sock_file { getattr setattr };
}

#============= rsync_t ==============
# file_type is the attribute carried by every file-labelled type, so this
# grants getattr/setattr on such objects of any type, not only
# public_content_rw_t.
allow rsync_t file_type:{ blk_file chr_file fifo_file sock_file } { getattr setattr };

Another option would be not to back up /dev.

Is it possible to adjust the policy? I think this would be no problem
because rsync is not allowed to read/write /dev on local machines.

Best wishes, Marcus

On 02/19/2009 12:39 PM, Marcus Husar wrote:
> Hi,
> 
> a few weeks ago (about 4) I wrote to this list because of problems with
> some scripts for backup purposes. Since my questions were rather idiotic
> I got no answer. So I studied lots of documentation, blogs and mailing
> lists (Fedora, RHEL, Dan Walsh, Russell Coker and others).
> 
> I learned how to use the policycoreutils (Debian stable) and sealert
> from setroubleshoot-plugins (testing). Rsync is used by scripts run by
> cron. They write to /srv/backup/. So I changed the file context and
> allowed rsync to write to it.
> 
> chcon -R -t public_content_rw_t /srv/backup
> semanage fcontext -a -t public_content_rw_t "/srv/backup(/.*)?"
> setsebool -P allow_rsync_anon_write=1
> 
> But I still get AVC-messages like this one:
> 
> type=AVC msg=audit(1234998002.420:66): avc:  denied  { setattr } for
> pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340
> scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
> 
> Okay, the problem was that the file is a block device file. I get
> similar messages for capability, fd, fifo_file, sock_file and
> tcp_socket. I could write a module that covers all those types of files
> and all permissions. But what if I have to back up a new type called
> "foo_file"? This would break my backup scripts.
> 
> How can I allow rsync to change all types of files in file context
> public_content_rw_t?
> 
> Marcus
> 
> _______________________________________________
> Selinux-user mailing list
> Selinux-user at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/selinux-user
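As an added example (not part of the thread, and not the policycoreutils audit2allow tool it refers to): a small Python script that does the aggregation step audit2allow performs, reading AVC records, grouping the denied permissions by source type, target type and object class, and rendering the require/allow statements a module needs. The first record is the one quoted above joined onto a single line; the chr_file, fifo_file and sock_file records and the module name rsync_devfiles are constructed for illustration and are not from the list. The generated rule targets public_content_rw_t rather than the file_type attribute, which is the narrower grant; a new object class such as the "foo_file" of the earlier mail simply appears as another allow line. The script only prints policy source; building and loading it (checkmodule, semodule_package, semodule) is not done here.

```python
"""Derive a minimal SELinux allow-rule set from AVC denial records.

Denied permissions are grouped by (source type, target type, object class)
and rendered as the require/allow statements of a checkmodule-style policy
module. The sample records below are embedded so the script runs offline;
no audit.log is read.
"""
import re
from collections import defaultdict

# Matches the fields of an AVC denial record that a policy rule depends on.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Constructed sample input. The first record is the one quoted in the thread,
# joined onto one line; the remaining AVC records are invented for the other
# three object classes named there, plus one non-AVC record that must be skipped.
SAMPLE_AVC = [
    'type=AVC msg=audit(1234998002.420:66): avc:  denied  { setattr } for  pid=22974 comm="rsync" '
    'name="sdb" dev=dm-5 ino=11387340 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1234998003.101:67): avc:  denied  { getattr } for  pid=22974 comm="rsync" '
    'name="tty0" dev=dm-5 ino=11387341 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1234998003.102:68): avc:  denied  { getattr setattr } for  pid=22974 comm="rsync" '
    'name="initctl" dev=dm-5 ino=11387342 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=fifo_file',
    'type=AVC msg=audit(1234998003.103:69): avc:  denied  { setattr } for  pid=22974 comm="rsync" '
    'name="log" dev=dm-5 ino=11387343 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1234998003.103:69): arch=c000003e syscall=90 success=no exit=-13',
]


def context_type(ctx):
    """Return the type field (third colon-separated part) of a security context."""
    return ctx.split(":")[2]


def parse_avc(lines):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_module(name, rules):
    """Render policy-module source covering exactly the denials that were seen."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    # Hypothetical module name; save the output as rsync_devfiles.te to build it.
    print(render_module("rsync_devfiles", parse_avc(SAMPLE_AVC)))
```

Because the rules are keyed on the target type taken from tcontext, nothing outside public_content_rw_t is granted; if the backup tree later holds objects of a class not in the list, re-running the script over the new denials adds only that class.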