[DSE-User] Allow rsync to change all types of files

Marcus Husar marcus.husar at rose.uni-heidelberg.de
Fri Feb 20 08:58:56 UTC 2009


It's me again,

that solution didn't work (module rsync_file_type). Here is a new one
that works:

module rsync_from_dev 1.0;

require {
	type public_content_rw_t;
	type rsync_t;
	class blk_file { getattr setattr };
	class chr_file { getattr setattr };
	class fifo_file { getattr setattr };
	class sock_file { getattr setattr };
}

#============= rsync_t ==============
allow rsync_t public_content_rw_t:{ blk_file chr_file fifo_file
sock_file } { getattr setattr };

Is this intended not to work in standard policy?

Best wishes, Marcus

On 02/20/2009 08:58 AM, Marcus Husar wrote:
> Hello again,
> 
> I still get the same messages but found out that it depends definitely
> on the "tclass". I made an incorrect assumption by taking too old data
> into account.
> 
> setsebool -P allow_rsync_anon_write=1
> 
> Setsebool does (exactly) what I want. I have set these booleans to on:
> 
> allow_rsync_anon_write --> on
> rsync_export_all_ro --> on
> 
> This must be a default value (20080702-14) because it needs a second
> boolean to work:
> 
> daemon_access_unconfined_home --> on
> 
> The problem is that SELinux prevents rsync from doing getattr/setattr
> (extended attributes are not enabled, no -X). Only 4 "tclasses" are
> affected at the moment and all came from /dev: blk_file, chr_file,
> fifo_file, sock_file.
> 
> I have written a module to solve this problem. Is it a security problem?
> 
> module rsync_file_type 1.0;
> 
> require {
> 	type rsync_t;
> 	class file { getattr setattr };
> 	attribute file_type;
> }
> 
> #============= rsync_t ==============
> allow rsync_t file_type:file { getattr setattr };
> 
> Another option would be not to back up /dev.
> 
> Is it possible to adjust the policy? I think this would be no problem
> because rsync is not allowed to read/write /dev on local machines.
> 
> Best wishes, Marcus
> 
> On 02/19/2009 12:39 PM, Marcus Husar wrote:
>> Hi,
>>
>> a few weeks ago (about 4) I wrote to this list because of problems with
>> some scripts for backup purposes. Since my questions were rather idiotic
>> I got no answer. So I studied lots of documentation, blogs and mailing
>> lists (Fedora, RHEL, Dan Walsh, Russell Coker and others).
>>
>> I learned how to use the policycoreutils (Debian stable) and sealert
>> from setroubleshoot-plugins (testing). Rsync is used by scripts run by
>> cron. They write to /srv/backup/. So I changed the file context and
>> allowed rsync to write to it.
>>
>> chcon -R -t public_content_rw_t /srv/backup
>> semanage fcontext -a -t public_content_rw_t "/srv/backup(/.*)?"
>> setsebool -P allow_rsync_anon_write=1
>>
>> But I still get AVC messages like this one:
>>
>> type=AVC msg=audit(1234998002.420:66): avc:  denied  { setattr } for
>> pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340
>> scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
>>
>> Okay, the problem was that the file is a block device file. I get
>> similar messages for capability, fd, fifo_file, sock_file and
>> tcp_socket. I could write a module that covers all those types of files
>> and all permissions. But what if I have to back up a new type called
>> "foo_file"? This would break my backup scripts.
>>
>> How can I allow rsync to change all types of files in file context
>> public_content_rw_t?
>>
>> Marcus
>>
>> _______________________________________________
>> Selinux-user mailing list
>> Selinux-user at lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/selinux-user
> 
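As an added illustration (not code from the thread or from the Debian policy), the Python script below does mechanically what the thread works out by hand: it parses AVC denial lines of the shape quoted above, keeps only the denials from rsync_t against public_content_rw_t, and emits a .te module with one allow rule per distinct permission set, so a class that was only ever denied getattr does not also receive setattr. The sample lines are constructed: the first is the quoted denial joined onto one line (the mail wrapped it), the rest are made up in the same shape, including one denial against shadow_t to show that the filter reports off-target denials instead of folding them into the rule, which is the difference between this and the over-broad file_type rule from the earlier module. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the thread joined
# onto a single line; the others are made up in the same shape to exercise
# grouping by class and the target-type filter (the shadow_t line is
# deliberately off target and must not end up in the generated rule).
SAMPLE_AVC = """\
type=AVC msg=audit(1234998002.420:66): avc:  denied  { setattr } for pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
type=AVC msg=audit(1234998002.421:67): avc:  denied  { getattr } for pid=22974 comm="rsync" name="sdb" dev=dm-5 ino=11387340 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=blk_file
type=AVC msg=audit(1234998002.430:68): avc:  denied  { getattr setattr } for pid=22974 comm="rsync" name="tty0" dev=dm-5 ino=11387341 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=chr_file
type=AVC msg=audit(1234998002.440:69): avc:  denied  { getattr } for pid=22974 comm="rsync" name="initctl" dev=dm-5 ino=11387342 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=fifo_file
type=AVC msg=audit(1234998002.450:70): avc:  denied  { getattr } for pid=22974 comm="rsync" name="log" dev=dm-5 ino=11387343 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=sock_file
type=AVC msg=audit(1234998002.460:71): avc:  denied  { read } for pid=22974 comm="rsync" name="shadow" dev=dm-5 ino=11387344 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Pulls the permission set, both contexts and the object class out of one
# audit line; everything between "for" and "scontext=" is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))


def collect_rules(lines, source_type, target_type):
    """Union the denied permissions per object class for one (source, target) pair.

    Denials involving any other type pair are returned separately instead of
    being granted, so the result stays scoped to the backup tree's own type.
    """
    perms_by_class = defaultdict(set)
    skipped = []
    for src, tgt, tclass, perms in parse_avc(lines):
        if (src, tgt) == (source_type, target_type):
            perms_by_class[tclass] |= perms
        else:
            skipped.append((src, tgt, tclass, perms))
    return dict(perms_by_class), skipped


def render_module(name, source_type, target_type, perms_by_class):
    """Render a checkmodule-style .te file from the collected permissions.

    Classes that were denied the same permission set share one allow rule
    with a class set in braces; classes with a smaller set get their own
    rule, so nothing is granted beyond what was actually denied.
    """
    out = [f"module {name} 1.0;", "", "require {",
           f"\ttype {target_type};", f"\ttype {source_type};"]
    for tclass in sorted(perms_by_class):
        out.append(f"\tclass {tclass} {{ {' '.join(sorted(perms_by_class[tclass]))} }};")
    out += ["}", "", f"#============= {source_type} =============="]
    groups = defaultdict(list)  # frozenset(perms) -> [classes sharing that set]
    for tclass in sorted(perms_by_class):
        groups[frozenset(perms_by_class[tclass])].append(tclass)
    for perms, classes in sorted(groups.items(), key=lambda kv: kv[1]):
        cls = classes[0] if len(classes) == 1 else "{ " + " ".join(classes) + " }"
        out.append(f"allow {source_type} {target_type}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules, skipped = collect_rules(SAMPLE_AVC.splitlines(), "rsync_t", "public_content_rw_t")
    print(render_module("rsync_from_dev", "rsync_t", "public_content_rw_t", rules))
    for src, tgt, tclass, perms in skipped:
        print(f"# not granted: {src} -> {tgt}:{tclass} {sorted(perms)}")
```

Run against the constructed lines it prints a module with two rules, `{ blk_file chr_file } { getattr setattr }` and `{ fifo_file sock_file } { getattr }`, and lists the shadow_t denial as not granted. The generated .te can be built and loaded with the standard tools the thread's modules also go through (`checkmodule -M -m -o`, `semodule_package -o ... -m ...`, `semodule -i`); those commands are not shown on the page and are named here only as the usual path. Review the `skipped` list before loading: a denial outside the backup type is a reason to look at what rsync was pointed at, not a reason to widen the rule.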