Backups with rsync totally broken in Fedora 18

Daniel J Walsh dwalsh at redhat.com
Mon Jan 21 18:01:11 UTC 2013

On 01/18/2013 09:29 PM, David Highley wrote:
> "David Highley wrote:"
>> 
>> "Daniel J Walsh wrote:"
>>> 
> On 01/18/2013 09:20 AM, David Highley wrote:
>>>>> Upgraded a test box to Fedora 18 and have tried to get rsync
>>>>> backups to it working. Looked at many discussions about backing up
>>>>> in a selinux environment and all discussions seemed to be
>>>>> incomplete.
>>>>> 
>>>>> Most indicate you should not keep selinux labels, but none of those
>>>>> discussions indicate what options to change. After working on a
>>>>> thousand line policy file I'm beginning to think you just want to
>>>>> completely turn off any audit of the rsync domain.
>>>>> 
>>>>> Is this how we should approach backups? If you do not preserve
>>>>> selinux labels what should the backup location get labeled to?
>>>>> 
>>>>> I'm surprised as long as selinux has been in use that a template
>>>>> with details has not been defined for this. By the way I had just
>>>>> submitted an enhancement bug report for rsync with examples of
>>>>> getting it to function with systemd control.
>>>>> -- selinux mailing list selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> 
> Does this help?
> 
> http://danwalsh.livejournal.com/61646.html
>>> 
>>> I had found and read this information, but was not sure from it and the
>>> other discussions that it was the right direction and if the right 
>>> direction that it had complete information for doing the
>>> implementation.
>>> 
>>> Has anyone tried this and has it worked out? Do you define the backup 
>>> area as unconfined_u and relabel everything to that?
>>> 
> 
>> OK, making rsync_t an unconfined domain gets rid of the AVCs. I still
>> have concerns that it is just opening up a bad hole in the system. Is
>> there a way of scoping it to only the backup area and/or maybe forcing
>> whatever is copied to a benign state by labeling it to something safe?
> 

Well, rsync_t policy is for running rsync as a daemon, not as a client.

/usr/lib/systemd/system/rsyncd.service

I just checked a fix into the policy so that only rsyncd when run as a service
will transition to rsync_t.  But if you run it from a script or an application
running as initrc_t, it will stay as the current domain.

If you are only running rsync as a client, adding unconfined_domain(rsync_t)
will not give it more privs than initrc_t already has.
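As an added illustration (not part of the thread, and not Fedora's own policy source), this is what "adding unconfined_domain(rsync_t)" looks like as a local policy module in refpolicy .te syntax. The module name local_rsync_unconfined is this example's own choice; rsync_t and the unconfined_domain() interface are the real names discussed above.

```te
# Added example, not from the thread: a local policy module that makes
# rsync_t an unconfined domain, as discussed above.
# Module name "local_rsync_unconfined" is an assumption of this example.
# Build with the policy devel Makefile (selinux-policy-devel), which
# expands the refpolicy macros; plain checkmodule does not:
#   make -f /usr/share/selinux/devel/Makefile local_rsync_unconfined.pp
#   semodule -i local_rsync_unconfined.pp

policy_module(local_rsync_unconfined, 1.0)

require {
    # rsync_t is the daemon domain; per the reply above, rsync only enters
    # it when started from rsyncd.service, not when run from a script.
    type rsync_t;
}

# unconfined_domain() is the refpolicy interface that gives a domain the
# same broad access as unconfined_t. It only matters if the rsync process
# actually runs as rsync_t; a client started from an initrc_t script keeps
# the caller's domain and is unaffected by this module.
unconfined_domain(rsync_t)
```

Before loading something this broad, confirm with `ps -eZ | grep rsync` which domain the failing rsync process is in: if it shows initrc_t rather than rsync_t, the denials are not rsync_t's and this module changes nothing. `ls -dZ` on the backup tree shows which file type the copied data actually ends up with, which is the starting point for the narrower, per-directory scoping asked about above.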