Backups with rsync totally broken in Fedora 18

David Highley dhighley at highley-recommended.com
Wed Jan 23 15:26:16 UTC 2013 

"Daniel J Walsh wrote:"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 01/22/2013 03:36 PM, David Highley wrote:
> > "Daniel J Walsh wrote:"
> >> 
> > On 01/22/2013 12:32 PM, David Highley wrote:
> >>>> "Daniel J Walsh wrote:"
> >>>>> 
> >>>> On 01/22/2013 09:39 AM, David Highley wrote:
> >>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>> 
> >>>>>>> On 01/21/2013 06:13 PM, David Highley wrote:
> >>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>> 
> >>>>>>>>>> On 01/21/2013 12:49 PM, David Highley wrote:
> >>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>> 
> >>>>>>>>>>>>> On 01/18/2013 09:29 PM, David Highley wrote:
> >>>>>>>>>>>>>>>> "David Highley wrote:"
> >>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>> "Daniel J Walsh wrote:"
> >>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>> On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>>>>>>>>>>>>>>>>> Upgraded a test box to Fedora 18 and
> >>>>>>>>>>>>>>>>>>>> have tried to get rsync backups to it
> >>>>>>>>>>>>>>>>>>>> working. Looked at many discussions
> >>>>>>>>>>>>>>>>>>>> about backing up in a selinux
> >>>>>>>>>>>>>>>>>>>> environment and all discussions
> >>>>>>>>>>>>>>>>>>>> seemed to be incomplete.
> >>>>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>>>> Most indicate you should not keep
> >>>>>>>>>>>>>>>>>>>> selinux labels, but none of those
> >>>>>>>>>>>>>>>>>>>> discussion indicate what options to
> >>>>>>>>>>>>>>>>>>>> change. After working on a thousand
> >>>>>>>>>>>>>>>>>>>> line policy file I'm beginning to
> >>>>>>>>>>>>>>>>>>>> think you just want to completely
> >>>>>>>>>>>>>>>>>>>> turn off any audit of the rsync 
> >>>>>>>>>>>>>>>>>>>> domain.
> >>>>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>>>> Is this how we should approach
> >>>>>>>>>>>>>>>>>>>> backups? If you do not preserve
> >>>>>>>>>>>>>>>>>>>> selinux labels what should the backup
> >>>>>>>>>>>>>>>>>>>> location get labeled to?
> >>>>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>>>> I'm surprised as long as selinux has
> >>>>>>>>>>>>>>>>>>>> been in use that a template with
> >>>>>>>>>>>>>>>>>>>> details has not been defined for
> >>>>>>>>>>>>>>>>>>>> this. By the way I had just submitted
> >>>>>>>>>>>>>>>>>>>> an enhancement bug report for rsync
> >>>>>>>>>>>>>>>>>>>> with examples of getting it to 
> >>>>>>>>>>>>>>>>>>>> function with systemd control. --
> >>>>>>>>>>>>>>>>>>>> selinux mailing list 
> >>>>>>>>>>>>>>>>>>>> selinux at lists.fedoraproject.org 
> >>>>>>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>
> >>>>>>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>>>>> 
> Does this help?
> >>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>> http://danwalsh.livejournal.com/61646.html
> >>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>> I had found and read this information,
> >>>>>>>>>>>>>>>>>> but was not sure from it and the other
> >>>>>>>>>>>>>>>>>> discussions that it was the right
> >>>>>>>>>>>>>>>>>> direction and if the right direction that
> >>>>>>>>>>>>>>>>>> it had complete information for doing the
> >>>>>>>>>>>>>>>>>> implementation.
> >>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>> Has anyone tried this and has it worked
> >>>>>>>>>>>>>>>>>> out? Do you define the backup area as
> >>>>>>>>>>>>>>>>>> unconfined_u and relabel everything to
> >>>>>>>>>>>>>>>>>> that?
> >>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>> OK, making rsync_t and unconfined domain
> >>>>>>>>>>>>>>>>> gets rid of the AVCs. I still have concerns
> >>>>>>>>>>>>>>>>> that it is just opening up a bad whole in
> >>>>>>>>>>>>>>>>> the system. Is there a way of scoping it to
> >>>>>>>>>>>>>>>>> only the back up area and or maybe forcing
> >>>>>>>>>>>>>>>>> what ever is copied to a benign state by
> >>>>>>>>>>>>>>>>> labeling it to something safe?
> >>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>> -- selinux mailing list 
> >>>>>>>>>>>>>>>>> selinux at lists.fedoraproject.org
> >>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>
> >>>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>>> 
> - -- selinux mailing list selinux at lists.fedoraproject.org
> >>>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >
> >>>>>>>>>>>>>>>> 
> Well rsync_t policy if for running rsync as a daemon not as a
> >>>>>>>>>>>>> client.
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>> /usr/lib/systemd/system/rsyncd.service
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>> I just checked a fix into the policy so that only
> >>>>>>>>>>>>> rsynd when run as a service will transition to
> >>>>>>>>>>>>> rsync_t.  But if you run it from a script or an
> >>>>>>>>>>>>> application running as initrc_t, it will stay as
> >>>>>>>>>>>>> the current domain.
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>>> Thanks, will check again when it is available. We
> >>>>>>>>>>>>>> are using rsync as daemon spond by systemd.
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>> If you are only running rsync as a client, adding 
> >>>>>>>>>>>>> unconfined_domain(rsync_t) will not give it more
> >>>>>>>>>>>>> privs that initrc_t already has.
> >>>>>>>>>>>>>> 
> >>>>>>>>>>>>> 
> >>>>>>>>>>>>> 
> >>>>>>>>>> 
> >>>>>>>>>> Ok then that is different, what is broken for you?
> >>>>>>>>>> Without the unconfined_domain(rsync_t)?
> >>>>>>>>>> 
> >>>>>>>>>> Sorry for the confusion.
> >>>>>>>>>> 
> >>>>>>>>>>> OK, maybe the issue of confusion is what is the client
> >>>>>>>>>>> and what is the server in the process. We have systems
> >>>>>>>>>>> that we back up to, servers. They run rsyncd via
> >>>>>>>>>>> systemd port activation requests. We have clients that
> >>>>>>>>>>> run cron jobs to push back ups to one or more backup
> >>>>>>>>>>> systems.
> >>>>>>>>>> 
> >>>>>>>>>>> What we see with Fedora 18 selinux on the backup
> >>>>>>>>>>> servers block everything. When I mean everything it
> >>>>>>>>>>> seems to block almost all operations from getattr to
> >>>>>>>>>>> relabel to unlink, name it, it is blocked.
> >>>>>>>>>> 
> >>>>>>>>>>> This pretty much just worked for Fedora 16 and 17.
> >>>>>>>>>> 
> >>>>>>>>>>> 
> >>>>>>>>>> -- selinux mailing list selinux at lists.fedoraproject.org 
> >>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>>>> 
> >>>>>>> Could you send me a compresses audit.log?
> >>>>>>> 
> >>>>>>>> Attached bzip2 file.
> >>>>>>> 
> >>>>>>>> 
> >>>> 
> >>>> This looks like you are having your rsync server accepts files from
> >>>> a remote machine and then writing them to anywhere on the local
> >>>> machine. Meaning you really need to have rules like:
> >>>> 
> >>>>> Not really, the rsync configuration file defines where the back ups
> >>>>> go by system all under one directory. So one of my previous
> >>>>> questions was can we identify that area to selinux? Sould we
> >>>>> relabel the back up area? If we define it some how then we assume a
> >>>>> complete relabel of the storage would do the right thing.
> >>>> 
> >>>> 
> >>>> 
> >>>> allow rsync_t file_type:file    create_file_perms;
> >>>> 
> >>>> Or a boolean like ftp_full_access
> >>>> 
> >>>> tunable_policy(`ftpd_full_access',` allow ftpd_t self:capability { 
> >>>> dac_override dac_read_search };
> >>>> files_manage_non_security_files(ftpd_t) ')
> >>>> 
> >>>> FOr rsync.
> >>>>> 
> > 
> > I thought the way you were supposed to use rsync was to pick a subdir
> > where rsync would write its data to, and then label this rsync_data_t. But
> > in your case it looks like the rsync server is trying to maintain the
> > labels that it gets from the remote end?  If it is not actually trying to
> > overwrite local labels.
> > 
> >> Ah, the answer I have been trying to get to. The policies expect the back
> >> up area to be labeled rsync_data_t. So the fix is not to preserve labels
> >> and to define to selinux the back up area by labeling it to rsync_data_t.
> >> That should do it. In all the researching I never found or remember
> >> seeing that the back up area should be labled rsync_data_t. Thanks
> > 
> >> 
> 
> man rsync_selinux
> ...
>        rsync_data_t
> 
>        -  Set files with the rsync_data_t type, if you want to treat the files
>        as rsync content.

Egg on face, missed that information somehow. Thanks Dan. Now if there
were just a better/faster way to change the labels to rsync_data_t.
Still experimenting on rsync options to not preserve labels. There seems
to be no direct documentation on this. Many references on the internet
indicate to remove the -X option, but that does not so far seem to be
the complete answer.

> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlD++NUACgkQrlYvE4MpobMOYQCg5+fbjD1VU8GfIPh3rBHcf1RS
> gJ0AoKeT/BPPIiMwt8B2xv43+B91wg/K
> =xu4O
> -----END PGP SIGNATURE-----
>

More information about the selinux mailing list