To summarize what the solution was for doing rsync backups on Fedora
18, where we have clients initiating rsync backups via cron jobs to backup
servers where rsync is run by connection requests via systemd:

- Stopped preserving SELinux attributes by removing the -X option from
  the rsync command.
- Relabel the backup storage area by doing a
  semanage fcontext -a -t rsync_data_t </path>'(/.*)?'
- On the backup servers: setsebool -P rsync_client on

We still ended up needing the following policy:

module local_rsync 1.0;  # module name is a placeholder
require {
    type rsync_t;
    type rsync_data_t;
    class sock_file getattr;
    class capability net_admin;
}
#============= rsync_t ==============
allow rsync_t rsync_data_t:sock_file getattr;
allow rsync_t self:capability net_admin;

Dan Walsh believes the last rule may be a kernel bug, which showed up
today on Fedora 16 with the kernel version 3.6.11-4 update. If you want to
be able to query the backup server by doing an rsync <host>:: we need
this rule for sshd:

allow sshd_t rsync_data_t:file read;

Should we submit any bug reports from this effort? If so, which
subsystems should they be submitted against? Dan, thank you for all the
support effort to resolve these issues.
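
Added example, not part of the original message: Python code that performs the denial-to-rule mapping audit2allow does, showing how the three allow rules quoted above (and the class lines of the require block) follow from AVC denials. The audit log lines are constructed for illustration (pids, paths, inode numbers and timestamps are invented), and the module name local_rsync is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the original message); they mirror
# the three rules quoted in the post. Paths, pids and timestamps are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358870400.101:501): avc:  denied  { getattr } for  pid=2101 comm="rsync" path="/backup/example/run/app.sock" dev="sdb1" ino=4242 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_data_t:s0 tclass=sock_file
type=AVC msg=audit(1358870400.205:502): avc:  denied  { net_admin } for  pid=2101 comm="rsync" capability=12  scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:rsync_t:s0 tclass=capability
type=AVC msg=audit(1358870460.310:517): avc:  denied  { read } for  pid=2188 comm="sshd" name="example.txt" dev="sdb1" ino=4300 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rsync_data_t:s0 tclass=file
"""

# The SELinux type is the third field of user:role:type:level; level may contain ':'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def fmt(perms):
    """Render one permission bare, several as a braced set."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def denials_to_rules(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            grouped[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(grouped)

def render_module(grouped, name="local_rsync"):  # module name is a placeholder
    types = sorted({t for s, tg, _ in grouped for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in grouped.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt  # same domain is written as 'self'
        out.append(f"allow {src} {target}:{cls} {fmt(perms)};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module(denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Reading the source type, target type and class of each rule back against the denial that produced it is a quick way to review a local module before loading it.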