On 01/29/2013 10:57 PM, David Highley wrote:
> To summarize what the solution was for doing rsync back ups on Fedora 18
> where we have clients initiating rsync back ups via cron jobs to back up
> servers where rsync is run by connection requests via systemd control.
>
> - Stopped preserving selinux attributes by removing the -X option from
>   the rsync command.
> - Relabel the back up storage area by doing a
>   semanage fcontext -a -t rsync_data_t </path>'(/.*)?'
> - On the back up servers; setsebool -P rsync_client on
>
> We still ended up needing the following policy:
>
>   policy_module(my_rsync, 1.0)
>
>   require {
>       type rsync_data_t;
>       type rsync_t;
>       class sock_file getattr;
>       class capability net_admin;
>   }
>
>   #============= rsync_t ==============
>   allow rsync_t rsync_data_t:sock_file getattr;
>   allow rsync_t self:capability net_admin;
>
> Dan Walsh believes the last rule may be a kernel bug which showed up today
> on Fedora 16 with kernel version 3.6.11-4 update. If you want to be able to
> query the back up server by doing an rsync <host>:: we need this rule for
> sshd:
>
>   allow sshd_t rsync_data_t:file read;
>
> Should we submit any bug reports from this effort? If so, which subsystems
> should they be submitted against? Dan, thank you for all the support effort
> to resolve these issues.
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Yes, open a bug report on selinux-policy, and we will follow up on it there.
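The backup-server steps summarized in the quoted message, collected into one script (an added example, not code from the thread). The `/srv/backup` default, the function names, the `restorecon` step and the build through the `selinux-policy-devel` Makefile are assumptions; the script only prints the commands unless it is run as root with `--apply`.

```shell
#!/bin/bash
# Added example: apply the rsync backup labeling, boolean and local module.
set -u
BACKUP_DIR="${BACKUP_DIR:-/srv/backup}"      # assumed; the thread elides the path
DEVEL_MK=/usr/share/selinux/devel/Makefile   # shipped by selinux-policy-devel

# Write the module source as posted in the thread into directory $1.
write_te() {
    cat > "$1/my_rsync.te" <<'EOF'
policy_module(my_rsync, 1.0)

require {
    type rsync_data_t;
    type rsync_t;
    class sock_file getattr;
    class capability net_admin;
}

allow rsync_t rsync_data_t:sock_file getattr;
allow rsync_t self:capability net_admin;
EOF
}

# Print the command in dry-run mode (the default), otherwise execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# $1 = backup storage directory, $2 = scratch directory for the module build.
apply() {
    local dir="$1" work="$2"
    write_te "$work" &&
    run semanage fcontext -a -t rsync_data_t "${dir}(/.*)?" &&
    run restorecon -R -v "$dir" &&   # relabel files that already exist
    run setsebool -P rsync_client on &&
    run make -C "$work" -f "$DEVEL_MK" my_rsync.pp &&
    run semodule -i "$work/my_rsync.pp"
}

# Confirm the boolean, the loaded module and the label on the storage root.
verify() { getsebool rsync_client && semodule -l | grep '^my_rsync' && ls -dZ "$1"; }

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0 apply "$BACKUP_DIR" "$(mktemp -d)" && verify "$BACKUP_DIR"
fi
```

The `-X` change from the first step is made on the clients' rsync command lines and is not part of this script.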