On Thu, 9 Jul 2009 13:15:08 +1000
Scott Radvan <sradvan(a)redhat.com> wrote:
Hi all,
Having a bit of trouble with rsync on F11 for the managing confined
services book I am working on.
I am trying to demonstrate the allow_rsync_anon_write boolean as a
configuration example by invoking a denial and detailing the
subsequent work-around, but rsyncd is happily letting me anonymously
read and write files across the network no matter the state of the
boolean.
The default install of F11 I'm using as a server has a simple 'files'
rsyncd module (in daemon mode) set up in rsyncd.conf which by itself
should allow access anonymously, but my understanding is that SELinux
should still override this and stop anonymous writes even with this
loose rsyncd setup.
/etc/rsyncd.conf:
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
path = /srv/files
comment = file area
read only = false
From the F11 client:
$ rsync -avHPAX 100M_file <server_addr>::files
sending incremental file list
100M_file
104857600 100% 52.37MB/s 0:00:01 (xfer#1, to-check=0/1)
sent 104870493 bytes received 27 bytes 41948208.00 bytes/sec
total size is 104857600 speedup is 1.00
$
My rsync command is entered so that it will preserve extended
attributes (-X) and ACLs (-A), as shown in rsync(1).
But I am getting no denials or errors, SELinux does not seem to be
having a problem with me doing anonymous writes/reads with
allow_rsync_anon_write --> off
Perhaps I'm doing something wrong altogether, or misinterpreting this
boolean, but I would have thought SELinux would have a problem with me
performing this rsync operation while that boolean is off.
Further, rsync_selinux(8) says:
"SELinux requires files to have an extended attribute to define the
file type. Policy governs the access daemons have to these files. If
you want to share files using the rsync daemon, you must label the
files and directories public_content_t"
But my manually-created path for rsync files is var_t, as is the file
I copied over, with no denial mentioning public_content_t - is this
man page out of date?
My problem is that it all works too easily! I would have thought
SELinux would not at all be happy with what I'm doing, but I'm yet to
get a single denial.
The boolean controls the rsync daemon's ability to write to
public_content_rw_t files. The "anon" part of the boolean's name is
historical baggage really - it's nothing to do with how the rsync
daemon's authentication is set up.
Paul.
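As an added example, not code from Scott's or Paul's mail, here is the procedure Paul's answer implies, scripted for the F11 server: relabel the share to public_content_rw_t (the man page's public_content_t is the read-only label), then drive the boolean and look for the denial. The share path /srv/files and the module name come from Scott's rsyncd.conf; the ausearch denial lookup, the ps-based domain check and the helper names are my own assumptions about how a practitioner would drive the test on a Fedora host with audit and the targeted policy.

```shell
#!/bin/sh
# Added example (not from the thread): label the rsync share so that the
# allow_rsync_anon_write boolean actually governs it, then toggle the boolean
# and look for the resulting AVC. SHARE and the module name are taken from
# Scott's rsyncd.conf; the remaining commands are assumptions about how the
# demonstration would be driven on a Fedora host.

SHARE=/srv/files                    # "path =" from the [files] module
BOOL=allow_rsync_anon_write

# Extract the SELinux type from a context string such as
# "system_u:object_r:public_content_rw_t:s0" (third colon-separated field).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Current type of the share directory, read from its security context.
share_type() {
    selinux_type "$(stat -c %C "$SHARE")"
}

# Step 1: a hand-made directory under /srv inherits var_t, which is what Scott
# saw. The boolean is about public_content_rw_t, so give the share that label
# and record it in the file-context database so restorecon keeps it.
label_share() {
    semanage fcontext -a -t public_content_rw_t "${SHARE}(/.*)?"
    restorecon -R -v "$SHARE"
    [ "$(share_type)" = public_content_rw_t ] || {
        echo "relabel failed: $SHARE is $(share_type)" >&2
        return 1
    }
}

# Step 2: with the share labelled, the boolean decides whether the rsync
# daemon may write it. -P makes the setting persistent across reboots.
set_anon_write() {              # usage: set_anon_write on|off
    setsebool -P "$BOOL" "$1"
    getsebool "$BOOL"
}

# Step 3: rules keyed on this boolean apply to the daemon's confined domain,
# so check which domain rsync is actually running in before reading a missing
# denial as "SELinux allows it" (assumed check, not from the thread).
daemon_domain() {
    ps -eo label,comm | awk '$2 == "rsync" { print $1 }' | head -n 1
}

# Step 4: after a client push (rsync -av FILE server::files) with the boolean
# off, look for the AVC the write should have produced.
recent_denials() {
    ausearch -m avc -ts recent -c rsync 2>/dev/null
}

case "${1:-}" in
    setup) label_share && set_anon_write off ;;
    allow) set_anon_write on ;;
    check) echo "rsync domain: $(daemon_domain)"; recent_denials ;;
esac
```

Run it as root with `setup` before the client test, `check` after the push, and `allow` to flip the boolean on and repeat the push; a share still labelled var_t exercises none of the rules the boolean switches, which is why relabelling comes first.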