Hi all,
Having a bit of trouble with rsync on F11 for the managing confined services book I am working on.
I am trying to demonstrate the allow_rsync_anon_write boolean as a configuration example by invoking a denial and detailing the subsequent work-around, but rsyncd is happily letting me anonymously read and write files across the network no matter the state of the boolean.
The default install of F11 I'm using as a server has a simple 'files' rsyncd module (in daemon mode) set up in rsyncd.conf which by itself should allow access anonymously, but my understanding is that SELinux should still override this and stop anonymous writes even with this loose rsyncd setup.
/etc/rsyncd.conf:
log file = /var/run/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock

[files]
path = /srv/files
comment = file area
read only = false
From the F11 client:
$ rsync -avHPAX 100M_file <server_addr>::files
sending incremental file list
100M_file
   104857600 100%   52.37MB/s    0:00:01 (xfer#1, to-check=0/1)

sent 104870493 bytes  received 27 bytes  41948208.00 bytes/sec
total size is 104857600  speedup is 1.00
$
My rsync command is entered so that it will preserve extended attributes (-X) and ACLs (-A), as shown in rsync(1).
But I am getting no denials or errors; SELinux does not seem to be having a problem with me doing anonymous writes/reads with allow_rsync_anon_write --> off.
Perhaps I'm doing something wrong altogether, or misinterpreting this boolean, but I would have thought SELinux would have a problem with me performing this rsync operation while that boolean is off.
Further, rsync_selinux(8) says:
"SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files using the rsync daemon, you must label the files and directories public_content_t"
But my manually-created path for rsync files is var_t, as is the file I copied over, with no denial mentioning public_content_t - is this man page out of date?
My problem is that it all works too easily! I would have thought SELinux would not at all be happy with what I'm doing, but I'm yet to get a single denial.
What am I doing wrong?
Thanks,
On Thu, 9 Jul 2009 13:15:08 +1000 Scott Radvan sradvan@redhat.com wrote:
The boolean controls the rsync daemon's ability to write to public_content_rw_t files. The "anon" part of the boolean's name is historical baggage really - it's nothing to do with how the rsync daemon's authentication is set up.
Paul.
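An added example, not from the thread, that follows Paul's explanation: the boolean only matters once the share is labelled public_content_rw_t, so the script relabels the module path, then reports the resulting type and whether allow_rsync_anon_write now applies to it. It assumes the /srv/files path from the posted rsyncd.conf and the policycoreutils tools (semanage, restorecon, getsebool); the helper names are my own.

```shell
#!/bin/sh
# Added example (not the thread's own commands): make the rsyncd [files]
# module path one that allow_rsync_anon_write actually governs, and check it.
# Assumes policycoreutils and GNU stat; SHARE is the path from rsyncd.conf.
SHARE="${SHARE:-/srv/files}"

# Extract the type field (third colon-separated field) from a context string
# such as "unconfined_u:object_r:var_t:s0".
selinux_type_from_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if rsync daemon writes to files of this type are controlled by
# allow_rsync_anon_write, i.e. the type is public_content_rw_t. var_t (the
# poster's setup) and public_content_t (read-only sharing) are not covered,
# so the boolean has no effect on them.
write_governed_by_boolean() {
    [ "$1" = "public_content_rw_t" ]
}

# Persistently label the share public_content_rw_t and apply it on disk.
# Falls back to modifying an existing rule if one is already defined.
label_share_rw() {
    re="${SHARE}(/.*)?"
    semanage fcontext -a -t public_content_rw_t "$re" 2>/dev/null \
        || semanage fcontext -m -t public_content_rw_t "$re"
    restorecon -Rv "$SHARE"
}

# Report the share's current type and whether the boolean applies to it.
report_share() {
    ctx=$(stat -c %C "$SHARE")
    type=$(selinux_type_from_context "$ctx")
    if write_governed_by_boolean "$type"; then
        echo "$SHARE is $type: writes depend on $(getsebool allow_rsync_anon_write)"
    else
        echo "$SHARE is $type: allow_rsync_anon_write does not apply; run label_share_rw"
    fi
}

# Typical use, as root on the server:
#   report_share          # shows var_t -> boolean does not apply
#   label_share_rw && report_share
#   setsebool -P allow_rsync_anon_write on   # the work-around the book documents
```

With the share labelled public_content_rw_t and the boolean off, the daemon-mode write should now be denied and logged, which is the denial the original post was trying to provoke.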
selinux@lists.fedoraproject.org