Hi all,
I am running a daemon process (C++ program) on RHEL 6.6 with SELinux enabled. This process eventually executes "rsync" to do file-copy operation. It is failing with following error:
---------------------------------*8<* --------------------------------------------
rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/mnt/other_volume/testData": Permission denied (13).
---------------------------------*8<* --------------------------------------------
Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
Other testing data:
1) I tested this with "SELinux" disabled and rsync succeeds.
2) I tested this with "SELinux" enabled and launching process from terminal. In this case "rsync" works fine. So, it looks like it is something to do with "SELinux permissions" to process which do not have tty?
3) On other system RHEL 6.8, SELinux enabled, process as daemon: rsync works fine. I compared SELinux configuration of both these systems, but couldn't find anything to reason it out. If you need, I can attach SELinux configurations.
Thanks in advance,
Sachin
Hi Sachin,
Before looking into the policy differences between the two systems... Is there any reason you're not patching the RHEL6.6 system?
If it all works under RHEL6.8 then patching the RHEL6.6 system could get your daemon working.
Cheers
Phil
From: Sachin Gaikwad sachin.kernel@gmail.com
To: selinux@lists.fedoraproject.org
Date: 14/02/2017 15:17
Subject: SELinux enabled + rsync + Permission denied (13)
Hi all,
I am running a daemon process (C++ program) on RHEL 6.6 with SELinux enabled. This process eventually executes "rsync" to do file-copy operation. It is failing with following error:
---------------------------------8< --------------------------------------------
rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/mnt/other_volume/testData": Permission denied (13).
---------------------------------8< --------------------------------------------
Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
Other testing data:
1) I tested this with "SELinux" disabled and rsync succeeds.
2) I tested this with "SELinux" enabled and launching process from terminal. In this case "rsync" works fine. So, it looks like it is something to do with "SELinux permissions" to process which do not have tty?
3) On other system RHEL 6.8, SELinux enabled, process as daemon: rsync works fine. I compared SELinux configuration of both these systems, but couldn't find anything to reason it out. If you need, I can attach SELinux configurations.
Thanks in advance,
Sachin
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
On 14.02.2017 at 05:16, Sachin Gaikwad wrote:
> Hi all,
> I am running a daemon process (C++ program) on RHEL 6.6 with SELinux enabled. This process eventually executes "rsync" to do file-copy operation. It is failing with following error:
> ---------------------------------/8</--------------------------------------------
> rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
> rsync: ERROR: cannot stat destination "/mnt/other_volume/testData": Permission denied (13).
> ---------------------------------/8</--------------------------------------------
> Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
To start troubleshooting a SELinux problem I normally start with the aureport.
To get AVC message report about what has been blocked by SELinux within the last 10min:
sudo aureport --avc --start recent
Detailed messages for the last 10min:
sudo ausearch -m USER_AVC,AVC,SELINUX_ERR --start recent
> 3) On other system RHEL 6.8, SELinux enabled, process as daemon: rsync works fine. I compared SELinux configuration of both these systems, but couldn't find anything to reason it out. If you need, I can attach SELinux configurations.
so the easiest solution is maybe upgrade to EL 6.8 and get all the current (including *security*) updates?
- Thomas
On 02/14/2017 05:16 AM, Sachin Gaikwad wrote:
> Hi all,
> I am running a daemon process (C++ program) on RHEL 6.6 with SELinux enabled. This process eventually executes "rsync" to do file-copy operation. It is failing with following error:
Do you have SELinux policy for that daemon?
> ---------------------------------/8</--------------------------------------------
> rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
> rsync: ERROR: cannot stat destination "/mnt/other_volume/testData": Permission denied (13).
> ---------------------------------/8</--------------------------------------------
> Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
Your daemon runs in some SELinux domain and this domain doesn't have access to /home/foobar/source and /mnt/other_volume/testData.
Could you reproduce the scenario and then attach output of:
# ausearch -m AVC -ts recent
> Other testing data:
> 1) I tested this with "SELinux" disabled and rsync succeeds.
> 2) I tested this with "SELinux" enabled and launching process from terminal. In this case "rsync" works fine. So, it looks like it is something to do with "SELinux permissions" to process which do not have tty?
There is a difference between run daemon using "service" command and run it from terminal.
If you run it from terminal, in most cases daemon will inherit user SELinux domain, which is in "99%" unconfined_t domain. SELinux is not in game when you run it from terminal.
> 3) On other system RHEL 6.8, SELinux enabled, process as daemon: rsync works fine. I compared SELinux configuration of both these systems, but couldn't find anything to reason it out. If you need, I can attach SELinux configurations.
Okay, I would say issue will be in old policy from RHEL-6.6, but if you'll attach AVCs, we can create workaround for you.
Thanks, Lukas.
> Thanks in advance,
> Sachin
On Tue, Feb 14, 2017 at 2:42 PM, Lukas Vrabec lvrabec@redhat.com wrote:
> Okay, I would say issue will be in old policy from RHEL-6.6, but if you'll attach AVCs, we can create workaround for you.
Sorry for late response on this one. Here is the AVC output when rsync error happens:
bash # sudo ausearch -m USER_AVC,AVC,SELINUX_ERR --start recent
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.713:582): arch=c000003e syscall=80 success=no exit=-13 a0=245a9d0 a1=1 a2=0 a3=383437432d363339 items=0 ppid=5306 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.713:582): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.714:583): arch=c000003e syscall=80 success=no exit=-13 a0=245a9b0 a1=1 a2=0 a3=ffffffff items=0 ppid=5306 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.714:583): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.714:584): arch=c000003e syscall=4 success=no exit=-13 a0=2459360 a1=7fff5e86f6b0 a2=7fff5e86f6b0 a3=0 items=0 ppid=5308 pid=5309 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.714:584): avc: denied { getattr } for pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm" dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
Sachin
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
----- Original Message -----
From: "Sachin Gaikwad" sachin.kernel@gmail.com
To: "Lukas Vrabec" lvrabec@redhat.com
Cc: selinux@lists.fedoraproject.org
Sent: Friday, March 24, 2017 6:31:45 AM
Subject: Re: SELinux enabled + rsync + Permission denied (13)
> Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
We have two rsync booleans that could take care of this
rsync_export_all_ro - Allow rsync to export any files/directories read only
or
rsync_full_access - Allow rsync server to manage all files/directories on the system
On Fri, Mar 24, 2017 at 5:45 PM, Simon Sekidde ssekidde@redhat.com wrote:
> We have two rsync booleans that could take care of this
> rsync_export_all_ro - Allow rsync to export any files/directories read only
> or
> rsync_full_access - Allow rsync server to manage all files/directories on the system
I tried setting "rsync_full_access" boolean on RHEL 6.6 system - I get this error:
[bash]# setsebool -P rsync_full_access 1
Boolean rsync_full_access is not defined
> --
> Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
> gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
RHEL 6 policy does not come with "rsync_full_access" boolean.
Have you tried "rsync_export_all_ro"?
It covers the AVCs you submitted previously:
allow rsync_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow rsync_t initrc_tmp_t : dir { ioctl read getattr lock search open } ;
However, I would suggest to get your system up to date.
On 25/03/17 04:42, Sachin Gaikwad wrote:
> I tried setting "rsync_full_access" boolean on RHEL 6.6 system - I get this error:
> [bash]# setsebool -P rsync_full_access 1
> Boolean rsync_full_access is not defined
selinux@lists.fedoraproject.org
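The check described in the last reply, as an added example that is not part of the thread: it reduces each AVC record to source type, target type, class and permission, then tests every denial against the two allow rules quoted in that reply. The function names are hypothetical, and the fourth record (a `write` denial) is constructed to show a denial those read-only rules would not cover.

```shell
#!/bin/sh
# AVC records as posted in the thread (the type=AVC line of each event).
avc_from_thread() {
cat <<'EOF'
type=AVC msg=audit(1490264280.713:582): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:583): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:584): avc: denied { getattr } for pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm" dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
EOF
}

# Constructed record, NOT from the thread: a write on a home directory.
avc_constructed() {
cat <<'EOF'
type=AVC msg=audit(1490264300.000:600): avc: denied { write } for pid=6000 comm="rsync" name="testData" dev=dm-0 ino=1 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
EOF
}

# Allow rules exactly as quoted in the last reply.
rules_from_thread() {
cat <<'EOF'
allow rsync_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow rsync_t initrc_tmp_t : dir { ioctl read getattr lock search open } ;
EOF
}

# Read audit records on stdin; print each unique denial as
# "source_type target_type class permission".
avc_summary() {
  awk '
    /type=AVC/ && /denied/ {
      perms = ""; s = ""; t = ""; c = ""
      # The denied permissions sit between the braces.
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level; the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/) { c = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        key = s " " t " " c " " p[j]
        if (!(key in seen)) { seen[key] = 1; print key }
      }
    }'
}

# check_coverage RULES_FILE: read avc_summary lines on stdin and mark each
# one "covered" or "MISSING" according to the allow rules in RULES_FILE.
check_coverage() {
  awk -v rules="$1" '
    BEGIN {
      while ((getline line < rules) > 0) {
        if (line !~ /^allow /) continue
        gsub(/[{};:]/, " ", line)          # allow SRC TGT CLASS perm...
        n = split(line, f, " ")
        for (i = 5; i <= n; i++) ok[f[2] " " f[3] " " f[4] " " f[i]] = 1
      }
      close(rules)
    }
    { status = ($0 in ok) ? "covered" : "MISSING"; print status, $0 }'
}

coverage_demo() {
  rules_file=$(mktemp) || return 1
  rules_from_thread > "$rules_file"
  { avc_from_thread; avc_constructed; } | avc_summary | check_coverage "$rules_file"
  rm -f "$rules_file"
}

coverage_demo
```

On a live system the records would come from `ausearch -m AVC -ts recent` rather than the embedded sample.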