Backups with rsync totally broken in Fedora 18

David Highley dhighley at highley-recommended.com
Mon Jan 21 18:49:16 UTC 2013


"Daniel J Walsh wrote:"
> On 01/18/2013 09:29 PM, David Highley wrote:
> > "David Highley wrote:"
> >> 
> >> "Daniel J Walsh wrote:"
> >>> 
> > On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>> Upgraded a test box to Fedora 18 and have tried to get rsync
> >>>>> backups to it working. Looked at many discussions about backing up
> >>>>> in a selinux environment and all discussions seemed to be
> >>>>> incomplete.
> >>>>> 
> >>>>> Most indicate you should not keep selinux labels, but none of those
> >>>>> discussions indicate what options to change. After working on a
> >>>>> thousand line policy file I'm beginning to think you just want to
> >>>>> completely turn off any audit of the rsync domain.
> >>>>> 
> >>>>> Is this how we should approach backups? If you do not preserve
> >>>>> selinux labels what should the backup location get labeled to?
> >>>>> 
> >>>>> I'm surprised as long as selinux has been in use that a template
> >>>>> with details has not been defined for this. By the way I had just
> >>>>> submitted an enhancement bug report for rsync with examples of
> >>>>> getting it to function with systemd control.
> >>>>> -- selinux mailing list selinux at lists.fedoraproject.org
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>> 
> > Does this help?
> > 
> > http://danwalsh.livejournal.com/61646.html
> >>> 
> >>> I had found and read this information, but was not sure from it and the
> >>> other discussions that it was the right direction and if the right 
> >>> direction that it had complete information for doing the
> >>> implementation.
> >>> 
> >>> Has anyone tried this and has it worked out? Do you define the backup 
> >>> area as unconfined_u and relabel everything to that?
> >>> 
> > 
> >> OK, making rsync_t an unconfined domain gets rid of the AVCs. I still
> >> have concerns that it is just opening up a bad hole in the system. Is
> >> there a way of scoping it to only the backup area and/or maybe forcing
> >> whatever is copied to a benign state by labeling it to something safe?
> 
> Well, rsync_t policy is for running rsync as a daemon, not as a client.
> 
> /usr/lib/systemd/system/rsyncd.service
> 
> I just checked a fix into the policy so that only rsyncd when run as a service
> will transition to rsync_t.  But if you run it from a script or an application
> running as initrc_t, it will stay as the current domain.

Thanks, will check again when it is available. We are using rsync as a
daemon spawned by systemd.

> 
> If you are only running rsync as a client, adding unconfined_domain(rsync_t)
> will not give it more privs than initrc_t already has.


-- 

Regards,

David Highley
Highley Recommended, Inc.       Phone: (206) 669-0081
2927 SW 339th Street            WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
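As an added example (not code from the thread or from the Fedora policy), a POSIX shell snippet that parses ps -eZ output and reports which SELinux domain each rsync process is running in, which is the check behind Dan's distinction between the rsyncd.service instance (rsync_t) and rsync started from a script, which stays in the caller's domain such as initrc_t or unconfined_t. The ps lines are constructed sample output and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the SELinux domain of running
# rsync processes from "ps -eZ"-style output.  Only the daemon started by
# rsyncd.service is expected in rsync_t; rsync launched from a script or
# an application keeps the caller's domain (initrc_t, unconfined_t, ...).

# Read ps -eZ output on stdin; print "PID DOMAIN" for every rsync process.
# The first field is the context, e.g. system_u:system_r:rsync_t:s0,
# and its third colon-separated component is the type (domain).
rsync_domains() {
    awk '$NF ~ /^rsync/ {
            split($1, ctx, ":")
            print $2, ctx[3]
         }'
}

# Classify a domain: "daemon" when the process transitioned to rsync_t,
# "caller" when it stayed in whatever domain launched it.
classify_domain() {
    case "$1" in
        rsync_t) echo daemon ;;
        *)       echo caller ;;
    esac
}

# Constructed sample (not a real capture) in ps -eZ layout:
#   LABEL  PID  TTY  TIME  CMD
SAMPLE_PS='system_u:system_r:rsync_t:s0          1234 ?        00:00:00 rsync
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0    00:00:01 rsync
system_u:system_r:initrc_t:s0           3456 ?        00:00:00 rsync
system_u:system_r:sshd_t:s0-s0:c0.c1023  789 ?        00:00:00 sshd'

# One line per rsync process: PID, domain, and how it got there.
report() {
    printf '%s\n' "$SAMPLE_PS" | rsync_domains | while read -r pid dom; do
        printf '%s %s %s\n' "$pid" "$dom" "$(classify_domain "$dom")"
    done
}

report
```

On a live system, replace the constructed sample with `ps -eZ | rsync_domains`; a backup rsync that shows up as initrc_t or unconfined_t rather than rsync_t was not started through rsyncd.service.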

