"Daniel J Walsh wrote:"
On 01/22/2013 03:36 PM, David Highley wrote:
> "Daniel J Walsh wrote:"
>> On 01/22/2013 12:32 PM, David Highley wrote:
>>> "Daniel J Walsh wrote:"
>>>> On 01/22/2013 09:39 AM, David Highley wrote:
>>>>> "Daniel J Walsh wrote:"
>>>>>> On 01/21/2013 06:13 PM, David Highley wrote:
>>>>>>> "Daniel J Walsh wrote:"
>>>>>>>> On 01/21/2013 12:49 PM, David Highley wrote:
>>>>>>>>> "Daniel J Walsh wrote:"
>>>>>>>>>> On 01/18/2013 09:29 PM, David Highley wrote:
>>>>>>>>>>> "David Highley wrote:"
>>>>>>>>>>>> "Daniel J Walsh wrote:"
>>>>>>>>>>>>> On 01/18/2013 09:20 AM, David Highley wrote:
>>>>>>>>>>>>>> Upgraded a test box to Fedora 18 and have tried to get rsync
>>>>>>>>>>>>>> backups to it working. Looked at many discussions about backing
>>>>>>>>>>>>>> up in a selinux environment and all discussions seemed to be
>>>>>>>>>>>>>> incomplete.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Most indicate you should not keep selinux labels, but none of
>>>>>>>>>>>>>> those discussions indicate what options to change. After working
>>>>>>>>>>>>>> on a thousand line policy file I'm beginning to think you just
>>>>>>>>>>>>>> want to completely turn off any audit of the rsync domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is this how we should approach backups? If you do not preserve
>>>>>>>>>>>>>> selinux labels what should the backup location get labeled to?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm surprised as long as selinux has been in use that a template
>>>>>>>>>>>>>> with details has not been defined for this. By the way I had just
>>>>>>>>>>>>>> submitted an enhancement bug report for rsync with examples of
>>>>>>>>>>>>>> getting it to function with systemd control.
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> selinux mailing list
>>>>>>>>>>>>>> selinux@lists.fedoraproject.org
>>>>>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does this help?
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://danwalsh.livejournal.com/61646.html
>>>>>>>>>>>>
>>>>>>>>>>>> I had found and read this information, but was not sure from it
>>>>>>>>>>>> and the other discussions that it was the right direction and, if
>>>>>>>>>>>> the right direction, that it had complete information for doing
>>>>>>>>>>>> the implementation.
>>>>>>>>>>>>
>>>>>>>>>>>> Has anyone tried this and has it worked out? Do you define the
>>>>>>>>>>>> backup area as unconfined_u and relabel everything to that?
>>>>>>>>>>>
>>>>>>>>>>> OK, making rsync_t an unconfined domain gets rid of the AVCs. I
>>>>>>>>>>> still have concerns that it is just opening up a bad hole in the
>>>>>>>>>>> system. Is there a way of scoping it to only the backup area and/or
>>>>>>>>>>> maybe forcing whatever is copied to a benign state by labeling it
>>>>>>>>>>> to something safe?
>>>>>>>>>>
>>>>>>>>>> Well rsync_t policy is for running rsync as a daemon not as a
>>>>>>>>>> client.
>>>>>>>>>>
>>>>>>>>>> /usr/lib/systemd/system/rsyncd.service
>>>>>>>>>>
>>>>>>>>>> I just checked a fix into the policy so that only rsyncd when run
>>>>>>>>>> as a service will transition to rsync_t. But if you run it from a
>>>>>>>>>> script or an application running as initrc_t, it will stay as the
>>>>>>>>>> current domain.
>>>>>>>>>
>>>>>>>>> Thanks, will check again when it is available. We are using rsync
>>>>>>>>> as a daemon spawned by systemd.
>>>>>>>>>
>>>>>>>>>> If you are only running rsync as a client, adding
>>>>>>>>>> unconfined_domain(rsync_t) will not give it more privs than
>>>>>>>>>> initrc_t already has.
>>>>>>>>
>>>>>>>> Ok then that is different, what is broken for you? Without the
>>>>>>>> unconfined_domain(rsync_t)?
>>>>>>>>
>>>>>>>> Sorry for the confusion.
>>>>>>>
>>>>>>> OK, maybe the issue of confusion is what is the client and what is
>>>>>>> the server in the process. We have systems that we back up to,
>>>>>>> servers. They run rsyncd via systemd port activation requests. We
>>>>>>> have clients that run cron jobs to push backups to one or more backup
>>>>>>> systems.
>>>>>>>
>>>>>>> What we see with Fedora 18 selinux on the backup servers is that it
>>>>>>> blocks everything. When I say everything, it seems to block almost
>>>>>>> all operations from getattr to relabel to unlink, name it, it is
>>>>>>> blocked.
>>>>>>>
>>>>>>> This pretty much just worked for Fedora 16 and 17.
>>>>>>
>>>>>> Could you send me a compressed audit.log?
>>>>>
>>>>> Attached bzip2 file.
>>>>
>>>> This looks like you are having your rsync server accept files from a
>>>> remote machine and then writing them to anywhere on the local machine.
>>>> Meaning you really need to have rules like:
>>>
>>> Not really, the rsync configuration file defines where the backups go
>>> by system all under one directory. So one of my previous questions was
>>> can we identify that area to selinux? Should we relabel the backup
>>> area? If we define it somehow then we assume a complete relabel of the
>>> storage would do the right thing.
>>>
>>>> allow rsync_t file_type:file create_file_perms;
>>>>
>>>> Or a boolean like ftp_full_access
>>>>
>>>> tunable_policy(`ftpd_full_access',`
>>>>     allow ftpd_t self:capability { dac_override dac_read_search };
>>>>     files_manage_non_security_files(ftpd_t)
>>>> ')
>>>>
>>>> For rsync.
>>>>
>>>> I thought the way you were supposed to use rsync was to pick a subdir
>>>> where rsync would write its data to, and then label this rsync_data_t.
>>>> But in your case it looks like the rsync server is trying to maintain
>>>> the labels that it gets from the remote end? If it is not actually
>>>> trying to overwrite local labels.
>>>
>>> Ah, the answer I have been trying to get to. The policies expect the
>>> backup area to be labeled rsync_data_t. So the fix is not to preserve
>>> labels and to define to selinux the backup area by labeling it to
>>> rsync_data_t. That should do it. In all the researching I never found
>>> or remember seeing that the backup area should be labeled
>>> rsync_data_t. Thanks
>>
>> man rsync_selinux
>> ...
>> rsync_data_t
>>
>> - Set files with the rsync_data_t type, if you want to treat the files
>>   as rsync content.
>
> Egg on face, missed that information somehow. Thanks Dan. Now if there
> were just a better/faster way to change the labels to rsync_data_t.
> Still experimenting on rsync options to not preserve labels. There seems
> to be no direct documentation on this. Many references on the internet
> indicate to remove the -X option, but that does not so far seem to be
> the complete answer.
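The two pieces the thread converges on (label the server-side backup area rsync_data_t, and push from the client without preserving extended attributes) put together as an added shell example. This is not code from the thread or from the Fedora policy; the backup path /srv/backup is an assumed placeholder for the "path" of the module in rsyncd.conf, and rsync_xattr_mode is a hypothetical helper that only inspects an option list so the client-side cron command can be checked for -X/--xattrs before it runs.

```shell
#!/bin/sh
# Added example, not from the thread: label a server-side backup area
# rsync_data_t (the type the rsync policy expects, per rsync_selinux(8))
# and check a client-side rsync option list for extended-attribute
# preservation. The backup path is an assumption; use the "path" of the
# module from your rsyncd.conf instead.
set -e

BACKUP_AREA="${BACKUP_AREA:-/srv/backup}"   # assumed location

# Classify an rsync option list: "preserves-xattrs" if -X/--xattrs is
# present (with xattr support compiled in, that copies security.selinux
# from the client and so fights the server's file context), else "plain".
# Note: -a does not imply -X, so a plain "-avz" push is "plain".
rsync_xattr_mode() {
  for opt in "$@"; do
    case "$opt" in
      --xattrs)  echo preserves-xattrs; return 0 ;;
      --*)       ;;                                   # any other long option
      -*X*)      echo preserves-xattrs; return 0 ;;   # short cluster, e.g. -avzX
    esac
  done
  echo plain
}

# Persistently set the file context for the backup area and apply it.
# Needs root; semanage records the rule so a later full relabel keeps it.
label_backup_area() {
  semanage fcontext -a -t rsync_data_t "$1(/.*)?"
  restorecon -Rv "$1"
  ls -dZ "$1"                            # quick check of the resulting label
}

# Client-side push without -X: files created on the server inherit the
# rsync_data_t type from their parent directory instead of carrying the
# client's labels across.
push_backup() {
  rsync -avz --delete "$1" "$2"
}

case "${1:-}" in
  label) label_backup_area "$BACKUP_AREA" ;;
  check) shift; rsync_xattr_mode "$@" ;;
  push)  push_backup "$2" "$3" ;;
  *)     echo "usage: $0 label | check <rsync options> | push <src> <dest>" >&2 ;;
esac
```

Run `label` once on the backup server (as root), then audit the client's cron line with `check`: a result of `preserves-xattrs` means the push will try to write the client's security.selinux values under the rsync_data_t tree, which is exactly the relabel traffic the audit log in the thread showed.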