I'm using Fedora Core 6, and trying to start an rsync daemon via xinetd. The default configuration is:

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#	allows crc checksumming etc.
service rsync
{
	disable         = no
	socket_type     = stream
	wait            = no
	user            = root
	server          = /usr/bin/rsync
	server_args     = --daemon
	log_on_failure  += USERID
}
With this rsyncd.conf:
motd file = /etc/rsyncd.motd
pid file = /var/run/rsyncd.pid
port = 873
uid = rsyncd
gid = mirror
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
read only = yes
hosts allow = 127.0.0.1, ::1, etc....
#hosts deny = 0.0.0.0/0, ::
ignore nonreadable = yes
transfer logging = yes
timeout = 600
dont compress = *

[fedora-linux-core]
path = /srv/ftp/pub/fedora/linux/core
comment = Fedora Linux Core

[fedora-linux-core-updates]
path = /srv/ftp/pub/fedora/linux/core/updates
comment = Fedora Linux Core Updates

[fedora-linux-extras]
path = /srv/ftp/pub/fedora/linux/extras
comment = Fedora Linux Extras

[fedora-linux-core-test]
path = /srv/ftp/pub/fedora/linux/core/test
comment = Fedora Linux Core Test

[fedora-linux-releases]
path = /srv/ftp/pub/fedora/linux/releases
comment = Fedora Linux Releases

[fedora-linux-development]
path = /srv/ftp/pub/fedora/linux/development
comment = Fedora Linux Development

[fedora-enchilada]
path = /srv/ftp/pub/fedora
comment = Fedora - The whole enchilada

[fedora-linux-updates]
path = /srv/ftp/pub/fedora/linux/updates
comment = Fedora Linux Updates

[fedora-web]
path = /srv/ftp/pub/fedora/web
comment = Web content for Fedora Linux mirrors
I get these AVCs when running from xinetd and making a client connection that I don't get if I start the daemon directly via "rsync --daemon" as root:
type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464): path="/var/run/rsyncd.lock"
type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0 ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)
I tried creating and loading a policy module:
# grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd
# semodule -i rsyncd.pp
Here is rsyncd.te:
module rsyncd 1.0;

require {
	type var_run_t;
	type rsync_t;
	class netlink_route_socket create;
	class file { read write };
}

#============= rsync_t ==============
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };
But I still get these AVCs:
type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0 ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)
Additionally, when using xinetd I don't ever get any log messages in /var/log/rsyncd.log like I do when I run "rsync --daemon" directly:
2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873
2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 21:08:13 [8616] building file list
2007/10/11 21:08:13 [8616] sent 1629 bytes  received 106 bytes  total size 19
I still have a problem with rsyncd.lock on Fedora 9.
The symptoms are that after "a while"--several days perhaps, rsync transfers fail with this message:
@ERROR: failed to open lock file
rsync error: error starting client-server protocol (code 5) at main.c(1296) [receiver=2.6.8]
Here is the lock file:
-rw------- root root system_u:object_r:var_run_t:s0 /var/run/rsyncd.lock
AVC messages:
type=AVC msg=audit(1214969369.745:4847): avc: denied { lock } for pid=32590 comm="rsync" path="/var/run/rsyncd.lock" dev=dm-3 ino=106537 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1214969379.283:4850): avc: denied { read write } for pid=32594 comm="rsync" name="rsyncd.lock" dev=dm-3 ino=106537 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
This policy module fixes the issue:
module rsync 1.0;

require {
	type var_run_t;
	type rsync_t;
	class file { read write lock };
}

#============= rsync_t ==============
allow rsync_t var_run_t:file { read write lock };
On Thu, Oct 11, 2007 at 06:01:25PM -0400, Chuck Anderson wrote:
I'm using Fedora Core 6, and trying to start an rsync daemon via xinetd.
type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464): path="/var/run/rsyncd.lock"
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Chuck, the problem here is labeling.
chcon -t rsync_var_run_t /var/run/rsyncd.lock
I will make this the default label in Update 76.
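As an added example (not part of the thread), a small triage script over two of the AVC records quoted above: it parses each record, shows the allow rule audit2allow would emit for it (the approach the rsync policy module in the thread took) and, where a daemon's own file carries a generic type, recommends the relabel from the reply instead. The (rsync_t, var_run_t) -> rsync_var_run_t entry is taken from the chcon line; the PRIVATE_TYPES table is otherwise an assumption of this example.

```python
import re

# Two AVC records copied from the thread (SYSCALL/AVC_PATH companions omitted).
AVC_LINES = [
    'type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" '
    'scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket',
    'type=AVC msg=audit(1214969369.745:4847): avc: denied { lock } for pid=32590 comm="rsync" '
    'path="/var/run/rsyncd.lock" dev=dm-3 ino=106537 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
]

# (source domain, generic target type) -> the domain's private type. The rsync
# entry is the label from the fix in the thread; the table itself is a
# constructed example, not a lookup in the installed policy.
PRIVATE_TYPES = {("rsync_t", "var_run_t"): "rsync_var_run_t"}


def parse_avc(line):
    """Extract denied permissions, source domain, target type/class and object."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": re.search(r"denied \{ ([^}]+) \}", line).group(1).split(),
        # A context is user:role:type[:range]; the type is always field 2.
        "sdom": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "obj": (fields.get("path") or fields.get("name", "")).strip('"'),
    }


def allow_rule(avc):
    """The rule audit2allow would emit for this denial (what the thread's module did)."""
    target = "self" if avc["sdom"] == avc["ttype"] else avc["ttype"]
    return f"allow {avc['sdom']} {target}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"


def recommend(avc):
    """Prefer relabeling the daemon's own file over widening its domain's policy."""
    private = PRIVATE_TYPES.get((avc["sdom"], avc["ttype"]))
    if private and avc["tclass"] == "file" and avc["obj"]:
        # "allow rsync_t var_run_t:file ..." would cover every file under /var/run,
        # not just this lock file; the right label fixes the access cleanly.
        return f"relabel: chcon -t {private} {avc['obj']}"
    return f"review rule: {allow_rule(avc)}"


if __name__ == "__main__":
    for line in AVC_LINES:
        print(recommend(parse_avc(line)))
```

For the netlink bind denial there is no file to relabel, so the script hands back the candidate rule for review rather than deciding for you.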