The biggest problem SELinux has with rsync is that there is no way to distinguish between the client and the server from an SELinux point of view.
rsync as a daemon
If someone sets up an rsync service to listen for connections, they use the /usr/bin/rsync executable. In order to confine this application we label /usr/bin/rsync as rsync_exec_t. The init daemons (init_t, initrc_t) will transition to rsync_t when they execute /usr/bin/rsync. SELinux policy allows rsync_t to share parts of the host, mainly read-only, and allows admins to set up directories labeled rsync_data_t where content could be uploaded to the rsync domain.
There are lots of booleans defined for rsync_t to share data. On Fedora 18, I see:
getsebool -a | grep rsync
postgresql_can_rsync --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off
to see more info.
rsync as a client
If you execute rsync as a client from a user script, everything works fine. Since we do not transition from unconfined_t or other user domains to rsync_t, rsync runs within the user domain and is able to read/write anything the user process label is allowed to read/write.
If a service that SELinux does not have policy for runs within the init system and attempts to use rsync as a client, it can have problems. You see, a service running within the init system that has no policy will run as either init_t or initrc_t. When a process running as init_t or initrc_t executes /usr/bin/rsync (rsync_exec_t), the rsync process will transition to rsync_t and SELinux will treat it as the rsync daemon, not as a client.
There are many possible solutions for this problem.
- Best would be to write policy for the init service that is currently running without confinement. I realize that most users will not do this, but you could contact us for help.
- In RHEL5 you could turn on the rsync_disable_trans boolean, which will stop the transition from initrc_t to rsync_t, so rsync would just run in the initrc_t domain, which by default is an unconfined domain.
- You could use audit2allow to add all of the rules to rsync_t to allow it to run as a client.
- You could change the label of /usr/bin/rsync to bin_t using semanage fcontext -m -t bin_t /usr/bin/rsync which would also stop the transition.
- You could make rsync_t an unconfined domain.
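A triage sketch for the audit2allow option above, added here as an example and not taken from the original post: it groups the AVC denials charged to rsync_t so you can see what the client-side rsync was refused before choosing among the options. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from a real host): an unconfined init
# service ran rsync as a client, so the denials are charged to rsync_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1360000000.101:501): avc:  denied  { read } for  pid=2101 comm="rsync" name="backup" dev="dm-0" ino=1311 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1360000000.102:502): avc:  denied  { read open } for  pid=2101 comm="rsync" name="db.dump" dev="dm-0" ino=1312 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1360000000.103:503): avc:  denied  { name_connect } for  pid=2101 comm="rsync" dest=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1360000000.104:504): avc:  denied  { getattr } for  pid=2101 comm="rsync" path="/var/lib/backup/db.dump" dev="dm-0" ino=1312 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1360000000.105:505): avc:  denied  { write } for  pid=990 comm="httpd" name="tmp" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Permissions, source context, target context and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type="rsync_t"):
    """Group AVC denials charged to source_type by (target type, class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # not a denial, or charged to another domain
        key = (selinux_type(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == "__main__":
    for (ttype, tclass), perms in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        # Printed in allow-rule shape for review; this is not audit2allow output.
        print(f"allow rsync_t {ttype}:{tclass} {{ {' '.join(perms)} }};")
```

Every rule added this way is also granted to the listening rsync daemon, since both run as rsync_t, so review the grouped list before loading a module built from it.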