danwalsh (danwalsh) wrote,

rsync and SELinux

I have been pinged by a couple of users having problems with SELinux and rsync.  We began confining the rsync service back in RHEL5.

The biggest problem SELinux has with rsync is that there is no way to distinguish between the client and the server from an SELinux point of view.

rsync as a daemon

If someone sets up an rsync service to listen for connections, they use the /usr/bin/rsync executable.  In order to confine this application we label /usr/bin/rsync as rsync_exec_t.  The init daemons (init_t, initrc_t) will transition to rsync_t when they execute /usr/bin/rsync. SELinux policy allows rsync_t to share parts of the host, mainly read-only, and allows admins to set up directories labeled rsync_data_t where content can be uploaded to the rsync domain.

There are lots of booleans defined for rsync_t to share data.  On Fedora 18, I see:

getsebool -a | grep rsync
postgresql_can_rsync --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off

Run

man rsync_selinux

to see more info.

rsync as a client

If you execute rsync as a client from a user script, everything works fine. Since we do not transition from unconfined_t or other user domains to rsync_t, rsync runs within the user domain and is able to read/write anything the user process label is allowed to read/write.

If a service that SELinux does not have policy for runs within the init system and attempts to use rsync as a client, it can have problems.  You see, a service running within the init system that has no policy will run as either init_t or initrc_t.  When a process running as init_t or initrc_t executes /usr/bin/rsync (rsync_exec_t), the rsync process will transition to rsync_t and SELinux will treat it as the rsync daemon, not as a client.

There are many possible solutions for this problem. 
  • Best would be to write policy for the init service that is currently running without confinement.  I realize that most users will not do this, but you could contact us for help.
  • In RHEL5 you could turn on the rsync_disable_trans boolean, which will stop the transition from initrc_t to rsync_t, so rsync would just run in the initrc_t domain, which by default is an unconfined domain.
  • You could use audit2allow to add all of the rules to rsync_t to allow it to run as a client.
  • You could change the label of /usr/bin/rsync to bin_t using semanage fcontext -m -t bin_t /usr/bin/rsync, which would also stop the transition.
  • You could make rsync_t an unconfined domain.
There are many ways of fixing this problem.  And perhaps I need to talk to the rsync packagers to see if we could figure a better way of handling this in the future. 
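
Before picking one of these options, it helps to see what is actually being denied to rsync_t. The script below is an added example, not part of the original post: it groups AVC denials whose source domain is rsync_t by class, permission and target type. The sample records are constructed, and the function names and the name_connect heuristic are assumptions of the example.

```bash
# Added example: group AVC denials whose source domain is rsync_t.
# SAMPLE_AUDIT is constructed for illustration; on a real host, feed the
# functions from the audit log (for example /var/log/audit/audit.log).
SAMPLE_AUDIT='type=AVC msg=audit(1358000001.101:410): avc:  denied  { name_connect } for  pid=2101 comm="rsync" dest=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1358000061.330:418): avc:  denied  { name_connect } for  pid=2133 comm="rsync" dest=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1358000090.512:421): avc:  denied  { execute } for  pid=2140 comm="rsync" name="ssh" dev="dm-0" ino=5120 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1358000095.007:422): avc:  denied  { write add_name } for  pid=2141 comm="rsync" name="mirror" dev="dm-0" ino=262 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1358000099.840:423): avc:  denied  { getattr } for  pid=1877 comm="httpd" path="/srv/www/index.html" dev="dm-0" ino=771 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Read audit records on stdin and print one line per distinct denial:
#   count tclass permission target_type
rsync_denials() {
  awk '
    /avc:/ && /denied/ {
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != "rsync_t") next          # only the confined rsync domain
      # The denied permissions sit between "{" and "}".
      lb = index($0, "{"); rb = index($0, "}")
      n = split(substr($0, lb + 1, rb - lb - 1), perm, " ")
      for (j = 1; j <= n; j++) seen[cls " " perm[j] " " tgt]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k2
}

# Heuristic (an assumption of this example): a listening daemon accepts
# connections, so outbound name_connect denials in rsync_t suggest that
# rsync was started as a client from an init_t/initrc_t service.
rsync_client_suspected() {
  rsync_denials | grep -q ' name_connect '
}

printf '%s\n' "$SAMPLE_AUDIT" | rsync_denials
```

Each output line corresponds to a rule that audit2allow would propose for rsync_t, so the summary also shows how much access that option would grant.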
