Linux Archive


Przemyslaw Sztoch 06-28-2008 10:01 AM

rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux
 
Running fully updated Fedora 8, trying to upload some files via rsync, and
getting a couple of denials (on server with xinetd&rsyncd):

avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0
ino=1507433 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0
ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0
ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

avc: denied { execute_no_trans } for pid=20530 comm="rsync"
path="/bin/bash" dev=dm-0
ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0
ino=1507343
scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

My rsyncd.conf:
use chroot = yes
max connections = 50
log file = /var/log/rsync.log
uid = autobackup
gid = users

[autobackup]
path = /opt/autobackup
read only = no
write only = yes
list = no
uid = autobackup
incoming chmod = u=rw,go-rwx
transfer logging = yes
pre-xfer exec = /usr/local/bin/autobackup-hook pre
post-xfer exec = /usr/local/bin/autobackup-hook post

What should I do to use pre/post scripts in rsync?

--
View this message in context: http://www.nabble.com/rsyncd-and-pre-xfer-post-xfer-exec-problem-with-FC8-selinux-tp18161913p18161913.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
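
The five denials in the post above, grouped by source type, target type and object class, similar to the summary `audit2allow` prints. This is an added example, not part of the original thread; the function names are hypothetical. It also reports targets hit with `execute_no_trans`, meaning the hook's shell would run inside `rsync_t` itself rather than in a separate domain.

```python
import re
from collections import defaultdict

# The five AVC records from the post above, mail wrapping rejoined.
_CTX = "scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:"
SAMPLE = "\n".join([
    'avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0 ino=1507433 ' + _CTX + "bin_t:s0 tclass=lnk_file",
    'avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 ' + _CTX + "shell_exec_t:s0 tclass=file",
    'avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 ' + _CTX + "shell_exec_t:s0 tclass=file",
    'avc: denied { execute_no_trans } for pid=20530 comm="rsync" path="/bin/bash" dev=dm-0 ino=1507343 ' + _CTX + "shell_exec_t:s0 tclass=file",
    'avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0 ino=1507343 ' + _CTX + "shell_exec_t:s0 tclass=file",
])

AVC_RE = re.compile(r"\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)\s+"
                    r"tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def se_type(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) per AVC denial."""
    flat = " ".join(text.split())  # undo line wrapping at whitespace
    for record in flat.split("avc: denied")[1:]:
        m = AVC_RE.search(record)
        if m:  # skip truncated records instead of matching into the next one
            yield se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], m["perms"].split()

def group_rules(text):
    rules = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(text):
        rules[(src, tgt, tclass)].update(perms)
    return rules

def render(rules):
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        out.append(f"allow {src} {tgt}:{tclass} "
                   + (p[0] if len(p) == 1 else "{ " + " ".join(p) + " }") + ";")
    return out

def runs_without_transition(rules):
    """Target types executed in the caller's own domain (no domain transition)."""
    return sorted(t for (_, t, _), perms in rules.items() if "execute_no_trans" in perms)

if __name__ == "__main__":
    print("\n".join(render(group_rules(SAMPLE))))
    print("no transition:", runs_without_transition(group_rules(SAMPLE)))
```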

Daniel J Walsh 06-29-2008 12:40 PM

rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux
 
Przemyslaw Sztoch wrote:
> Running fully updated Fedora 8, trying to upload some files via rsync, and
> getting a couple of denials (on server with xinetd&rsyncd):
>
> avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0
> ino=1507433 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
>
> avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0
> ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0
> ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> avc: denied { execute_no_trans } for pid=20530 comm="rsync"
> path="/bin/bash" dev=dm-0
> ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0
> ino=1507343
> scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> My rsyncd.conf:
> use chroot = yes
> max connections = 50
> log file = /var/log/rsync.log
> uid = autobackup
> gid = users
>
> [autobackup]
> path = /opt/autobackup
> read only = no
> write only = yes
> list = no
> uid = autobackup
> incoming chmod = u=rw,go-rwx
> transfer logging = yes
> pre-xfer exec = /usr/local/bin/autobackup-hook pre
> post-xfer exec = /usr/local/bin/autobackup-hook post
>
> What should I do to use pre/post scripts in rsync?
>
Did not know these existed. What do you do in these scripts?


Przemysław Sztoch 06-29-2008 09:15 PM

rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux
 
Daniel J Walsh wrote:
> Przemyslaw Sztoch wrote:
>> What should I do to use pre/post scripts in rsync?
> Did not know these existed. What do you do in these scripts?
I.e. (of course I am talking about rsyncD, not normal rsync mode):
1. Report and e-mail notification.
2. Filter (denial of transmission) - access lists based on bash scripts
(if/test/for/grep etc)


Rsync should have access to bash and to exec a new type for rsync_scripts_t.
Of course a boolean SELinux parameter to enable access to rsync_scripts_t would
be great.


--
Przemysław Sztoch <psztoch!at!finn.pl>
LTC Sp. z o.o.


