01-14-2009, 12:44 AM
Murray McAllister

running rsync as root to preserve contexts

Hi,

I am not sure how rsync works, but should it have to be run as the root
user to preserve contexts?


$ pwd
/home/murray

$ mkdir other
$ ls -dZ other/
drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/

$ touch file && chcon -t samba_share_t file
$ ls -Z file
-rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file

$ rsync -aXHv file other/
sending incremental file list
file

sent 122 bytes received 31 bytes 102.00 bytes/sec
total size is 0 speedup is 0.00
$ ls -Z other/
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file

# samba_share_t type was not preserved.

$ sudo rsync -aXHv file other/
sending incremental file list

sent 128 bytes received 17 bytes 290.00 bytes/sec

# running as sudo sends more bytes (previously 122).

total size is 0 speedup is 0.00
$ ls -Z other/
-rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file

# samba_share_t type was preserved.

I am using:

rsync-3.0.4-0.fc10.i386
openssh-askpass-5.1p1-3.fc10.i386
openssh-5.1p1-3.fc10.i386
openssh-clients-5.1p1-3.fc10.i386
libssh2-0.18-7.fc9.i386
openssh-server-5.1p1-3.fc10.i386

selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch

Cheers.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
01-14-2009, 01:46 PM
Stephen Smalley

running rsync as root to preserve contexts

On Wed, 2009-01-14 at 11:44 +1000, Murray McAllister wrote:
> Hi,
>
> I am not sure how rsync works, but should it have to be run as the root
> user to preserve contexts?

Only if SELinux is disabled. If SELinux is disabled, then you have to
be root or rather have CAP_SYS_ADMIN to set anything in the "security."
namespace. If SELinux is enabled, then a process can set the
security.selinux attribute if it passes a set of SELinux permission
checks based on the SELinux contexts, independent of whether it is root.

I think perhaps the fundamental problem is that they are just trying to
use the generic xattr code rather than providing specific handling for
SELinux contexts using the libselinux interfaces, just as they provide
specific handling for ACLs using libacl.

> $ pwd
> /home/murray
>
> $ mkdir other
> $ ls -dZ other/
> drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/
>
> $ touch file && chcon -t samba_share_t file
> $ ls -Z file
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> $ rsync -aXHv file other/
> sending incremental file list
> file
>
> sent 122 bytes received 31 bytes 102.00 bytes/sec
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file
>
> # samba_share_t type was not preserved.
>
> $ sudo rsync -aXHv file other/
> sending incremental file list
>
> sent 128 bytes received 17 bytes 290.00 bytes/sec
>
> # running as sudo sends more bytes (previously 122).
>
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> # samba_share_t type was preserved.
>
> I am using:
>
> rsync-3.0.4-0.fc10.i386
> openssh-askpass-5.1p1-3.fc10.i386
> openssh-5.1p1-3.fc10.i386
> openssh-clients-5.1p1-3.fc10.i386
> libssh2-0.18-7.fc9.i386
> openssh-server-5.1p1-3.fc10.i386
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
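
The two cases in the reply above can be observed with the same generic xattr calls. This is an added example, not code from the thread or from rsync: it copies the security.selinux attribute from one file to another and classifies the kernel's answer. The function names, the selinuxfs paths checked, and the reading of ENOTSUP as a filesystem without security.* support are assumptions of this example.

```python
import errno
import os

SELINUX_XATTR = "security.selinux"  # xattr holding a file's SELinux context
# selinuxfs mount points: current location, then the older one (assumption)
SELINUXFS = ("/sys/fs/selinux", "/selinux")


def selinux_enabled():
    """True when selinuxfs is mounted, i.e. SELinux is active in the kernel."""
    return any(os.path.exists(os.path.join(p, "enforce")) for p in SELINUXFS)


def explain(err, enabled):
    """Classify a setxattr errno using the two cases from the reply."""
    if err == 0:
        return "set"
    if err == errno.ENOTSUP:
        return "fs-has-no-security-xattrs"
    if err == errno.EPERM and not enabled:
        return "needs-CAP_SYS_ADMIN"       # SELinux disabled: capability check only
    if err == errno.EACCES and enabled:
        return "denied-by-selinux-policy"  # an SELinux permission check failed
    return "other:" + errno.errorcode.get(err, str(err))


def copy_context(src, dst):
    """Copy src's security.selinux value to dst with plain xattr calls.

    Returns (context_or_None, outcome). No uid check is made here: the
    kernel decides whether the write is allowed.
    """
    try:
        raw = os.getxattr(src, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        # e.g. ENODATA when the file carries no stored label
        return None, "no-source-label:" + errno.errorcode.get(e.errno, "?")
    try:
        os.setxattr(dst, SELINUX_XATTR, raw, follow_symlinks=False)
        err = 0
    except OSError as e:
        err = e.errno
    return raw.rstrip(b"\0").decode(), explain(err, selinux_enabled())


if __name__ == "__main__":
    import sys
    print(copy_context(sys.argv[1], sys.argv[2]))
```

On an SELinux-enabled system, a non-root owner whose domain is allowed to relabel the file gets "set" from this script, which matches the reply's point that root is only required when SELinux is disabled.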
