[Gllug] SeLinux and Xinetd & Rsync

Stuart Sears stuart at sjsears.com
Wed May 16 21:46:56 UTC 2007


Alain Williams wrote:
> On Wed, May 16, 2007 at 08:30:49PM +0100, Stuart Sears wrote:
<snip lots of stuff about which info I wanted>

> /etc/rsyncd.conf did not already exist, so I just made my own. I did
> not label it.

did you by any chance create it in /tmp and then mv it into place?
mv usually does not relabel files when moving them.

> avc:  denied  { read } for  pid=10312
This is what rsync tried to do

> comm="rsync" name="rsyncd.conf" dev=dm-0 ino=67420
> scontext=user_u:system_r:rsync_t:s0
This is the security context of the rsync process

> tcontext=user_u:object_r:tmp_t:s0
and this is the security context of the file it is trying to read

tmp_t is normally given to files in /tmp on creation - they pick up the
default context label from their parent directory.

<snip lots of output>
> None of which leaves me much the wiser, how do I label
> /etc/rsyncd.conf & what do I label it as ?

you might try
# restorecon -v /etc/rsyncd.conf
which will set the file's label according to the system policy (and tell
you what it's doing) or if that seems to not help,
# chcon -t etc_t /etc/rsyncd.conf
which may set the file back to what it should have (the semanage command
you ran does not show a specific type for rsync config files, so they
could well just have etc_t (generic /etc) labels).

> I must say that I feel ignorant as to how this all works, is there a
> readable & practical intro that you could recommend ?

well, you could come on one of our courses... :)
failing that, these seem okay...
http://fedoraproject.org/wiki/SELinux/Understanding
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/rhlcommon-chapter-0001.html
which is really long, so could also be found here:
http://tinyurl.com/3yhvtb
(I hope)
there is some interesting stuff at http://www.tresys.com and
http://www.nsa.gov as well.

###### stuff you didn't really ask for ######
a really rough (and I suppose in some ways technically inaccurate) summary:
SELinux (as used in RHEL and its derivatives) is all about security
labels - processes have them (they're known as domains in this context),
and files have them (where we call them types).

The SELinux policy has rules permitting 'source' domains (labels on
running processes) to perform certain actions ('access vectors', like
read, exec, write etc) on 'target' types (labels on files/network
sockets/anything else that a process is attempting to access).
Each domain will have a limited set of permissions, hopefully only those
that it requires to do its job.

restrictions are applied roughly like this (and roughly in this order):
1. does the policy permit rsync_t to read files of this type?
2. does the user/group rsyncd uses have read access to the file?


because it relies on security 'labels', making sure that these are
correct is an important part of policy maintenance. Mostly this should
not involve an enormous amount of extra work but there are some things
that can bite you, one of which is that
mv /tmp/myfile /etc/myfile
will not change the labelling of myfile to reflect that it is now in
/etc rather than /tmp (unless you insist that it should)

Most protected daemons are not permitted to do stuff to files labelled
tmp_t because this can be a security risk.

incidentally rsync_exec_t is the type on a binary (executable) file -
the rsync binary should have this; config files will not.
if you ls -Z on /usr/sbin you should see quite a few *_exec_t labels.
#########################

Well, that's a very long-winded answer, which may contain some useful
info. Hopefully.


Kind Regards

Stuart
-- 
Stuart Sears RHCA RHCSS RHCX STFU PDQ RIAA MP3
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
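The avc denial Stuart walks through above (action, source domain, target type) is the kind of line an admin ends up triaging by hand. The following is an added example, not code from the thread: a small parser that pulls those fields out of an avc line and flags the mislabel case from this thread (a config file still carrying tmp_t) as a restorecon job rather than a policy problem. The sample line is reconstructed from the fields quoted in the post; the tclass= field and the MISPLACED_TYPES list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the fields quoted in the thread, reassembled on one
# line. tclass=file was snipped in the post and is assumed here.
SAMPLE_AVC = (
    'avc:  denied  { read } for  pid=10312 comm="rsync" name="rsyncd.conf" '
    'dev=dm-0 ino=67420 scontext=user_u:system_r:rsync_t:s0 '
    'tcontext=user_u:object_r:tmp_t:s0 tclass=file'
)
# Constructed contrast case: correct label, so the denial is a policy gap.
SAMPLE_AVC_POLICY = (
    'avc:  denied  { write } for  pid=10313 comm="rsync" name="rsyncd.conf" '
    'dev=dm-0 ino=67420 scontext=user_u:system_r:rsync_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

@dataclass
class AvcDenial:
    result: str
    perms: list        # access vectors, e.g. ['read']
    fields: dict       # pid, comm, name, scontext, tcontext, tclass, ...

    @property
    def source_type(self):   # third field of user:role:type:level
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]

def parse_avc(line):
    """Parse one avc line; returns None if it is not an avc message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(m.group('result'), m.group('perms').split(), fields)

# Target types that usually mean the file was created elsewhere and mv'd
# into place without relabelling (assumed list, tmp_t being this thread's case).
MISPLACED_TYPES = {'tmp_t', 'user_tmp_t', 'user_home_t'}

def triage(denial):
    """Mislabelled file -> suggest restorecon; otherwise it is a policy question."""
    if denial.fields.get('tclass') == 'file' and denial.target_type in MISPLACED_TYPES:
        return f"mislabel? run: restorecon -v <path of {denial.fields['name']}>"
    return f"policy: {denial.source_type} lacks {{ {' '.join(denial.perms)} }} on {denial.target_type}"
```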