Re: SELinux in the way of automated rsync

J.L. Coenders wrote:
On Tuesday 01 August 2006 18:15, Paul Howarth wrote:
J.L. Coenders wrote:
On Tuesday 01 August 2006 13:02, Paul Howarth wrote:
J.L. Coenders wrote:
Hi,
I am trying to automate a backup with rsync to a second disc using a
cronjob. I am running fc5. The script works fine when I run it
manually, but if I try to run it as a cronjob it fails with a lot of
rsync errors. When looking at the system logs, I suspect that SELinux
is blocking rsync. How do I correct this?

Messages are like this:

Aug 1 09:09:43 localhost kernel: audit(1154416183.900:651): avc: denied { search } for pid=19905 comm="rsync" name="/" dev=sda1 ino=2
scontext=system_u:system_r:rsync_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir
That may be a labelling problem on your system.

Could anyone show me to some easy to understand explanation of SELinux?
So far I only find quite complex ones.
SELinux isn't simple, so you're unlikely to find a simple explanation
for it.

What is the top-level directory you are trying to copy using rsync?

Paul.
Hehehe, thanks, I already understood that it probably would not be
simple. One of the Linux magazines I consulted said something similar to
that too.

I am trying to rsync my home, /etc and /var directory to a backup drive.
So that would be /home/user, /etc and /var.
There's no way the standard SELinux policy is going to let you do that,
as there are loads of "sensitive" files there that people shouldn't
normally be able to access using the rsync service. Given the number of
different file types involved, particularly for /etc and /var, it's not
practical to change the rsync policy to allow access to all of these files.

One way to fix this would be to disable the transition to the rsync_t
domain, so that rsync ran "unconfined" by SELinux when run from cron,
just as it does when run manually.

That's a bit of a sledgehammer approach though. Can you tell us exactly
how you are trying to do this? rsync command directly in crontab file?
Are you running rsync locally or over the network? Are you using a
wrapper script?

And can you post the output of: "sestatus"

Paul.

Btw, if anyone of you has another way of doing this, I am very willing to explore the options.

Thanks,
Jeroen
rsync policy is for the rsync server not for running it as a client.

The only domain_transition I see is from initrc_t, so if somehow your
cron daemon did not transition this could cause the mess up.

Dan

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
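
An added example, not part of the original thread: a small Python parser for the AVC denial quoted above that pulls out the source domain (rsync_t) and the target type (default_t) the replies discuss. The `triage` tags and the `FALLBACK_TYPES` set are assumptions of this example, not SELinux tooling.

```python
import re

# The denial quoted in the thread, joined onto one line.
SAMPLE = (
    'Aug 1 09:09:43 localhost kernel: audit(1154416183.900:651): avc: denied '
    '{ search } for pid=19905 comm="rsync" name="/" dev=sda1 ino=2 '
    'scontext=system_u:system_r:rsync_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: types usually seen on objects that have no
# matching or valid file context, which points at a labelling problem.
FALLBACK_TYPES = {"default_t", "unlabeled_t", "file_t"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the level may itself contain ':'.
        parts = rec.get(key, "").split(":", 3)
        if len(parts) >= 3:
            rec[key + "_type"] = parts[2]
    return rec


def triage(rec):
    """Tag a parsed denial with hypothetical hints for a first look."""
    tags = []
    if rec.get("tcontext_type") in FALLBACK_TYPES:
        tags.append("target-fallback-label")   # check the target's labelling
    if rec.get("scontext_type") not in (None, "unconfined_t"):
        tags.append("confined-source")         # process ran in a confined domain
    return tags


if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["comm"], record["perms"], record["scontext_type"],
          "->", record["tcontext_type"], record["tclass"], triage(record))
```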