On Wed, 2009-01-14 at 11:44 +1000, Murray McAllister wrote:
> Hi,
>
> I am not sure how rsync works, but should it have to be run as the root
> user to preserve contexts?

Only if SELinux is disabled. If SELinux is disabled, then you have to be root or rather have CAP_SYS_ADMIN to set anything in the "security." namespace. If SELinux is enabled, then a process can set the security.selinux attribute if it passes a set of SELinux permission checks based on the SELinux contexts, independent of whether it is root.

I think perhaps the fundamental problem is that they are just trying to use the generic xattr code rather than providing specific handling for SELinux contexts using the libselinux interfaces, just as they provide specific handling for ACLs using libacl.

> $ pwd
> /home/murray
>
> $ mkdir other
> $ ls -dZ other/
> drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/
>
> $ touch file && chcon -t samba_share_t file
> $ ls -Z file
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> $ rsync -aXHv file other/
> sending incremental file list
> file
>
> sent 122 bytes received 31 bytes 102.00 bytes/sec
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file
>
> # samba_share_t type was not preserved.
>
> $ sudo rsync -aXHv file other/
> sending incremental file list
>
> sent 128 bytes received 17 bytes 290.00 bytes/sec
>
> # running as sudo sends more bytes (previously 122).
>
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> # samba_share_t type was preserved.
>
> I am using:
>
> rsync-3.0.4-0.fc10.i386
> openssh-askpass-5.1p1-3.fc10.i386
> openssh-5.1p1-3.fc10.i386
> openssh-clients-5.1p1-3.fc10.i386
> libssh2-0.18-7.fc9.i386
> openssh-server-5.1p1-3.fc10.i386
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
Stephen Smalley
National Security Agency
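
Added example, not part of the original message and not rsync's code: the generic-xattr approach the reply describes, written in Python with `os.getxattr`/`os.setxattr` on `security.selinux`, followed by a re-read of the destination so that a refused label (as in the non-root run quoted above) is reported instead of silently lost. The function names, status strings and the injectable `getx`/`setx` parameters are assumptions of this example.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # xattr holding a file's SELinux context


def read_context(path, getx=None):
    """Return the context stored on path, or None if the file has none."""
    getx = getx or os.getxattr
    try:
        raw = getx(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None  # unlabeled file, or filesystem without xattr support
        raise
    return raw.rstrip(b"\0").decode()


def copy_context(src, dst, getx=None, setx=None):
    """Copy src's context to dst via generic xattr calls, then verify it.

    Returns (status, wanted_context, context_found_on_dst_afterwards).
    getx/setx are hypothetical hooks so the logic can be tested without SELinux.
    """
    setx = setx or os.setxattr
    want = read_context(src, getx)
    if want is None:
        return ("unlabeled", None, read_context(dst, getx))
    try:
        setx(dst, SELINUX_XATTR, want.encode(), follow_symlinks=False)
    except OSError as e:
        if e.errno not in (errno.EPERM, errno.EACCES):
            raise
        # Refused: per the reply, SELinux disabled needs CAP_SYS_ADMIN for
        # "security.*"; SELinux enabled applies its own permission checks.
        return ("denied", want, read_context(dst, getx))
    got = read_context(dst, getx)
    return ("preserved" if got == want else "mismatch", want, got)


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py SRC DST; exit status is non-zero if the label was lost.
    status, want, got = copy_context(sys.argv[1], sys.argv[2])
    print(f"{status}: wanted {want!r}, destination now has {got!r}")
    sys.exit(0 if status in ("preserved", "unlabeled") else 1)
```

Running it after a copy gives a quick audit of whether the destination kept the source's type, for example `samba_share_t` versus `user_home_t` in the quoted session.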