On Thu, 9 Jul 2009 13:15:08 +1000 Scott Radvan <sradvan@xxxxxxxxxx> wrote:

> Hi all,
>
> Having a bit of trouble with rsync on F11 for the managing confined
> services book I am working on.
>
> I am trying to demonstrate the allow_rsync_anon_write boolean as a
> configuration example by invoking a denial and detailing the
> subsequent work-around, but rsyncd is happily letting me anonymously
> read and write files across the network no matter the state of the
> boolean.
>
> The default install of F11 I'm using as a server has a simple 'files'
> rsyncd module (in daemon mode) set up in rsyncd.conf which by itself
> should allow access anonymously, but my understanding is that SELinux
> should still over-ride this and stop anonymous writes even with this
> loose rsyncd setup.
>
> /etc/rsyncd.conf:
>
> log file = /var/log/rsyncd.log
> pid file = /var/run/rsyncd.pid
> local file = /var/run/rsync.lock
>
> [files]
> path = /srv/files
> comment = file area
> read only = false
>
> From the F11 client:
>
> $ rsync -avHPAX 100M_file <server_addr>::files
> sending incremental file list
> 100M_file
> 104857600 100% 52.37MB/s 0:00:01 (xfer#1, to-check=0/1)
>
> sent 104870493 bytes received 27 bytes 41948208.00 bytes/sec
> total size is 104857600 speedup is 1.00
>
> $
>
> My rsync command is entered so that it will preserve extended
> attributes (-X) and ACLs (-A), as shown in rsync(1).
>
> But I am getting no denials or errors, SELinux does not seem to be
> having a problem with me doing anonymous writes/reads with
> allow_rsync_anon_write --> off
>
> Perhaps I'm doing something wrong altogether, or misinterpreting this
> boolean, but I would have thought SELinux would have a problem with me
> performing this rsync operation while that boolean is off.
>
> Further, rsync_selinux(8) says:
>
> "SELinux requires files to have an extended attribute to define the
> file type. Policy governs the access daemons have to these files. If
> you want to share files using the rsync daemon, you must label the
> files and directories public_content_t"
>
> But my manually-created path for rsync files is var_t, as is the file
> I copied over, with no denial mentioning public_content_t - is this
> man page out of date?
>
> My problem is that it all works too easily! I would have thought
> SELinux would not at all be happy with what I'm doing, but I'm yet to
> get a single denial.

The boolean controls the rsync daemon's ability to write to public_content_rw_t files. The "anon" part of the boolean's name is historical baggage really - it's nothing to do with how the rsync daemon's authentication is set up.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
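The exchange above turns on two things a reviewer of an rsync daemon host wants to check together: which rsyncd.conf modules are writable, and whether each module's path actually carries the type the policy and rsync_selinux(8) expect (public_content_t for read-only shares, public_content_rw_t for writable ones, with allow_rsync_anon_write then gating the daemon's writes). The script below is an added example, not code from the thread or from the rsync or SELinux projects: it parses an rsyncd.conf, reads each path's security.selinux xattr (the same source `ls -Z` shows), flags mismatches, and prints the remediation commands. The sample configuration is constructed to mirror the one Scott posted, and the expected-type mapping is taken from Paul's reply and the man page quote; the parser, the `label_reader` hook and the function names are my own.

```python
"""Audit rsyncd.conf modules against the SELinux file types the rsync
policy expects.  Added example for the thread above; not project code."""
import configparser
import os

# Constructed sample rsyncd.conf mirroring the one in the thread, plus a
# second, read-only module so both label expectations are exercised.
SAMPLE_CONF = """\
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock

[files]
path = /srv/files
comment = file area
read only = false

[pub]
path = /srv/pub
read only = yes
"""

# rsyncd accepts these spellings for a true boolean parameter value.
RSYNC_TRUE = {"yes", "true", "1"}


def parse_rsyncd_conf(text):
    """Return {module: {param: value}} for every [module] section.
    rsyncd.conf is ini-like; global parameters precede the first section,
    so a synthetic [global] header is prepended for configparser's sake."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    return {sec: dict(cp[sec]) for sec in cp.sections() if sec != "global"}


def is_writable(params):
    """rsyncd defaults 'read only' to true, so a module is writable only
    when the parameter is explicitly set to a false value."""
    return params.get("read only", "true").strip().lower() not in RSYNC_TRUE


def expected_type(params):
    """Type rsync_selinux(8) and the reply above expect on the share path."""
    return "public_content_rw_t" if is_writable(params) else "public_content_t"


def current_type(path):
    """Read the security.selinux xattr and return its type field, or None
    when it cannot be read (no SELinux, non-Linux host, missing path)."""
    try:
        ctx = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    # Context is user:role:type:level, NUL-terminated on disk.
    return ctx.decode().rstrip("\x00").split(":")[2]


def audit(conf_text, label_reader=current_type):
    """One row per module; 'mismatch' is only raised when a label was
    actually readable, so an unlabelled host does not produce false alarms."""
    rows = []
    for name, params in parse_rsyncd_conf(conf_text).items():
        path = params.get("path")
        expected = expected_type(params)
        actual = label_reader(path) if path else None
        rows.append({
            "module": name, "path": path, "writable": is_writable(params),
            "expected": expected, "actual": actual,
            "mismatch": actual is not None and actual != expected,
        })
    return rows


def remediation(row):
    """Commands that bring a mismatched module into line with policy:
    a persistent file context, a relabel, and for writable modules the
    boolean that permits the daemon to write public_content_rw_t files."""
    cmds = [
        f'semanage fcontext -a -t {row["expected"]} "{row["path"]}(/.*)?"',
        f'restorecon -Rv {row["path"]}',
    ]
    if row["writable"]:
        cmds.append("setsebool -P allow_rsync_anon_write on")
    return cmds


if __name__ == "__main__":
    # On a real host read /etc/rsyncd.conf instead of the constructed sample.
    for row in audit(SAMPLE_CONF):
        state = "MISMATCH" if row["mismatch"] else "ok/unknown"
        print(f'[{row["module"]}] {row["path"]}: expected {row["expected"]}, '
              f'found {row["actual"]} -> {state}')
        if row["mismatch"]:
            print("   " + "\n   ".join(remediation(row)))
```

Run against the thread's setup, the script reports `/srv/files` as var_t where public_content_rw_t is expected, which is exactly why no public_content_t denial appears: the daemon is never touching files of the type the boolean governs. Relabelling the path with the printed `semanage`/`restorecon` pair is what makes allow_rsync_anon_write observable, with writes denied while the boolean is off and allowed once it is set.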