On 08/14/2009 07:55 AM, Stephen Smalley wrote:
> On Wed, 2009-08-12 at 16:36 -0400, Daniel J Walsh wrote:
>> On 08/11/2009 05:30 PM, Mike Cloaked wrote:
>>>
>>> Mike Cloaked wrote:
>>>>
>>>> Machines on the LAN have been running backups across the network using an
>>>> rsync command within a script which essentially does:
>>>> rsync --delete -aXH --exclude blah /opt home1:/media/usbdrive/BACKUPS/myhostname
>>>> and similar for other directories.
>>>>
>>>> This has worked fine until I installed F11 on some of the machines in the
>>>> LAN, with ext4 filesystems on them.
>>>>
>>>> Trying the same thing in this case gave AVC denials on the machine
>>>> (running F10) to which the external usb drive was attached (and with
>>>> an ext3 filesystem to take the backups).
>>>>
>>>> The AVC contained:
>>>> Summary
>>>> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
>>>>
>>>
>>> I wonder if this is related to
>>> https://bugzilla.redhat.com/show_bug.cgi?id=510649
>>
>> Yes, you are trying to put F11 labels on an F10 box. Just set up rsync to
>> not maintain labels.
>
> Isn't this scenario one of the reasons why we introduced the deferred
> context mapping support? If he allowed rsync mac_admin permission, it
> could in fact store the unknown labels on disk on the F10 box and later
> read them for restoring to the F11 system, right?
>
Yes, that would work, but I thought we were frowning on this. The files would
also be unusable by any confined processes on the F10 machine. I am not sure
what would happen with the "association denied" errors.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
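
The following is an added example, not part of the original thread or of any poster's message: a small triage script that picks `mac_admin` denials like the one reported above out of audit records and groups them by command and source domain. The sample log lines are constructed for illustration and assume the usual `audit.log` AVC record layout; the function name is hypothetical.

```python
import re

# Constructed sample records (not from the thread), shaped like audit.log AVC lines.
SAMPLE_LOG = """\
type=AVC msg=audit(1250100000.101:201): avc:  denied  { mac_admin } for  pid=4312 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2
type=AVC msg=audit(1250100003.417:202): avc:  denied  { read } for  pid=4400 comm="httpd" name="index.html" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1250100009.880:203): avc:  denied  { mac_admin } for  pid=4312 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2
"""

# Pull the denied permission set, command name, source context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def mac_admin_denials(log_text):
    """Return {(comm, source_type): count} for denied mac_admin checks."""
    hits = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms = m.group("perms").split()
        if "mac_admin" not in perms or m.group("tclass") != "capability2":
            continue
        # An SELinux context is user:role:type[:level]; the type is field 3.
        fields = m.group("scontext").split(":")
        stype = fields[2] if len(fields) > 2 else m.group("scontext")
        key = (m.group("comm"), stype)
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (comm, stype), n in sorted(mac_admin_denials(SAMPLE_LOG).items()):
        print(f"{n} mac_admin denial(s): comm={comm} domain={stype} "
              "(a process tried to set a label this policy does not define)")
```

A hit for `rsync` on the backup host points at labels being copied from a machine with a different policy; `-X` in the rsync command quoted above is the option that carries extended attributes across.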