"Daniel J Walsh wrote:"
>
> On 01/18/2013 09:29 PM, David Highley wrote:
> > "David Highley wrote:"
> >>
> >> "Daniel J Walsh wrote:"
> >>>
> > On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>> Upgraded a test box to Fedora 18 and have tried to get rsync
> >>>>> backups to it working. Looked at many discussions about backing up
> >>>>> in a selinux environment and all discussions seemed to be
> >>>>> incomplete.
> >>>>>
> >>>>> Most indicate you should not keep selinux labels, but none of those
> >>>>> discussions indicate what options to change. After working on a
> >>>>> thousand line policy file I'm beginning to think you just want to
> >>>>> completely turn off any audit of the rsync domain.
> >>>>>
> >>>>> Is this how we should approach backups? If you do not preserve
> >>>>> selinux labels what should the backup location get labeled to?
> >>>>>
> >>>>> I'm surprised as long as selinux has been in use that a template
> >>>>> with details has not been defined for this. By the way I had just
> >>>>> submitted an enhancement bug report for rsync with examples of
> >>>>> getting it to function with systemd control.
> >>>>> --
> >>>>> selinux mailing list
> >>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>
> > Does this help?
> >
> > http://danwalsh.livejournal.com/61646.html
> >>>
> >>> I had found and read this information, but was not sure from it and the
> >>> other discussions that it was the right direction and if the right
> >>> direction that it had complete information for doing the
> >>> implementation.
> >>>
> >>> Has anyone tried this and has it worked out? Do you define the backup
> >>> area as unconfined_u and relabel everything to that?
> >>>
> >
> >> OK, making rsync_t an unconfined domain gets rid of the AVCs. I still
> >> have concerns that it is just opening up a bad hole in the system. Is
> >> there a way of scoping it to only the backup area and/or maybe forcing
> >> whatever is copied to a benign state by labeling it to something safe?
> >
>
> Well rsync_t policy is for running rsync as a daemon not as a client.
>
> /usr/lib/systemd/system/rsyncd.service
>
> I just checked a fix into the policy so that only rsyncd when run as a service
> will transition to rsync_t. But if you run it from a script or an application
> running as initrc_t, it will stay as the current domain.

Thanks, will check again when it is available. We are using rsync as a
daemon spawned by systemd.

>
> If you are only running rsync as a client, adding unconfined_domain(rsync_t)
> will not give it more privs than initrc_t already has.
>

--
Regards,
David Highley
Highley Recommended, Inc.
Phone: (206) 669-0081
2927 SW 339th Street
WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
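
An added example, not part of the original thread or of the SELinux policy project: a simplified version of the aggregation that audit2allow performs, showing which allow rules a scoped rsync_t policy would need as the alternative to unconfined_domain(rsync_t). The AVC records are constructed samples, and the default_t/var_t labels on the backup path are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC records for illustration; labels on the backup path are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358550000.101:210): avc:  denied  { search } for  pid=2101 comm="rsync" name="backup" dev="dm-0" ino=1311 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1358550000.102:211): avc:  denied  { write } for  pid=2101 comm="rsync" name="host1" dev="dm-0" ino=2200 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1358550000.103:212): avc:  denied  { add_name } for  pid=2101 comm="rsync" name=".etc.tar.Xa1" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1358550000.104:213): avc:  denied  { create write } for  pid=2101 comm="rsync" name=".etc.tar.Xa1" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1358550000.105:214): avc:  denied  { write } for  pid=987 comm="httpd" name="upload" dev="dm-0" ino=3300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    # Context is user:role:type[:level]; the MLS level may itself contain ':'.
    return context.split(":")[2]


def summarize_denials(log_text, domain="rsync_t"):
    """Return {(target_type, tclass): set(perms)} for denials whose source is `domain`.

    rsync only carries rsync_t when started as the daemon; run from a script
    it stays in the caller's domain, so pass that domain instead.
    """
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m.group("scon")) != domain:
            continue
        key = (selinux_type(m.group("tcon")), m.group("tclass"))
        needed[key].update(m.group("perms").split())
    return dict(needed)


def allow_rules(needed, domain="rsync_t"):
    """Render the aggregated denials as policy allow statements, sorted for stable output."""
    return [
        "allow %s %s:%s { %s };" % (domain, ttype, tclass, " ".join(sorted(perms)))
        for (ttype, tclass), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each distinct target type in the output is a label the confined daemon touches, so a backup area carrying one dedicated label collapses the rule set to that single type.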