On 01/21/2013 12:49 PM, David Highley wrote:
> "Daniel J Walsh wrote:"
>>
> On 01/18/2013 09:29 PM, David Highley wrote:
>>>> "David Highley wrote:"
>>>>>
>>>>> "Daniel J Walsh wrote:"
>>>>>>
>>>> On 01/18/2013 09:20 AM, David Highley wrote:
>>>>>>>> Upgraded a test box to Fedora 18 and have tried to get rsync
>>>>>>>> backups to it working. Looked at many discussions about
>>>>>>>> backing up in a selinux environment and all discussions
>>>>>>>> seemed to be incomplete.
>>>>>>>>
>>>>>>>> Most indicate you should not keep selinux labels, but none of
>>>>>>>> those discussions indicate what options to change. After
>>>>>>>> working on a thousand line policy file I'm beginning to think
>>>>>>>> you just want to completely turn off any audit of the rsync
>>>>>>>> domain.
>>>>>>>>
>>>>>>>> Is this how we should approach backups? If you do not
>>>>>>>> preserve selinux labels what should the backup location get
>>>>>>>> labeled to?
>>>>>>>>
>>>>>>>> I'm surprised as long as selinux has been in use that a
>>>>>>>> template with details has not been defined for this. By the
>>>>>>>> way I had just submitted an enhancement bug report for rsync
>>>>>>>> with examples of getting it to function with systemd control.
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>> Does this help?
>>>>
>>>> http://danwalsh.livejournal.com/61646.html
>>>>>>
>>>>>> I had found and read this information, but was not sure from it
>>>>>> and the other discussions that it was the right direction and if
>>>>>> the right direction that it had complete information for doing
>>>>>> the implementation.
>>>>>>
>>>>>> Has anyone tried this and has it worked out? Do you define the
>>>>>> backup area as unconfined_u and relabel everything to that?
>>>>>>
>>>>
>>>>> OK, making rsync_t an unconfined domain gets rid of the AVCs. I
>>>>> still have concerns that it is just opening up a bad hole in the
>>>>> system. Is there a way of scoping it to only the backup area and
>>>>> or maybe forcing whatever is copied to a benign state by labeling
>>>>> it to something safe?
>>>>
>
> Well rsync_t policy is for running rsync as a daemon not as a client.
>
> /usr/lib/systemd/system/rsyncd.service
>
> I just checked a fix into the policy so that only rsyncd when run as a
> service will transition to rsync_t. But if you run it from a script or an
> application running as initrc_t, it will stay as the current domain.
>
>> Thanks, will check again when it is available. We are using rsync as
>> daemon spawned by systemd.
>
>
> If you are only running rsync as a client, adding
> unconfined_domain(rsync_t) will not give it more privs than initrc_t
> already has.
>>
>

Ok then that is different, what is broken for you? Without the unconfined_domain(rsync_t)?

Sorry for the confusion.