Re: Backups with rsync totally broken in Fedora 18

"Daniel J Walsh wrote:"
> 
> 
> On 01/21/2013 12:49 PM, David Highley wrote:
> > "Daniel J Walsh wrote:"
> >> 
> > On 01/18/2013 09:29 PM, David Highley wrote:
> >>>> "David Highley wrote:"
> >>>>> 
> >>>>> "Daniel J Walsh wrote:"
> >>>>>> 
> >>>> On 01/18/2013 09:20 AM, David Highley wrote:
> >>>>>>>> Upgraded a test box to Fedora 18 and have tried to get rsync 
> >>>>>>>> backups to it working. Looked at many discussions about
> >>>>>>>> backing up in a selinux environment and all discussions
> >>>>>>>> seemed to be incomplete.
> >>>>>>>> 
> >>>>>>>> Most indicate you should not keep selinux labels, but none of
> >>>>>>>> those discussions indicate what options to change. After
> >>>>>>>> working on a thousand line policy file I'm beginning to think
> >>>>>>>> you just want to completely turn off any audit of the rsync
> >>>>>>>> domain.
> >>>>>>>> 
> >>>>>>>> Is this how we should approach backups? If you do not
> >>>>>>>> preserve selinux labels what should the backup location get
> >>>>>>>> labeled to?
> >>>>>>>> 
> >>>>>>>> I'm surprised as long as selinux has been in use that a
> >>>>>>>> template with details has not been defined for this. By the
> >>>>>>>> way I had just submitted an enhancement bug report for rsync
> >>>>>>>> with examples of getting it to function with systemd control.
> >>>>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> >>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>> 
> >>>> Does this help?
> >>>> 
> >>>> http://danwalsh.livejournal.com/61646.html
> >>>>>> 
> >>>>>> I had found and read this information, but was not sure from it
> >>>>>> and the other discussions that it was the right direction and if
> >>>>>> the right direction that it had complete information for doing
> >>>>>> the implementation.
> >>>>>> 
> >>>>>> Has anyone tried this and has it worked out? Do you define the
> >>>>>> backup area as unconfined_u and relabel everything to that?
> >>>>>> 
> >>>> 
> >>>>> OK, making rsync_t an unconfined domain gets rid of the AVCs. I
> >>>>> still have concerns that it is just opening up a bad hole in the
> >>>>> system. Is there a way of scoping it to only the backup area and/or
> >>>>> maybe forcing whatever is copied to a benign state by labeling
> >>>>> it to something safe?
> >>>> 
> >>>>>> 
> >>>> 
> > 
> > Well, rsync_t policy is for running rsync as a daemon, not as a client.
> > 
> > /usr/lib/systemd/system/rsyncd.service
> > 
> > I just checked a fix into the policy so that only rsyncd when run as a
> > service will transition to rsync_t.  But if you run it from a script or an
> > application running as initrc_t, it will stay in the current domain.
> > 
> >> Thanks, will check again when it is available. We are using rsync as a
> >> daemon spawned by systemd.
> > 
> > 
> > If you are only running rsync as a client, adding
> > unconfined_domain(rsync_t) will not give it more privs than initrc_t
> > already has.
> >> 
> > 
> > 
> 
> OK, then that is different. What is broken for you without the
> unconfined_domain(rsync_t)?
> 
> Sorry for the confusion.

OK, maybe the source of confusion is what is the client and what is the
server in the process. We have systems that we back up to, the servers. They
run rsyncd via systemd port activation requests. We have clients that
run cron jobs to push backups to one or more backup systems.

What we see with Fedora 18 is that selinux on the backup servers blocks
everything. When I say everything, it seems to block almost all
operations, from getattr to relabel to unlink; name it, it is blocked.

This pretty much just worked for Fedora 16 and 17.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
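Before choosing between unconfined_domain(rsync_t) and a scoped policy, the check a practitioner wants is the actual scope of the denials: which permissions, object classes and target types the rsync_t domain is being refused. The shell example below is added here and is not code from the thread or from the Fedora policy; it summarises constructed AVC lines for one source domain, and the names `avc_summary`, `rsync_denials` and `SAMPLE_AVC` are mine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the AVC denials logged
# against one SELinux domain (here rsync_t on the backup server) so the
# scope of what is blocked is visible before any policy change is made.
# The audit lines below are constructed samples in the normal AVC format;
# on a real host, pipe in `ausearch -m avc -ts recent` instead.

SAMPLE_AVC='type=AVC msg=audit(1358800000.123:456): avc:  denied  { getattr } for  pid=1234 comm="rsync" path="/backup/etc/passwd" scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1358800000.124:457): avc:  denied  { relabelto } for  pid=1234 comm="rsync" name="passwd" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1358800000.125:458): avc:  denied  { unlink } for  pid=1234 comm="rsync" name=".passwd.tmp" scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1358800000.126:459): avc:  denied  { getattr } for  pid=1234 comm="rsync" path="/backup/etc/hosts" scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1358800000.127:460): avc:  denied  { read } for  pid=999 comm="httpd" path="/srv/www/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_summary DOMAIN  (reads audit lines on stdin)
# Keeps only denials whose source type is DOMAIN and prints one line per
# distinct "permission tclass target_type", most frequent first, e.g.
#   2 getattr file default_t
avc_summary() {
    domain="$1"
    grep 'avc: *denied' \
    | grep "scontext=[^:]*:[^:]*:${domain}:" \
    | sed -n 's/.*{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\1 \3 \2/p' \
    | sort | uniq -c | sort -rn
}

# Convenience wrapper over the constructed sample for the rsync_t domain;
# the httpd_t line is deliberately present and must be filtered out.
rsync_denials() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary rsync_t
}

rsync_denials
```

Confirm first that the daemon really runs as rsync_t (`ps -eZ | grep rsync`), since the policy point in the thread is that only rsyncd started as a service gets that domain.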