On 02/14/2017 05:16 AM, Sachin Gaikwad wrote:
> Hi all,
>
> I am running a daemon process (C++ program) on RHEL 6.6 with SELinux enabled. This process eventually executes "rsync" to do a file-copy operation. It is failing with the following error:
Do you have SELinux policy for that daemon?
> ---------------------------------/8</--------------------------------------------
> rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
> rsync: ERROR: cannot stat destination "/mnt/other_volume/testData": Permission denied (13).
> ---------------------------------/8</--------------------------------------------
>
> Question: Why is rsync failing with this error? I checked permissions of "source" and "target" and both have permissions for the user.
Your daemon runs in some SELinux domain and this domain doesn't have access to /home/foobar/source and /mnt/other_volume/testData.
Could you reproduce the scenario and then attach the output of:

# ausearch -m AVC -ts recent
> Other testing data:
> 1) I tested this with "SELinux" disabled and rsync succeeds.
> 2) I tested this with "SELinux" enabled and launching the process from a terminal. In this case "rsync" works fine. So, it looks like it is something to do with "SELinux permissions" for a process which does not have a tty?
There is a difference between running the daemon using the "service" command and running it from a terminal.
If you run it from a terminal, in most cases the daemon will inherit the user's SELinux domain, which in "99%" of cases is the unconfined_t domain. SELinux is not in play when you run it from a terminal.
> 3) On another system, RHEL 6.8, SELinux enabled, process as daemon: rsync works fine. I compared the SELinux configuration of both these systems, but couldn't find anything to reason it out. If you need, I can attach the SELinux configurations.
Okay, I would say the issue will be in the old policy from RHEL-6.6, but if you attach the AVCs, we can create a workaround for you.
Thanks, Lukas.
> Thanks in advance,
> Sachin
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
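
The AVC records requested in the reply above name the daemon's domain, the type of the object it was denied, and the permission involved. The following is an added example, not part of the thread or of any SELinux tool: a Python script that groups records in the `ausearch -m AVC` text format by process, source domain, target type and class. The sample records, the domain `mydaemon_t` and the target types are constructed placeholders, not values reported in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the text format printed by `ausearch -m AVC`.
# mydaemon_t, user_home_dir_t and mnt_t are placeholders, not data from the thread.
SAMPLE = """\
type=AVC msg=audit(1487060000.101:501): avc:  denied  { search } for  pid=4242 comm="rsync" name="foobar" dev=dm-0 ino=131 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1487060000.105:502): avc:  denied  { getattr } for  pid=4242 comm="rsync" path="/mnt/other_volume/testData" dev=sdb1 ino=2 scontext=system_u:system_r:mydaemon_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1487060003.200:517): avc:  denied  { search } for  pid=4250 comm="rsync" name="foobar" dev=dm-0 ino=131 scontext=system_u:system_r:mydaemon_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1487060003.200:517): arch=c000003e syscall=80 success=no exit=-13 comm="rsync"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group AVC denials by (comm, source domain, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL, PATH and other non-AVC records
        key = (m["comm"], context_type(m["scontext"]),
               context_type(m["tcontext"]), m["tclass"])
        summary[key]["perms"].update(m["perms"].split())
        summary[key]["count"] += 1
    return dict(summary)

def report(summary):
    """Render one line per group: who was denied what, on which type."""
    lines = []
    for (comm, src, tgt, cls), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        lines.append(f"{comm}: {src} -> {tgt}:{cls} {{ {perms} }} x{info['count']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize_denials(SAMPLE))))
```

When the daemon is started from a terminal the source domain in such records would be the inherited user domain rather than the daemon's own, which is why comparing the `scontext` of the two launch methods is the first thing to check.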