Re: SELinux enabled + rsync + Permission denied (13)

On Tue, Feb 14, 2017 at 2:42 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
On 02/14/2017 05:16 AM, Sachin Gaikwad wrote:
Hi all,

I am running a daemon process (C++ program) on RHEL 6.6 with SELinux
enabled. This process eventually executes "rsync" to do a file-copy
operation. It is failing with the following error:


Do you have SELinux policy for that daemon?


---------------------------------/8</--------------------------------------------

rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
rsync: ERROR: cannot stat destination "/mnt/other_volume/testData":
Permission denied (13).

---------------------------------/8</--------------------------------------------

Question: Why is rsync failing with this error? I checked permissions of
"source" and "target" and both have permissions for the user.


Your daemon runs in some SELinux domain and this domain doesn't have access to /home/foobar/source and /mnt/other_volume/testData.

Could you reproduce the scenario and then attach output of:
# ausearch -m AVC -ts recent


Other testing data:

1) I tested this with "SELinux" disabled and rsync succeeds.

2) I tested this with "SELinux" enabled and launching the process from a
terminal. In this case "rsync" works fine. So, it looks like it has
something to do with "SELinux permissions" for processes which do not have a tty?


There is a difference between running the daemon using the "service" command and running it from a terminal.

If you run it from a terminal, in most cases the daemon will inherit the user's SELinux domain, which in "99%" of cases is the unconfined_t domain. SELinux is not in the game when you run it from a terminal.

3) On another system, RHEL 6.8, SELinux enabled, process run as a daemon: rsync
works fine. I compared the SELinux configuration of both these systems, but
couldn't find anything to reason it out. If you need, I can attach the
SELinux configurations.


Okay, I would say the issue will be in the old policy from RHEL-6.6, but if you attach the AVCs, we can create a workaround for you.


Sorry for the late response on this one. Here is the AVC output when the rsync error happens:

bash # sudo ausearch -m USER_AVC,AVC,SELINUX_ERR --start recent
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.713:582): arch=c000003e syscall=80
success=no exit=-13 a0=245a9d0 a1=1 a2=0 a3=383437432d363339 items=0
ppid=5306 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.713:582): avc:  denied  { search } for
pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173
scontext=system_u:system_r:rsync_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.714:583): arch=c000003e syscall=80
success=no exit=-13 a0=245a9b0 a1=1 a2=0 a3=ffffffff items=0 ppid=5306
pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.714:583): avc:  denied  { search } for
pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173
scontext=system_u:system_r:rsync_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Thu Mar 23 06:18:00 2017
type=SYSCALL msg=audit(1490264280.714:584): arch=c000003e syscall=4
success=no exit=-13 a0=2459360 a1=7fff5e86f6b0 a2=7fff5e86f6b0 a3=0
items=0 ppid=5308 pid=5309 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1490264280.714:584): avc:  denied  { getattr } for
pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm"
dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir

Sachin 

 

Thanks,
Lukas.

Thanks in advance,

Sachin


_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org



--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
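The AVCs above already contain the whole answer: rsync is confined in rsync_t (the rsync executable has a domain transition, so the daemon's unconfined-looking context is irrelevant once rsync starts), and rsync_t has no "search" on the serviceuser home directory (user_home_dir_t) and no "getattr" on the /tmp directory the daemon created (initrc_tmp_t, which also tells you the daemon itself runs as initrc_t). The script below is an added example, not code from this thread or from Red Hat: it performs by hand the mapping audit2allow does from AVC records to a loadable policy module, so the exact policy gap behind "Permission denied (13)" is visible without the tool. The three AVC records are the ones Sachin posted, joined back onto one line each (ausearch prints one record per line; the mail client wrapped them) and embedded as sample input so the script runs offline; the module name rsync_local is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): AVC "denied" records -> allow rules
# -> policy module source, the same mapping "audit2allow -M" performs.
# On a real host replace AVC_SAMPLE with:  ausearch -m AVC -ts recent
export LC_ALL=C   # deterministic sort order

# Constructed sample input: the three records from the thread, one per line.
AVC_SAMPLE='type=AVC msg=audit(1490264280.713:582): avc:  denied  { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:583): avc:  denied  { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:584): avc:  denied  { getattr } for pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm" dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir'

# avc_to_rules: stdin = audit records; stdout = one line per distinct
# "<source type> <target type> <class> <permission>", sorted, with the
# repeated search denial collapsed.  A TE rule only needs the type field
# of each context, so user, role and level are dropped here.
avc_to_rules() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)   # text inside { }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "scontext") src = v
            else if (k == "tcontext") tgt = v
            else if (k == "tclass") cls = v
        }
        split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) print s[3], t[3], cls, p[j]
    }' | sort -u
}

# avc_to_te: stdin = audit records; stdout = complete module source (.te)
# named $1: a require block listing every type and class/permission used,
# then one allow rule per (source, target, class) with its permissions.
avc_to_te() {
    rules=$(avc_to_rules)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '{ print $1; print $2 }' | sort -u \
        | sed 's/^/    type /; s/$/;/'
    printf '%s\n' "$rules" | awk '{ print $3, $4 }' | sort -u \
        | awk '$1 != c { if (c != "") printf " };\n"; c = $1; printf "    class %s {", c }
               { printf " %s", $2 }
               END { if (c != "") printf " };\n" }'
    printf '}\n\n'
    printf '%s\n' "$rules" \
        | awk '{ key = $1 " " $2 ":" $3 }
               key != k { if (k != "") printf " };\n"; k = key; printf "allow %s {", key }
               { printf " %s", $4 }
               END { if (k != "") printf " };\n" }'
}

# Stand-alone run: print the module source for the sample records.
# To load it on the host (needs policycoreutils / checkpolicy):
#   checkmodule -M -m -o rsync_local.mod rsync_local.te
#   semodule_package -o rsync_local.pp -m rsync_local.mod
#   semodule -i rsync_local.pp
printf '%s\n' "$AVC_SAMPLE" | avc_to_te rsync_local
```

Two checks belong before loading anything generated this way. First, confirm the daemon's actual domain with `ps -eZ | grep <daemon>` and compare a terminal launch (`id -Z`, normally unconfined_t) with the `service` launch; the initrc_tmp_t label on the /tmp directory is consistent with Lukas's point that the service-started daemon is confined while the terminal-started one is not. Second, look for a policy boolean that already covers the case (`getsebool -a | grep rsync`; the rsync policy ships tunables such as rsync_full_access where your policy version provides them) before adding a local module, because a boolean is maintained by the distribution policy and a hand-written allow rule is not. The rules the script emits are deliberately the narrowest that the AVCs justify (two permissions on two types), and adding anything broader than what a denial shows defeats the point of confining rsync in the first place.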
