----- Original Message -----
> From: "Sachin Gaikwad" <sachin.kernel@xxxxxxxxx>
> To: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Friday, March 24, 2017 6:31:45 AM
> Subject: Re: SELinux enabled + rsync + Permission denied (13)
>
> On Tue, Feb 14, 2017 at 2:42 PM, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>
> > On 02/14/2017 05:16 AM, Sachin Gaikwad wrote:
> >
> > > Hi all,
> > >
> > > I am running a daemon process (C++ program) on RHEL 6.6 with SELinux
> > > enabled. This process eventually executes "rsync" to do a file-copy
> > > operation. It is failing with the following error:
> >
> > Do you have an SELinux policy for that daemon?
> >
> > > ---------------------------------/8</--------------------------------------------
> > >
> > > rsync: change_dir "/home/foobar/source/" failed: Permission denied (13)
> > > rsync: ERROR: cannot stat destination "/mnt/other_volume/testData":
> > > Permission denied (13).
> > >
> > > ---------------------------------/8</--------------------------------------------
> > >
> > > Question: Why is rsync failing with this error? I checked permissions of
> > > "source" and "target" and both have permissions for the user.
>

We have two rsync booleans that could take care of this:
rsync_export_all_ro - Allow rsync to export any files/directories read only
or rsync_full_access - Allow rsync server to manage all files/directories on the system

> > Your daemon runs in some SELinux domain and this domain doesn't have access
> > to /home/foobar/source and /mnt/other_volume/testData.
> >
> > Could you reproduce the scenario and then attach the output of:
> > # ausearch -m AVC -ts recent
> >
> > > Other testing data:
> > >
> > > 1) I tested this with "SELinux" disabled and rsync succeeds.
> > >
> > > 2) I tested this with "SELinux" enabled and launching the process from a
> > > terminal. In this case "rsync" works fine. So, it looks like it is
> > > something to do with "SELinux permissions" for processes which do not have a tty?
> >
> > There is a difference between running a daemon using the "service" command and
> > running it from a terminal.
> >
> > If you run it from a terminal, in most cases the daemon will inherit the user's
> > SELinux domain, which is in "99%" of cases the unconfined_t domain. SELinux is not
> > in the game when you run it from a terminal.
> >
> > > 3) On another system, RHEL 6.8, SELinux enabled, process as daemon: rsync
> > > works fine. I compared the SELinux configuration of both these systems, but
> > > couldn't find anything to reason it out. If you need, I can attach the
> > > SELinux configurations.
> >
> > Okay, I would say the issue will be in the old policy from RHEL-6.6, but if you'll
> > attach AVCs, we can create a workaround for you.
>
> Sorry for the late response on this one. Here is the AVC output when the rsync
> error happens:
>
> bash # sudo ausearch -m USER_AVC,AVC,SELINUX_ERR --start recent
> ----
> time->Thu Mar 23 06:18:00 2017
> type=SYSCALL msg=audit(1490264280.713:582): arch=c000003e syscall=80
> success=no exit=-13 a0=245a9d0 a1=1 a2=0 a3=383437432d363339 items=0
> ppid=5306 pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
> exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1490264280.713:582): avc: denied { search } for
> pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173
> scontext=system_u:system_r:rsync_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> ----
> time->Thu Mar 23 06:18:00 2017
> type=SYSCALL msg=audit(1490264280.714:583): arch=c000003e syscall=80
> success=no exit=-13 a0=245a9b0 a1=1 a2=0 a3=ffffffff items=0 ppid=5306
> pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
> exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1490264280.714:583): avc: denied { search } for
> pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173
> scontext=system_u:system_r:rsync_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> ----
> time->Thu Mar 23 06:18:00 2017
> type=SYSCALL msg=audit(1490264280.714:584): arch=c000003e syscall=4
> success=no exit=-13 a0=2459360 a1=7fff5e86f6b0 a2=7fff5e86f6b0 a3=0
> items=0 ppid=5308 pid=5309 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
> exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1490264280.714:584): avc: denied { getattr } for
> pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm"
> dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>
> Sachin
>
> > Thanks,
> > Lukas.
> >
> > > Thanks in advance,
> > > Sachin
> > >
> > > _______________________________________________
> > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >
> > --
> > Lukas Vrabec
> > SELinux Solutions
> > Red Hat, Inc.

--
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
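An added example, not part of the thread and not code from Sachin's daemon or from Red Hat's tooling: it takes the three AVC records quoted above (embedded inline so it runs offline, the same way you would pipe `ausearch -m AVC -ts recent` into it on the box) and condenses them into the per-(source type, target type, class) allow rules that audit2allow would propose. That condensed form is what you compare against the rsync_export_all_ro / rsync_full_access booleans named in the thread before deciding whether flipping a boolean covers the access or a local module is needed. Function names and the sample variable are mine.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: condense the AVC records posted in the thread
# into the per-(source type, target type, class) allow rules that "audit2allow" would
# propose, so the denied accesses can be compared against the rsync_* booleans.
set -eu

# The three AVC lines from the thread, embedded so the script runs offline. On a live box
# feed real records instead:  ausearch -m AVC -ts recent | avc_to_rules
AVC_SAMPLE='type=AVC msg=audit(1490264280.713:582): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:583): avc: denied { search } for pid=5308 comm="rsync" name="serviceuser" dev=dm-0 ino=796173 scontext=system_u:system_r:rsync_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1490264280.714:584): avc: denied { getattr } for pid=5309 comm="rsync" path="/tmp/Recover_Files_03-24-2017_3-48pm" dev=dm-0 ino=796146 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir'

# avc_to_rules: read audit records on stdin, keep only "avc: denied" ones, and print
#   allow <source_type> <target_type>:<class> { perm ... };
# once per (source, target, class), merging permissions and preserving first-seen order.
avc_to_rules() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      # the denied permission set sits between the first "{" and the following "}"
      split($0, lhs, "{"); split(lhs[2], rhs, "}"); perms = rhs[1]
      gsub(/^ +| +$/, "", perms)
      # a context is user:role:type:level; the type is the third field
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      key = s[3] " " t[3] ":" cls
      if (!(key in merged)) { order[++n] = key; merged[key] = "" }
      np = split(perms, p, " ")
      for (i = 1; i <= np; i++)
        if (index(" " merged[key] " ", " " p[i] " ") == 0)
          merged[key] = (merged[key] == "" ? p[i] : merged[key] " " p[i])
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], merged[order[i]] }
  '
}

# sample_rules: run the parser over the embedded sample; the two duplicate "search"
# denials on user_home_dir_t collapse into one rule.
sample_rules() {
  printf '%s\n' "$AVC_SAMPLE" | avc_to_rules
}

sample_rules
```

The two rules it prints (rsync_t needs `search` on user_home_dir_t and `getattr` on initrc_tmp_t, both read-only directory accesses) are the thing to hold against the booleans: `getsebool rsync_export_all_ro rsync_full_access` shows their current state, and `audit2why` (`ausearch -m AVC -ts recent | audit2why`) will say outright whether a boolean would have allowed each denial. If neither boolean covers it, the standard route is `ausearch -m AVC -ts recent | audit2allow -M local_rsync` followed by `semodule -i local_rsync.pp`, reviewing the generated `.te` first so the module grants only what the denials show rather than the blanket access a boolean like rsync_full_access would.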