On Mon, Apr 15, 2019 at 5:53 AM Bill shirley <bill@xxxxxxxxxxxxx> wrote: > I'm running rsync (over ssh) to backup files from servers with a > later release Fedora (24, 27, and 28) to my server which is Fedora > 22. I know I'm not telling you anything you don't already know, but: security updates have ceased for Fedora 27 and earlier. Fedora 22 hasn't received security updates since summer 2017. > Since this is strictly for backups, I would like to allow rsync to > set these unknown contexts. The AVC: > > type=AVC msg=audit(1555319931.042:30687): avc: denied { mac_admin } for pid=7061 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 > > Running: > > grep rsync /var/log/audit/audit.log | audit2allow -m my_rsync > my_rsync.te > > generates: > module my_rsync 1.0; > require { > type unconfined_t; > class capability2 mac_admin; > } > #============= unconfined_t ============== > allow unconfined_t self:capability2 mac_admin; > > This should work however I don't want to grant this to any program > except rsync. I've looked the rsync booleans and tried "setsebool > -P rsync_client 1" but it doesn't fix it. Searched the interwebs > too. The problem you're running into is that you are executing an rsync server as a regular user (via an ssh login), instead of starting an rsync server via, say, systemd. By default, pam_selinux.so (which sshd calls) transitions all logins (via any mechanism, not just sshd) to unconfined_t: $ semanage login -l Login Name SELinux User MLS/MCS Range Service __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * By design, a process running in unconfined_t has very few state transitions that permit it to transition out of unconfined_t. > I don't want to grant this to any program except rsync That's not how SELinux works. A particular program can trigger a domain transition, but you don't grant capabilities to a program. You grant them to domains. Probably the simplest thing you could do here would be something like this: $ semanage login -a -s staff_u backup_account With this mapping place, logging in to the server as the backup_account user will result in the login session having the staff_u:staff_r:staff_t context, instead of the unconfined_u:unconfined_r:unconfined_t context. That way, you can use staff_t in your custom SELinux policy module (above), instead of unconfined_t. But beware: domains that are not unconfined_t are locked down much more heavily than unconfined_t is. You might find that while putting the account that is receiving the rsync-over-ssh into staff_t (or user_t) solves the immediate problem, it requires you to create all sorts of additional rules to permit the rsync server, running in staff_t or user_t, to do things that it could do without issue when it was running in the unconfined_t domain. _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx