Re: rsync: add mac_admin capability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Apr 15, 2019 at 5:53 AM Bill shirley <bill@xxxxxxxxxxxxx> wrote:

> I'm running rsync (over ssh) to backup files from servers with a
> later release Fedora (24, 27, and 28) to my server which is Fedora
> 22.

I know I'm not telling you anything you don't already know, but:
security updates have ceased for Fedora 27 and earlier.  Fedora 22
hasn't received security updates since summer 2017.

> Since this is strictly for backups, I would like to allow rsync to
> set these unknown contexts.  The AVC:
>
> type=AVC msg=audit(1555319931.042:30687): avc:  denied  { mac_admin } for  pid=7061 comm="rsync" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
>
> Running:
>
> grep rsync /var/log/audit/audit.log | audit2allow -m my_rsync > my_rsync.te
>
> generates:
> module my_rsync 1.0;
> require {
>         type unconfined_t;
>         class capability2 mac_admin;
> }
> #============= unconfined_t ==============
> allow unconfined_t self:capability2 mac_admin;
>
> This should work however I don't want to grant this to any program
> except rsync.  I've looked the rsync booleans and tried "setsebool
> -P rsync_client 1" but it doesn't fix it.  Searched the interwebs
> too.

The problem you're running into is that you are executing an rsync
server as a regular user (via an ssh login), instead of starting an
rsync server via, say, systemd.

By default, pam_selinux.so (which sshd calls) transitions all logins
(via any mechanism, not just sshd) to unconfined_t:

$ semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

By design, a process running in unconfined_t has very few state
transitions that permit it to transition out of unconfined_t.

> I don't want to grant this to any program except rsync

That's not how SELinux works.  A particular program can trigger a
domain transition, but you don't grant capabilities to a program.  You
grant them to domains.

Probably the simplest thing you could do here would be something like
this:

$ semanage login -a -s staff_u backup_account

With this mapping place, logging in to the server as the
backup_account user will result in the login session having the
staff_u:staff_r:staff_t context, instead of the
unconfined_u:unconfined_r:unconfined_t context.  That way, you can use
staff_t in your custom SELinux policy module (above), instead of
unconfined_t.

But beware: domains that are not unconfined_t are locked down much
more heavily than unconfined_t is.  You might find that while putting
the account that is receiving the rsync-over-ssh into staff_t (or
user_t) solves the immediate problem, it requires you to create all
sorts of additional rules to permit the rsync server, running in
staff_t or user_t, to do things that it could do without issue when it
was running in the unconfined_t domain.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux