Hello all, I'm having troubles invoking _any_ denial whatsoever for rsync related tasks, in order for me to demonstrate in my book how to then work around it. I've made a custom init script for rsync as there is no existing one in Fedora 11, so I labeled it initrc_exec_t so that the rsync daemon transitions to rsync_t: # ps -eZ | grep rsync unconfined_u:system_r:rsync_t:s0 326 ? 00:00:00 rsync According to the information I have, now that it's running as rsync_t, the following Booleans should have an effect: allow_rsync_anon_write No mattter the state of this Boolean, I can still write to public_content_rw_t files, locally or over the LAN. rsync_client I have very little information on this Boolean and what it actually implies, what it requires in terms of labels, etc. but no matter its state, rsync operates normally as a client reading and writing to a daemonized process on another machine. rsync_export_all_ro Perhaps I'm misinterpreting this one as well, but no matter its state, I can read _and_ write the test files in the directory specified by the rsync daemon, locally and over the network. Really, I'm probably misinterpreting these Booleans and their actual implications, or doing something completely wrong. I simply need a way that I can get SELinux to give me a denial related to rsync (running as a daemon) which I can then document and demonstrate the work-around for. My problem remains that everything works too _well_ and SELinux doesn't seem to be denying any of the access or transfers I'm performing, whatever the state of these Booleans, based on my limited understanding of them. Does anyone have a better understanding of these particular Booleans, what they actually imply, what labels the files need in order to be affected by them, any other condition they require to enforce upon the system...and mainly how I can intentionally invoke a denial based on one of them? Thanks in advance, -- Scott Radvan Content Author, Platform (Installation and Deployment) Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.