I'm trying to use rsync to back up some directories on a CentOS6 machine that uses selinux in enforcing mode. Most files didn't transfer, so I tried the example from rsync_selinux(8):
Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type.
semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
restorecon -F -R -v /var/rsync
except I substituted /etc for /var/rsync.
Big mistake. Most or all services with config files under /etc could no longer read their config files, including ssh. It looks like the selinux type was substituted rather than added? Thankfully, I was able to recover.
What is the correct way to give rsync full access to everything under selinux?
On 01/07/2013 03:59 AM, lhecking@users.sourceforge.net wrote:
Big mistake. Most or all services with config files under /etc could no longer read their config files, including ssh. It looks like the selinux type was substituted rather than added? Thankfully, I was able to recover.
Yes, I believe that you added a new file context rule to the configuration, and that rule had precedence over the system policy. Files have just one context.
What is the correct way to give rsync full access to everything under selinux?
The easiest way is to use rsync over ssh, rather than rsync as a daemon. As long as you aren't running it as a daemon, I don't believe that it's confined.
Also, run rsync with -v to get more information about what's being skipped and why, and run 'tail -f /var/log/audit/audit.log' while you rsync to make sure that there aren't AVCs logged. If there aren't AVCs, it's probably not an SELinux problem.
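A small shell helper, added here as an example and not part of this thread, that does the audit-log check recommended above: it pulls the AVC denials for a given process name (comm) out of audit.log-style input and prints the denied permission, source type, target type and object class, so you can see at a glance whether rsync is being blocked and by which file label. The sample records are constructed to resemble CentOS 6 audit.log lines, not a real capture; the filename argument is an assumption for use on a live system.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one process name from audit.log-style input.

# Constructed sample records in the style of /var/log/audit/audit.log (not a real capture).
SAMPLE_AUDIT='type=AVC msg=audit(1357560000.123:456): avc:  denied  { read } for  pid=2345 comm="rsync" name="passwd" dev=dm-0 ino=1234 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1357560000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0
type=AVC msg=audit(1357560001.456:457): avc:  denied  { getattr } for  pid=2345 comm="rsync" path="/etc/shadow" dev=dm-0 ino=1235 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1357560002.789:458): avc:  denied  { name_connect } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_summary COMM [FILE]
# Reads FILE (e.g. /var/log/audit/audit.log) or, if omitted, the constructed sample,
# keeps only AVC "denied" records for the given comm= value, and prints one line per
# denial: "<permission> <source type> <target type> <tclass>".
avc_summary() {
    want="$1"
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_AUDIT"; fi; } |
        grep '^type=AVC ' | grep 'avc: *denied' | grep "comm=\"$want\"" |
        sed -e 's/.*denied *{ \([^}]*\) } for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \2 \3 \4/'
}

# Example run against the constructed sample: denials for the rsync daemon only.
avc_summary rsync
```

On a live system run it as `avc_summary rsync /var/log/audit/audit.log`; if the target types it prints are ordinary system labels such as etc_t or shadow_t, the fix is a boolean or a different transfer method (rsync over ssh), not relabelling the target directory.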
On 01/07/2013 08:26 AM, Gordon Messmer wrote:
On 01/07/2013 03:59 AM, lhecking@users.sourceforge.net wrote:
Big mistake. Most or all services with config files under /etc could no longer read their config files, including ssh. It looks like the selinux type was substituted rather than added? Thankfully, I was able to recover.
Yes, I believe that you added a new file context rule to the configuration, and that rule had precedence over the system policy. Files have just one context.
What is the correct way to give rsync full access to everything under selinux?
The easiest way is to use rsync over ssh, rather than rsync as a daemon. As long as you aren't running it as a daemon, I don't believe that it's confined.
Also, run rsync with -v to get more information about what's being skipped and why, and run 'tail -f /var/log/audit/audit.log' while you rsync to make sure that there aren't AVCs logged. If there aren't AVCs, it's probably not an SELinux problem.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
I would try the booleans
getsebool -a | grep rsync