I'm not sure why, but systemimager-server-rsyncd causes SELinux denials
when the client tries to retrieve files from the server, whereas
`rsync --daemon` using the same config, run as root, does not.
An example command to avoid such denials (on the server):
chcon -R -t rsync_data_t /usr/share/systemimager/boot/i386/standard/*
------------------------------------------------
Here are pre-chcon rsync issues using systemimager-server-rsyncd:
------------------------------------------------
[EMAIL PROTECTED] ~]# rsync -vn systemimager.aero.und.edu::boot/
drwxr-xr-x 4096 2007/06/05 13:36:54 .
drwxr-xr-x 4096 2007/06/07 13:03:04 i386
sent 76 bytes received 74 bytes 300.00 bytes/sec
total size is 0 speedup is 0.00
[EMAIL PROTECTED] ~]# rsync -vn systemimager.aero.und.edu::boot/i386/
drwxr-xr-x 4096 2007/06/07 13:03:04 .
drwxr-xr-x 4096 2007/06/05 14:27:55 generic
drwxr-xr-x 4096 2007/06/07 13:03:04 labimage
drwxr-xr-x 4096 2007/06/05 13:53:35 newpenguin
drwxr-xr-x 4096 2007/06/07 12:24:32 standard
sent 81 bytes received 133 bytes 428.00 bytes/sec
total size is 0 speedup is 0.00
[EMAIL PROTECTED] ~]# rsync -vn systemimager.aero.und.edu::boot/i386/standard/
rsync: readlink "/i386/standard/kernel" (in boot) failed: Permission denied (13)
rsync: readlink "/i386/standard/initrd.img" (in boot) failed: Permission denied (13)
rsync: readlink "/i386/standard/config" (in boot) failed: Permission denied (13)
rsync: readlink "/i386/standard/boel_binaries.tar.gz" (in boot) failed: Permission denied (13)
drwxr-xr-x 4096 2007/06/07 12:24:32 .
sent 90 bytes received 418 bytes 1016.00 bytes/sec
total size is 0 speedup is 0.00
rsync error: some files could not be transferred (code 23) at main.c(1298) [generator=2.6.8]
[EMAIL PROTECTED] ~]# rsync -vn systemimager.aero.und.edu::boot/i386/standard/config
rsync: link_stat "/i386/standard/config" (in boot) failed: Permission denied (13)
sent 4 bytes received 9 bytes 26.00 bytes/sec
total size is 0 speedup is 0.00
rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8]
---------------------------------------
on the server:
---------------------------------------
[EMAIL PROTECTED] ~]# ls -l /usr/share/systemimager/boot/i386/standard/
total 13628
-rw-r--r-- 1 root root 5510792 Mar 25 06:50 boel_binaries.tar.gz
-rw-r--r-- 1 root root 32102 Mar 25 06:50 config
-rw-r--r-- 1 root root 6185199 Mar 25 06:50 initrd.img
-rw-r--r-- 1 root root 2172329 Mar 25 06:50 kernel
[EMAIL PROTECTED] ~]# grep -B2 -A2 boot /etc/systemimager/rsyncd.conf
#hosts deny = 0.0.0.0/0
[boot]
path = /usr/share/systemimager/boot
#
# Never restrict the access of the [boot] module.
#
# hosts allow = 0.0.0.0/0
------------------------------------------------
Here is the SELinux denial report:
------------------------------------------------
Summary
SELinux is preventing rsync (/usr/bin/rsync) "getattr" to /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz (usr_t).
Detailed Description
SELinux denied rsync access to /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz. If this is a RSYNC repository it has to have a file context label of rsync_data_t. If you did not intend to use /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz as a rsync repository it could indicate either a bug or it could signal a intrusion attempt.
Allowing Access
You can alter the file context by executing chcon -R -t rsync_data_t /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz
The following command will allow this access:
chcon -R -t rsync_data_t /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz
Additional Information
Source Context root:system_r:rsync_t
Target Context system_u:object_r:usr_t
Target Objects /usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz [ file ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name plugins.rsync_data
Host Name
Platform
Alert Count 2
Line Numbers 5544,5545,5546
Raw Audit Messages
avc: denied { getattr } for comm="rsync" dev=dm-0 egid=0 euid=0 exe="/usr/bin/rsync" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="boel_binaries.tar.gz" path="/usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz" pid=30664 scontext=root:system_r:rsync_t:s0 sgid=0 subj=root:system_r:rsync_t:s0 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0
----------------------
Wade Nelson
[EMAIL PROTECTED]
_______________________________________________
sisuite-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sisuite-devel
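Added example, not code from Wade's message or from the SystemImager project: a POSIX shell script that reads the module paths out of an rsyncd.conf, picks the rsync_t denials out of raw AVC records, and prints the fix as a persistent file-context rule rather than the one-off chcon given above. The conf fragment and the AVC record it runs on are the ones shown in the message, joined onto single lines; the function names (rsyncd_module_paths, rsync_avc_denials, rsync_label_fix, report) are my own.

```shell
#!/bin/sh
# Added example (not from the original post or SystemImager).
# Finds files under an rsyncd module that rsync_t was denied access to and
# prints a relabel that survives a later restorecon or full relabel.

# Sample input, taken from the message above and joined onto one line.
SAMPLE_CONF='#hosts deny = 0.0.0.0/0
[boot]
path = /usr/share/systemimager/boot
#
# Never restrict the access of the [boot] module.
#
# hosts allow = 0.0.0.0/0'

SAMPLE_AVC='avc: denied { getattr } for comm="rsync" dev=dm-0 egid=0 euid=0 exe="/usr/bin/rsync" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="boel_binaries.tar.gz" path="/usr/share/systemimager/boot/i386/standard/boel_binaries.tar.gz" pid=30664 scontext=root:system_r:rsync_t:s0 sgid=0 subj=root:system_r:rsync_t:s0 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0'

# Print "module path" for each [module] section of an rsyncd.conf on stdin.
rsyncd_module_paths() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { gsub(/[][[:space:]]/, ""); mod = $0; next }
        /^[[:space:]]*path[[:space:]]*=/ && mod != "" {
            sub(/^[^=]*=[[:space:]]*/, ""); print mod, $0
        }
    '
}

# Print "path target_type" for every AVC denial on stdin whose source
# domain is rsync_t. Fields are key=value; the type is the third colon
# separated part of a context.
rsync_avc_denials() {
    awk '
        /avc: +denied/ {
            path = ""; stype = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                if (k == "path") path = v
                if (k == "scontext") { split(v, s, ":"); stype = s[3] }
                if (k == "tcontext") { split(v, t, ":"); ttype = t[3] }
            }
            if (stype == "rsync_t" && path != "") print path, ttype
        }
    '
}

# Persistent fix for one module root. chcon only rewrites the inode label;
# a later restorecon or relabel reverts it, so record the rule with
# semanage first and then apply it with restorecon.
rsync_label_fix() {
    printf 'semanage fcontext -a -t rsync_data_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# For each denied path, find the module it lives under and emit the fix
# for that module's root (not just the one file the alert named).
report() {
    printf '%s\n' "$SAMPLE_CONF" | rsyncd_module_paths | while read -r mod root; do
        printf '%s\n' "$SAMPLE_AVC" | rsync_avc_denials | while read -r path ttype; do
            case "$path" in
                "$root"/*)
                    printf '%s: %s labelled %s, expected rsync_data_t\n' "$mod" "$path" "$ttype"
                    rsync_label_fix "$root" ;;
            esac
        done
    done
}

report
```

On a real server you would feed `rsync_avc_denials` from `/var/log/audit/audit.log` and `rsyncd_module_paths` from `/etc/systemimager/rsyncd.conf`. The usual explanation for the difference Wade saw is that a daemon started from a root shell stays in the shell's unconfined domain, while one started by the init script transitions to rsync_t, and only rsync_t is confined to rsync_data_t; the scontext `root:system_r:rsync_t` in the alert is consistent with the latter.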