I'm trying to use rsync to back up some directories on a CentOS 6 machine that uses SELinux in enforcing mode. Most files didn't transfer, so I tried the example from rsync_selinux(8):

    Allow rsync servers to read the /var/rsync directory by adding the
    public_content_t file type to the directory and by restoring the file
    type.

        semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
        restorecon -F -R -v /var/rsync

except I substituted /etc for /var/rsync.

Big mistake. Most or all services with config files under /etc could no longer read their config files, including ssh. It looks like the SELinux type was substituted rather than added? Thankfully, I was able to recover.

What is the correct way to give rsync full access to everything under SELinux?
On 01/07/2013 03:59 AM, lhecking at users.sourceforge.net wrote:
> Big mistake. Most or all services with config files under /etc could
> no longer read their config files, including ssh. It looks like the selinux
> type was substituted rather than added? Thankfully, I was able to recover.

Yes, I believe that you added a new file context rule to the configuration, and that rule had precedence over the system policy. Files have just one context.

> What is the correct way to give rsync full access to everything under
> selinux?

The easiest way is to use rsync over ssh, rather than rsync as a daemon. As long as you aren't running it as a daemon, I don't believe that it's confined.

Also, run rsync with -v to get more information about what's being skipped and why, and run 'tail -f /var/log/audit/audit.log' while you rsync to make sure that there aren't AVCs logged. If there aren't AVCs, it's probably not an SELinux problem.
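The reply above suggests watching audit.log for AVC denials while rsync runs. The following is an added example (not code from anyone in this thread) that filters audit records for denials attributed to rsync; the audit lines are constructed samples in the shape auditd writes, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample audit.log records (not taken from the thread). Lines 1-2
# are AVC denials for rsync, line 3 is a denial for httpd, line 4 is an
# unrelated SYSCALL record that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1357545000.123:101): avc:  denied  { read } for  pid=2345 comm="rsync" name="sshd_config" dev=dm-0 ino=131 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1357545001.456:102): avc:  denied  { getattr } for  pid=2345 comm="rsync" path="/etc/shadow" dev=dm-0 ino=140 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1357545002.789:103): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" dev=dm-0 ino=200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1357545002.789:103): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# rsync_avc_denials: read audit records on stdin and print one line per AVC
# denial whose comm is "rsync", in the form:
#   <permission> <target context> <target class>
# The target context tells you which file type rsync_t was refused, which is
# what you need to know before touching any fcontext rule.
rsync_avc_denials() {
    grep 'type=AVC' | grep 'comm="rsync"' | grep 'denied' |
    sed -n 's/.*denied *{ \([^}]*\) } .*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \2 \3/p'
}

# rsync_avc_count: number of AVC denials attributed to rsync on stdin.
rsync_avc_count() {
    rsync_avc_denials | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a live CentOS 6 box you
# would pipe 'tail -f /var/log/audit/audit.log' into rsync_avc_denials.
printf '%s\n' "$SAMPLE_AUDIT" | rsync_avc_denials
```

If a denial does show up, the fix is to address that one target type (or run rsync over ssh as an unconfined user, as suggested above), not to relabel the whole tree; a mistaken rule like the /etc one is removed with `semanage fcontext -d "/etc(/.*)?"` followed by `restorecon -F -R /etc`.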
On Mon, January 7, 2013 06:59, lhecking at users.sourceforge.net wrote:
> I'm trying to use rsync to back up some directories on a CentOS6
> machine that uses selinux in enforcing mode. Most files didn't
> transfer, so I tried the example from rsync_selinux(8):
>
> Allow rsync servers to read the /var/rsync directory by adding
> the public_content_t file type to the directory and by restoring
> the file type.
>
> semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
> restorecon -F -R -v /var/rsync
>
> except I substituted /etc for /var/rsync.
>
> Big mistake. Most or all services with config files under /etc could
> no longer read their config files, including ssh. It looks like the
> selinux type was substituted rather than added? Thankfully, I was
> able to recover.
>
> What is the correct way to give rsync full access to everything under
> selinux?

I use rsync extensively to transfer entire systems from and to SELinux enforcing environments and have never had a problem with reads using rsync when logged on as the root user. My typical command line is some variation of the following:

    /usr/bin/rsync -avX --delete-after --specials --times \
        --exclude-from=/root/rsync.d/exclude.list \
        192.168.216.29:/* /.

Are you connecting as the root user?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3