xinetd rsync --daemon problems
Chuck Anderson
cra at WPI.EDU
Thu Oct 11 22:01:25 UTC 2007
I'm using Fedora Core 6, and trying to start a rsync daemon via
xinetd. The default configuration is:
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
	disable		= no
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/bin/rsync
	server_args	= --daemon
	log_on_failure	+= USERID
}
With this rsyncd.conf:
motd file = /etc/rsyncd.motd
pid file = /var/run/rsyncd.pid
port = 873
uid = rsyncd
gid = mirror
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
read only = yes
hosts allow = 127.0.0.1, ::1, etc....
#hosts deny = 0.0.0.0/0, ::
ignore nonreadable = yes
transfer logging = yes
timeout = 600
dont compress = *
[fedora-linux-core]
path = /srv/ftp/pub/fedora/linux/core
comment = Fedora Linux Core
[fedora-linux-core-updates]
path = /srv/ftp/pub/fedora/linux/core/updates
comment = Fedora Linux Core Updates
[fedora-linux-extras]
path = /srv/ftp/pub/fedora/linux/extras
comment = Fedora Linux Extras
[fedora-linux-core-test]
path = /srv/ftp/pub/fedora/linux/core/test
comment = Fedora Linux Core Test
[fedora-linux-releases]
path = /srv/ftp/pub/fedora/linux/releases
comment = Fedora Linux Releases
[fedora-linux-development]
path = /srv/ftp/pub/fedora/linux/development
comment = Fedora Linux Development
[fedora-enchilada]
path = /srv/ftp/pub/fedora
comment = Fedora - The whole enchilada
[fedora-linux-updates]
path = /srv/ftp/pub/fedora/linux/updates
comment = Fedora Linux Updates
[fedora-web]
path = /srv/ftp/pub/fedora/web
comment = Web content for Fedora Linux mirrors
I get these AVCs when running from xinetd and making a client
connection that I don't get if I start the daemon directly via "rsync
--daemon" as root:
type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for
pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435
scontext=user_u:system_r:rsync_t:s0
tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221
success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0
ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464):
path="/var/run/rsyncd.lock"
type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for
pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0
ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
I tried creating and loading a policy module:
# grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd
# semodule -i rsyncd.pp
Here is rsyncd.te:
module rsyncd 1.0;

require {
	type var_run_t;
	type rsync_t;
	class netlink_route_socket create;
	class file { read write };
}

#============= rsync_t ==============
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };
But I still get these AVCs:
type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for
pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0
ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
Additionally, when using xinetd I don't ever get any log messages in
/var/log/rsyncd.log like I do when I run "rsync --daemon" directly:
2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873
2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 21:08:13 [8616] building file list
2007/10/11 21:08:13 [8616] sent 1629 bytes received 106 bytes total size 19
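As an added check (example code, not from the thread and not audit2allow's own logic), the script below parses the AVC records quoted above against the allow rules from the posted rsyncd.te and lists the denied permissions the module does not cover; the sample log and rules are constructed from the post, with the SYSCALL and AVC_PATH records left out.

```python
import re

# Constructed sample: the two AVC records from the post above, one per line
# as in /var/log/audit/audit.log (SYSCALL and AVC_PATH records omitted).
AVC_LOG = """\
type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
"""
# The allow rules from the rsyncd.te posted above (the require block is not needed here).
TE_MODULE = """\
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;', re.M)

def parse_avcs(log):
    """Return {(source_type, target_type, tclass, perm)} for each denied permission."""
    denied = set()
    for m in AVC_RE.finditer(log):
        perms, scontext, tcontext, tclass = m.groups()
        # a context is user:role:type[:level]; allow rules are written against the type field
        stype, ttype = scontext.split(':')[2], tcontext.split(':')[2]
        denied.update((stype, ttype, tclass, p) for p in perms.split())
    return denied

def parse_allows(te):
    """Return {(source, target, tclass, perm)} for each allow rule in a .te file."""
    allowed = set()
    for m in ALLOW_RE.finditer(te):
        src, tgt, tclass, perms_brace, perm_single = m.groups()
        allowed.update((src, tgt, tclass, p) for p in (perms_brace or perm_single).split())
    return allowed

def uncovered(log, te):
    """Denials no rule covers; a 'self' target matches when target type == source type."""
    allowed = parse_allows(te)
    missing = set()
    for src, tgt, tclass, perm in parse_avcs(log):
        covered = (src, tgt, tclass, perm) in allowed or (
            tgt == src and (src, 'self', tclass, perm) in allowed)
        if not covered:
            missing.add((src, tgt, tclass, perm))
    return sorted(missing)

def suggest_rules(log, te):
    """Render the uncovered denials as allow rules to review before adding them to the .te."""
    return [f"allow {src} {'self' if tgt == src else tgt}:{tclass} {perm};"
            for src, tgt, tclass, perm in uncovered(log, te)]
```

Run against the post's data it reports that the module grants `create` but not `bind` on `netlink_route_socket`, and `read`/`write` but not `lock` on `var_run_t` files, which is why the same AVCs keep appearing after `semodule -i`.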