Re: running rsync as root to preserve contexts
- From: Stephen Smalley <sds tycho nsa gov>
- To: Murray McAllister <mmcallis redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: running rsync as root to preserve contexts
- Date: Wed, 14 Jan 2009 09:46:34 -0500
On Wed, 2009-01-14 at 11:44 +1000, Murray McAllister wrote:
> Hi,
>
> I am not sure how rsync works, but should it have to be run as the root
> user to preserve contexts?
Only if SELinux is disabled. If SELinux is disabled, then you have to
be root or rather have CAP_SYS_ADMIN to set anything in the "security."
namespace. If SELinux is enabled, then a process can set the
security.selinux attribute if it passes a set of SELinux permission
checks based on the SELinux contexts, independent of whether it is root.

I think perhaps the fundamental problem is that they are just trying to
use the generic xattr code rather than providing specific handling for
SELinux contexts using the libselinux interfaces, just as they provide
specific handling for ACLs using libacl.
> $ pwd
> /home/murray
>
> $ mkdir other
> $ ls -dZ other/
> drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/
>
> $ touch file && chcon -t samba_share_t file
> $ ls -Z file
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> $ rsync -aXHv file other/
> sending incremental file list
> file
>
> sent 122 bytes received 31 bytes 102.00 bytes/sec
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file
>
> # samba_share_t type was not preserved.
>
> $ sudo rsync -aXHv file other/
> sending incremental file list
>
> sent 128 bytes received 17 bytes 290.00 bytes/sec
>
> # running as sudo sends more bytes (previously 122).
>
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> # samba_share_t type was preserved.
>
> I am using:
>
> rsync-3.0.4-0.fc10.i386
> openssh-askpass-5.1p1-3.fc10.i386
> openssh-5.1p1-3.fc10.i386
> openssh-clients-5.1p1-3.fc10.i386
> libssh2-0.18-7.fc9.i386
> openssh-server-5.1p1-3.fc10.i386
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Cheers.
--
Stephen Smalley
National Security Agency
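
An added illustration, not part of the thread or of rsync's source: it copies `security.selinux` through the generic xattr calls, the path the reply describes, and maps the resulting errno to the cases above. The function names, the selinuxfs check and the errno interpretations are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"

/* Heuristic (assumption): selinuxfs is mounted only when SELinux is enabled. */
static int selinux_enabled(void)
{
    return access("/sys/fs/selinux/enforce", F_OK) == 0 ||
           access("/selinux/enforce", F_OK) == 0;
}

/* Copy the label with generic xattr calls; returns 0 or a negative errno. */
int copy_selinux_xattr(const char *src, const char *dst)
{
    char ctx[4096];
    ssize_t len = lgetxattr(src, SELINUX_XATTR, ctx, sizeof(ctx));
    if (len < 0)
        return -errno;
    if (lsetxattr(dst, SELINUX_XATTR, ctx, (size_t)len, 0) < 0)
        return -errno;
    return 0;
}

/* Map a failure to the case it most likely corresponds to (assumed mapping). */
const char *explain_failure(int err, int enabled)
{
    switch (-err) {
    case 0:          return "label copied";
    case EPERM:      return enabled ? "caller does not own the file"
                                    : "SELinux disabled: CAP_SYS_ADMIN required";
    case EACCES:     return "SELinux policy denied the relabel";
    case ENODATA:    return "source has no security.selinux attribute";
    case EOPNOTSUPP: return "filesystem does not support this xattr";
    default:         return strerror(-err);
    }
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;
    int rc = copy_selinux_xattr(argv[1], argv[2]);
    printf("%s\n", explain_failure(rc, selinux_enabled()));
    return rc ? 1 : 0;
}
```

Run it as an ordinary user and again as root on the same pair of files to compare the two outcomes; a matching AVC denial in the audit log confirms the `EACCES` case.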