SELinux in the way of automated rsync

Tue Aug 1 20:22:44 UTC 2006

On Tue, 2006-08-01 at 19:30 +0200, J.L. Coenders wrote:
> On Tuesday 01 August 2006 18:15, Paul Howarth wrote:
> > J.L. Coenders wrote:
> > > On Tuesday 01 August 2006 13:02, Paul Howarth wrote:
> > >> J.L. Coenders wrote:
> > >>> Hi,
> > >>> I am trying to automate a backup with rsync to a second disc using a
> > >>> cronjob. I am running fc5. The script works fine when I run it
> > >>> manually, but if I try to run it as a cronjob it fails with a lot of
> > >>> rsync errors. When looking at the system logs, I suspect that SELinux
> > >>> is blocking rsync. How do I correct this?
> > >>>
> > >>> Messages are like this:
> > >>>
> > >>> Aug  1 09:09:43 localhost kernel: audit(1154416183.900:651): avc: 
> > >>> denied { search } for  pid=19905 comm="rsync" name="/" dev=sda1 ino=2
> > >>> scontext=system_u:system_r:rsync_t:s0
> > >>> tcontext=system_u:object_r:default_t:s0 tclass=dir
> > >>
> > >> That may be a labelling problem on your system.
> > >>
> > >>> Could anyone show me to some easy to understand explanation of SELinux?
> > >>> So far I only find quite complex ones.
> > >>
> > >> SELinux isn't simple, so you're unlikely to find a simple explanation
> > >> for it.
> > >>
> > >> What is the top-level directory you are trying to copy using rsync?
> > >>
> > >> Paul.
> > >
> > > Hehehe, thanks, I already understood that it probably would not be
> > > simple. One of the Linux magazines I consulted said something similar to
> > > that too.
> > >
> > > I am trying to rsync my home, /etc and /var directory to a backup drive.
> > > So that would be /home/user, /etc and /var.
> >
> > There's no way the standard SELinux policy is going to let you do that,
> > as there are loads of "sensitive" files there that people shouldn't
> > normally be able to access using the rsync service. Given the number of
> > different file types involved, particularly for /etc and /var, it's not
> > practical to change the rsync policy ro allow access to all of these files.
> >
> > One way to fix this would be to disable the transition to the rsync_t
> > domain, so that rsync ran "unconfined" by SELinux when run from cron,
> > just as it does when run manually.
> >
> > That's a bit of a sledgehammer approach though. Can you tell us exactly
> > how you are trying to do this? rsync command directly in crontab file?
> > Are you running rsync locally or over the network? Are you using a
> > wrapper script?
> >
> > And can you post the output of: "sestatus"
> >
> > Paul.
> 
> Hi,
> The thing I would like to do, is make a nightly backup of these directories. I 
> have made a script for it (attached), which I run using cron, basically 
> rsyncing the directories to a backup disk (usb).
> Probably it is not the most beautiful script, but it ran quite nicely before. 
> If anyone would like to use it, feel free.
> 
> [sestatus output]
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 20
> Policy from config file:        targeted

The script looks fine to me. I'm a bit surprised it's running in the
"rsync_t" domain though, as cron jobs here seem to run "unconfined" as
if you'd just run them manually.

Where is the script installed?

Can you post the output of:

$ ls -lZ /path/to/script

Oh, and one last thing:

# ls -lZa /
# restorecon -v /
# ls -lZa /

What do you get for those? If the second "ls" output is different from
the first, try the cron job again and see if you get different results.

Paul.