running rsync as root to preserve contexts

Stephen Smalley sds at tycho.nsa.gov
Wed Jan 14 14:46:34 UTC 2009


On Wed, 2009-01-14 at 11:44 +1000, Murray McAllister wrote:
> Hi,
> 
> I am not sure how rsync works, but should it have to be run as the root 
> user to preserve contexts?

Only if SELinux is disabled.  If SELinux is disabled, then you have to
be root or rather have CAP_SYS_ADMIN to set anything in the "security."
namespace.  If SELinux is enabled, then a process can set the
security.selinux attribute if it passes a set of SELinux permission
checks based on the SELinux contexts, independent of whether it is root.

I think perhaps the fundamental problem is that they are just trying to
use the generic xattr code rather than providing specific handling for
SELinux contexts using the libselinux interfaces, just as they provide
specific handling for ACLs using libacl.

> $ pwd
> /home/murray
> 
> $ mkdir other
> $ ls -dZ other/
> drwxrwxr-x  murray murray unconfined_u:object_r:user_home_t:s0 other/
> 
> $ touch file && chcon -t samba_share_t file
> $ ls -Z file
> -rw-rw-r--  murray murray unconfined_u:object_r:samba_share_t:s0 file
> 
> $ rsync -aXHv file other/
> sending incremental file list
> file
> 
> sent 122 bytes  received 31 bytes  102.00 bytes/sec
> total size is 0  speedup is 0.00
> $ ls -Z other/
> -rw-rw-r--  murray murray unconfined_u:object_r:user_home_t:s0 file
> 
> # samba_share_t type was not preserved.
> 
> $ sudo rsync -aXHv file other/
> sending incremental file list
> 
> sent 128 bytes  received 17 bytes  290.00 bytes/sec
> 
> # running as sudo sends more bytes (previously 122).
> 
> total size is 0  speedup is 0.00
> $ ls -Z other/
> -rw-rw-r--  murray murray unconfined_u:object_r:samba_share_t:s0 file
> 
> # samba_share_t type was preserved.
> 
> I am using:
> 
> rsync-3.0.4-0.fc10.i386
> openssh-askpass-5.1p1-3.fc10.i386
> openssh-5.1p1-3.fc10.i386
> openssh-clients-5.1p1-3.fc10.i386
> libssh2-0.18-7.fc9.i386
> openssh-server-5.1p1-3.fc10.i386
> 
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
> 
> Cheers.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
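The thread's point is that, with SELinux enabled, writing the security.selinux xattr is gated by SELinux permission checks on the caller's context rather than by uid 0, while with SELinux disabled the kernel demands CAP_SYS_ADMIN for anything in the security.* namespace. The script below is an added example, not code from this thread, from rsync, or from libselinux: it copies a file's label with the generic xattr API (the same system calls libselinux's lsetfilecon() wraps) and reports how the kernel answered. It assumes Python 3 on Linux; the function names, the "file" / "other/file" layout mirroring Murray's test, and the status strings are my own choices.

```python
"""Copy a file's SELinux label via the security.selinux xattr as the current user.

Added example (not part of the mailing-list thread, rsync or libselinux).
Assumes Linux and Python 3. It does not refuse the security.* namespace for
non-root callers; it hands the request to the kernel and reports the result.
"""
import errno
import os
import tempfile

SELINUX_XATTR = "security.selinux"


def selinux_enabled():
    """True if an SELinux kernel has mounted selinuxfs.

    Assumption: the mount point is /sys/fs/selinux (current kernels) or
    /selinux (the Fedora 10-era location in the thread).
    """
    return any(os.path.exists(p) for p in ("/sys/fs/selinux/enforce", "/selinux/enforce"))


def get_label(path):
    """Return path's SELinux context, or None if it has no label. Symlinks are not followed."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    # The kernel stores the context as a NUL-terminated string.
    return raw.rstrip(b"\0").decode()


def copy_label(src, dst):
    """Copy src's security.selinux xattr onto dst (symlinks are not followed).

    Returns "copied", "unlabeled" (src has no label), "unsupported" (filesystem
    has no security xattrs), "denied" (kernel refused: SELinux policy check with
    SELinux enabled, or missing CAP_SYS_ADMIN with SELinux disabled), or
    "error:<ERRNO>" for anything else.
    """
    try:
        label = os.getxattr(src, SELINUX_XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno == errno.ENODATA:
            return "unlabeled"
        if e.errno == errno.ENOTSUP:
            return "unsupported"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        os.setxattr(dst, SELINUX_XATTR, label, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        if e.errno == errno.ENOTSUP:
            return "unsupported"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    return "copied"


def run_demo():
    """Build a constructed sample (file and other/file in a temp dir), copy the
    label, and return what happened together with both labels."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "file")
        dst = os.path.join(d, "other", "file")
        os.mkdir(os.path.dirname(dst))
        for p in (src, dst):
            with open(p, "w"):
                pass
        status = copy_label(src, dst)
        return {
            "uid": os.getuid(),
            "selinux": selinux_enabled(),
            "status": status,
            "src_label": get_label(src),
            "dst_label": get_label(dst),
        }


if __name__ == "__main__":
    result = run_demo()
    print(result)
    if result["status"] == "copied" and result["uid"] != 0:
        print("label preserved without root: SELinux policy allowed the relabel")
    elif result["status"] == "denied" and not result["selinux"]:
        print("SELinux disabled: writing security.* needs CAP_SYS_ADMIN (run as root)")
    elif result["status"] == "denied":
        print("SELinux denied the relabel for this process context; check audit.log")
```

To reproduce Murray's case, run `chcon -t samba_share_t` on the source first (as in the thread) and then call copy_label() as the same unprivileged user: on an SELinux-enabled Fedora box the result is "copied" whenever policy grants the caller relabelfrom/relabelto for the two types, with no root involved, which is what rsync's generic xattr path did not do for the non-root run in the thread.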