Re: SELinux in the way of automated rsync

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday 01 August 2006 18:15, Paul Howarth wrote:
> J.L. Coenders wrote:
> > On Tuesday 01 August 2006 13:02, Paul Howarth wrote:
> >> J.L. Coenders wrote:
> >>> Hi,
> >>> I am trying to automate a backup with rsync to a second disc using a
> >>> cronjob. I am running fc5. The script works fine when I run it
> >>> manually, but if I try to run it as a cronjob it fails with a lot of
> >>> rsync errors. When looking at the system logs, I suspect that SELinux
> >>> is blocking rsync. How do I correct this?
> >>>
> >>> Messages are like this:
> >>>
> >>> Aug  1 09:09:43 localhost kernel: audit(1154416183.900:651): avc: 
> >>> denied { search } for  pid=19905 comm="rsync" name="/" dev=sda1 ino=2
> >>> scontext=system_u:system_r:rsync_t:s0
> >>> tcontext=system_u:object_r:default_t:s0 tclass=dir
> >>
> >> That may be a labelling problem on your system.
> >>
> >>> Could anyone show me to some easy to understand explanation of SELinux?
> >>> So far I only find quite complex ones.
> >>
> >> SELinux isn't simple, so you're unlikely to find a simple explanation
> >> for it.
> >>
> >> What is the top-level directory you are trying to copy using rsync?
> >>
> >> Paul.
> >
> > Hehehe, thanks, I already understood that it probably would not be
> > simple. One of the Linux magazines I consulted said something similar to
> > that too.
> >
> > I am trying to rsync my home, /etc and /var directory to a backup drive.
> > So that would be /home/user, /etc and /var.
>
> There's no way the standard SELinux policy is going to let you do that,
> as there are loads of "sensitive" files there that people shouldn't
> normally be able to access using the rsync service. Given the number of
> different file types involved, particularly for /etc and /var, it's not
> practical to change the rsync policy ro allow access to all of these files.
>
> One way to fix this would be to disable the transition to the rsync_t
> domain, so that rsync ran "unconfined" by SELinux when run from cron,
> just as it does when run manually.
>
> That's a bit of a sledgehammer approach though. Can you tell us exactly
> how you are trying to do this? rsync command directly in crontab file?
> Are you running rsync locally or over the network? Are you using a
> wrapper script?
>
> And can you post the output of: "sestatus"
>
> Paul.

Btw, if anyone of you has another way of doing this, I am very willing to 
explore the options.

Thanks,
Jeroen

Attachment: pgp3O10JrV7L7.pgp
Description: PGP signature


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux