This example shows how to run rsync as a daemon in the correct SELinux domain, and how to modify SELinux policy to allow the rsync daemon to run normally on a non-standard port.
Getting rsync to launch as rsync_t
Run the getenforce command to confirm SELinux is running in enforcing mode:

$ getenforce
Enforcing

The getenforce command returns Enforcing when SELinux is running in enforcing mode.
Run the which command to confirm that the rsync binary is in the system path:

$ which rsync
/usr/bin/rsync
When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available; it is just enough to demonstrate the rsync daemon:

log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
path = /srv/files
comment = file area
read only = false
timeout = 300
Launching rsync with rsync --daemon is not sufficient for SELinux to offer its protection over rsync. Refer to the following output:

# rsync --daemon
# ps x | grep rsync
8231 ? Ss 0:00 rsync --daemon
8233 pts/3 S+ 0:00 grep rsync
# ps -eZ | grep rsync
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync
Note that in the output from the ps command, the context shows the rsync daemon running in the unconfined_t domain. This indicates that rsync has not transitioned to the rsync_t domain, because it was launched by the rsync --daemon command. At this point SELinux cannot enforce its rules and policy over this daemon. Refer to the following steps to see how to fix this problem. In the following steps, rsync will transition to the rsync_t domain by launching it from a properly-labeled init script. Only then can SELinux and its protection mechanisms have an effect over rsync. This rsync process should be killed before proceeding to the next step.
Save the custom init script for rsync as /etc/rc.d/init.d/rsyncd. The following steps show how to label this script as initrc_exec_t:
Run the semanage command to add a context mapping for /etc/rc.d/init.d/rsyncd:

semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"
This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local
/etc/rc.d/init.d/rsyncd system_u:object_r:initrc_exec_t:s0
Now use the restorecon command to apply this context mapping to the running system:

restorecon -R -v /etc/rc.d/init.d/rsyncd
Run ls with the -Z option to confirm the script has been labeled appropriately. Note that in the following output the script has been labeled as initrc_exec_t:

ls -lZ /etc/rc.d/init.d/rsyncd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd
Launch rsyncd via the new script. Now that rsync has started from an init script that has been appropriately labeled, the process will start as rsync_t:

# /etc/rc.d/init.d/rsyncd start
Starting rsyncd: [ OK ]
# ps -eZ | grep rsync
unconfined_u:system_r:rsync_t:s0 9794 ? 00:00:00 rsync

SELinux can now enforce its protection mechanisms over the rsync daemon as it is now running in the rsync_t domain.
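The ps -eZ check used twice above (once showing unconfined_t, once showing rsync_t) is easy to script so the same verification can be repeated after every restart. The following is an added example, not part of the guide: a POSIX shell script that extracts the SELinux type from the context column of ps -eZ and reports any rsync process that is not in rsync_t. The two sample lines are constructed from the ps -eZ output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the guide): check from the SELinux context column
# of "ps -eZ" whether every rsync process is confined in the rsync_t domain.
# The two sample lines are constructed from the ps -eZ output shown above.

SAMPLE_UNCONFINED='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync'
SAMPLE_CONFINED='unconfined_u:system_r:rsync_t:s0 9794 ? 00:00:00 rsync'

# Print the SELinux type of one ps -eZ line. The context is the first column
# and has the form user:role:type:level, so the type is the third colon field.
domain_of_ps_line() {
    printf '%s\n' "$1" | awk '{
        n = split($1, ctx, ":")
        if (n >= 3) print ctx[3]; else print "unknown"
    }'
}

# Exit 0 only when the line shows the process running in rsync_t.
rsync_is_confined() {
    [ "$(domain_of_ps_line "$1")" = "rsync_t" ]
}

# Read ps -eZ output on stdin and print the PID (second column) of every
# rsync process whose type is not rsync_t; prints nothing if all are confined.
unconfined_rsync_pids() {
    awk '$NF == "rsync" {
        split($1, ctx, ":")
        if (ctx[3] != "rsync_t") print $2
    }'
}

# Run the check against the live process table; return 1 if any rsync
# process is outside rsync_t (the state shown after a bare "rsync --daemon").
check_live_rsync() {
    bad=$(ps -eZ | unconfined_rsync_pids)
    if [ -n "$bad" ]; then
        echo "rsync running outside rsync_t, PID(s): $bad" >&2
        return 1
    fi
    echo "all rsync processes are in rsync_t"
}

# Demonstration on the constructed samples.
for line in "$SAMPLE_UNCONFINED" "$SAMPLE_CONFINED"; do
    if rsync_is_confined "$line"; then
        echo "confined   ($(domain_of_ps_line "$line")): $line"
    else
        echo "UNCONFINED ($(domain_of_ps_line "$line")): $line"
    fi
done

# Pass --live to inspect the real system instead of the samples.
if [ "${1:-}" = "--live" ]; then
    check_live_rsync
fi
```

Run it with --live after starting the daemon; a non-zero exit means a process named rsync is outside rsync_t and SELinux is not confining it, which is exactly the condition the ps -eZ output above illustrates.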
This example demonstrated how to get rsyncd running in the rsync_t domain. The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.
Running the rsync daemon on a non-default port
Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (i.e., before any file areas are defined). The new configuration file will look like:

log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 10000
[files]
path = /srv/files
comment = file area
read only = false
timeout = 300

After launching rsync with this configuration, SELinux denies the bind and setroubleshoot logs a message similar to the following:

Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages. run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
Use the semanage command to add TCP port 10000 to SELinux policy in rsync_port_t:

# semanage port -a -t rsync_port_t -p tcp 10000
Now that TCP port 10000 has been added to SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port:

# /etc/rc.d/init.d/rsyncd start
Starting rsyncd: [ OK ]
# netstat -lnp | grep 10000
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 9910/rsync
SELinux policy has been modified and now permits rsyncd to operate on TCP port 10000.
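The non-default port procedure above has two parts: put port = 10000 in the global section of /etc/rsyncd.conf, then add the port to rsync_port_t so that the bind is allowed. The following is an added example, not part of the guide, that scripts both in POSIX shell. add_rsync_port_to_conf() inserts or replaces the port line before the first [module] header, and port_in_rsync_port_t() reads a semanage port -l listing and tells whether a TCP port is already covered by rsync_port_t (single ports or ranges). The configuration and the port listing below are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): the two steps for a non-default port,
# scripted. add_rsync_port_to_conf() puts "port = N" into the global section
# of an rsyncd.conf (before the first [module] header), and
# port_in_rsync_port_t() checks a "semanage port -l" listing for a TCP port.
# The config and the port listing below are constructed sample data.

SAMPLE_CONF='log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
path = /srv/files
comment = file area
read only = false
timeout = 300'

# Constructed excerpt in the column layout that "semanage port -l" prints.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
rsync_port_t                   tcp      873
rsync_port_t                   udp      873'

# Insert or replace "port = PORT" in the global area of CONF, idempotently.
# The file is rewritten in place through cat so its inode, mode and SELinux
# label are preserved (mv of a temp file would carry the temp file's label).
add_rsync_port_to_conf() {
    conf=$1; port=$2
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        !done && /^[ \t]*port[ \t]*=/ { print "port = " port; done = 1; next }
        !done && /^[ \t]*\[/          { print "port = " port; done = 1 }
        { print }
        END { if (!done) print "port = " port }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Read a "semanage port -l" listing on stdin; exit 0 if PORT is covered by a
# tcp entry for rsync_port_t (single ports or ranges like 10000-10010).
port_in_rsync_port_t() {
    awk -v p="$1" '
        $1 == "rsync_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                if ($i == p) found = 1
                else if (split($i, r, "-") == 2 && p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Live helper: label PORT for rsync only when policy does not already cover it.
# "semanage port -a" fails if the port is already assigned to another type;
# that case needs "semanage port -m" (or a different port) and a human decision.
ensure_rsync_port() {
    if semanage port -l | port_in_rsync_port_t "$1"; then
        echo "tcp/$1 already in rsync_port_t"
    else
        semanage port -a -t rsync_port_t -p tcp "$1"
    fi
}

# Demonstration on the constructed data.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
add_rsync_port_to_conf "$demo_conf" 10000
add_rsync_port_to_conf "$demo_conf" 10000   # second run must not duplicate the line
echo "--- rsyncd.conf after adding the port ---"
cat "$demo_conf"
rm -f "$demo_conf"

for p in 873 10000; do
    if printf '%s\n' "$SAMPLE_PORT_LIST" | port_in_rsync_port_t "$p"; then
        echo "tcp/$p: already in rsync_port_t"
    else
        echo "tcp/$p: not in rsync_port_t, needs: semanage port -a -t rsync_port_t -p tcp $p"
    fi
done
```

On a real system, ensure_rsync_port 10000 performs the semanage step only when it is needed, and semanage port -l | grep rsync afterwards should list 10000 under rsync_port_t. The config rewrite deliberately keeps the same inode so /etc/rsyncd.conf retains its existing SELinux label; replacing the file with mv would give it the label of the temporary file instead.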