On Mon, Apr 15, 2019 at 5:53 AM Bill shirley bill@bigcdrugs.biz wrote:
I'm running rsync (over ssh) to backup files from servers with a later release Fedora (24, 27, and 28) to my server which is Fedora 22.
I know I'm not telling you anything you don't already know, but: security updates have ceased for Fedora 27 and earlier. Fedora 22 hasn't received security updates since summer 2017.
Since this is strictly for backups, I would like to allow rsync to set these unknown contexts. The AVC:
type=AVC msg=audit(1555319931.042:30687): avc: denied { mac_admin } for pid=7061 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Running:
grep rsync /var/log/audit/audit.log | audit2allow -m my_rsync > my_rsync.te
generates: module my_rsync 1.0; require { type unconfined_t; class capability2 mac_admin; } #============= unconfined_t ============== allow unconfined_t self:capability2 mac_admin;
This should work however I don't want to grant this to any program except rsync. I've looked the rsync booleans and tried "setsebool -P rsync_client 1" but it doesn't fix it. Searched the interwebs too.
The problem you're running into is that you are executing an rsync server as a regular user (via an ssh login), instead of starting an rsync server via, say, systemd.
By default, pam_selinux.so (which sshd calls) transitions all logins (via any mechanism, not just sshd) to unconfined_t:
$ semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 *
By design, a process running in unconfined_t has very few state transitions that permit it to transition out of unconfined_t.
I don't want to grant this to any program except rsync
That's not how SELinux works. A particular program can trigger a domain transition, but you don't grant capabilities to a program. You grant them to domains.
Probably the simplest thing you could do here would be something like this:
$ semanage login -a -s staff_u backup_account
With this mapping place, logging in to the server as the backup_account user will result in the login session having the staff_u:staff_r:staff_t context, instead of the unconfined_u:unconfined_r:unconfined_t context. That way, you can use staff_t in your custom SELinux policy module (above), instead of unconfined_t.
But beware: domains that are not unconfined_t are locked down much more heavily than unconfined_t is. You might find that while putting the account that is receiving the rsync-over-ssh into staff_t (or user_t) solves the immediate problem, it requires you to create all sorts of additional rules to permit the rsync server, running in staff_t or user_t, to do things that it could do without issue when it was running in the unconfined_t domain.