CentOS – Diagnosing rsync error output

centos rsync selinux

I have inherited a CentOS 6.5 system which is outputting multiple lines of errors when running an rsync. The rsync is syncing to a locally attached drive mounted as /storage. The command is:

rsync -aAXv /* /storage/backup/ --exclude={/dev/*,/proc/*,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found,/storage/*}

There are three different types of errors noted following # Error concern 1, # Error concern 2, # Error concern 3 in the output below:

rsync -aAXv /* /storage/backup/ --exclude={/dev/*,/proc/*,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found,/storage/*}
sending incremental file list
etc/cron.d/
root/
root/.bash_history
root/.viminfo
selinux/booleans/abrt_anon_write
selinux/booleans/abrt_handle_event
selinux/booleans/allow_console_login

[...]

# Error concern 1: There are probably 80 or more of these mkstemp errors, but I've shortened it:

rsync: mkstemp "/storage/backup/selinux/class/x_pointer/perms/.setfocus.0C5BYW" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_pointer/perms/.use.iRMquA" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_pointer/perms/.write.rHXg0d" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_property/.index.Zwc8vR" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_property/perms/.append.tTK01u" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_property/perms/.create.KGNUx8" failed: Permission denied (13)
rsync: mkstemp "/storage/backup/selinux/class/x_property/perms/.destroy.IiUP3L" failed: Permission denied (13)

[...]

# Error concern 2:

tmp/
rsync: rsync_xal_clear: lremovexattr("storage","security.selinux") failed: Permission denied (13)
var/cache/man/whatis    

[...]

# Error concern 3:

var/run/utmp
rsync: set_acl: sys_acl_set_file(var/run/cups/certs/0, ACL_TYPE_ACCESS): Operation not supported (95)
var/run/postgresql/.s.PGSQL.5432.lock

[...]

# Finishing output:

sent 4288406721 bytes  received 52199 bytes  86635533.74 bytes/sec
total size is 22337384552  speedup is 5.21
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1039) [sender=3.0.6]

Notes

The rsync seems to run normally until it hits a particular part of the /selinux directory with hidden files. When SELinux is set to permissive (setenforce 0), these errors do not occur, although # Error concern 2 and # Error concern 3 still occur.

The SELinux context of the /selinux directory and /storage directories is as follows:

drwxr-xr-x. root root system_u:object_r:security_t:s0  selinux
drwxr-xr-x. root root system_u:object_r:file_t:s0      storage
# /storage/backup directory
drwxr-xr-x. root root unconfined_u:object_r:public_content_t:s0 backup

So far for # Error concern 2 and # Error concern 3 I have no leads.

Please let me know if I'm missing anything. I am not as well acquainted with CentOS 6.5 as I am with 7 as I'm not aware why there is a /selinux directory off of /. I have a CentOS 7.2 server which is doing the same rsync to an attached storage drive without issues. Any help or suggestions would be greatly appreciated.

Update 1

I changed the SELinux context on /storage/backup to public_content_rw_t via:

semanage fcontext -a -t public_content_rw_t "/storage/backup(/.*)?"
restorecon -Rv /storage/backup

I'll run the rsync again soon and report if this has changed anything.

Update 2

I've run the rsync again with the new security context and I'm getting the same error results. I'm wondering if rsyncing the /selinux directory is really worth it, since the system should have /etc/selinux backed up anyway, which would have all of the contexts if the system needed to relabel itself. Can anyone chime in on this?

Update 3

I'm leaning toward not backing up the /selinux directory. The sestatus output shows these differences between CentOS 6.5 and CentOS 7.2:

CentOS 6.5
SELinux status:                    enabled
SELinuxfs mount:                   /selinux
Current mode:                      enforcing

CentOS 7.2
SELinux status:                    enabled
SELinuxfs mount:                   /sys/fs/selinux
SELinux root directory:            /etc/selinux
Loaded policy name:                targeted
Current mode:                      enforcing

From what I gather from this, the /selinux directory is being used as a mounting point for the SELinux filesystem? I wonder if this is the cause of the errors.

Best Answer

The difference between /selinux and /etc/selinux (in RHEL/CentOS 6) is that the former is a "pseudo filesystem for exporting the security policy API" (remember that Mandatory Access Control is kernel-enforced); whereas the latter "contains configuration files which are local to the machine".

You should not include the /selinux (or any other) pseudo filesystem when syncing.

There's a good Q/A on Unix & Linux about this subject, with very useful linked documentation.
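
One way to apply the advice above without hard-coding /selinux (CentOS 6) or /sys/fs/selinux (CentOS 7), as an added example that is not part of the original answer: derive the exclude patterns from the mount table. The function name `pseudo_excludes`, the `PSEUDO_FS_TYPES` list and the sample mount table are assumptions constructed for illustration; directories such as /tmp or /lost+found from the question's own list are not mounts and still need to be excluded by hand.

```shell
#!/bin/sh
# Added example: build rsync exclude patterns from the mount table so that
# pseudo filesystems (selinuxfs, proc, sysfs, ...) are never backed up.

# Filesystem types treated as pseudo/virtual. This list is an assumption:
# extend it to match what your own /proc/mounts shows.
PSEUDO_FS_TYPES="proc sysfs selinuxfs devtmpfs devpts tmpfs securityfs debugfs cgroup binfmt_misc rpc_pipefs"

# pseudo_excludes DEST_MOUNT
# Reads a mount table in /proc/mounts format on stdin and prints one exclude
# pattern per line: every pseudo filesystem mount point, then the backup
# destination itself so the backup does not recurse into its own output.
pseudo_excludes() {
    while read -r _dev mnt fstype _rest; do
        case " $PSEUDO_FS_TYPES " in
            *" $fstype "*) printf '%s/*\n' "$mnt" ;;
        esac
    done
    printf '%s/*\n' "${1%/}"
}

# Constructed sample in /proc/mounts format, modelled on the CentOS 6.5
# layout from the question (selinuxfs mounted at /selinux).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,relatime 0 0
devpts /dev/pts devpts rw,seclabel,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
none /selinux selinuxfs rw,relatime 0 0
/dev/sdb1 /storage ext4 rw,seclabel,relatime 0 0'

# Demonstration on the sample; prints the patterns, copies nothing.
printf '%s\n' "$SAMPLE_MOUNTS" | pseudo_excludes /storage

# On a real host, write the list to a file and pass it to rsync:
#   pseudo_excludes /storage < /proc/mounts > /root/backup.excludes
#   rsync -aAXv --exclude-from=/root/backup.excludes /* /storage/backup/
```

Nested mounts such as /dev/pts produce redundant patterns under /dev/*, which is harmless.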