Linux – Configure SElinux to allow rsync from a remote machine

Tags: linux, permissions, rsync, selinux

I've set up a Debian machine with SELinux and, except for rsync from a remote machine, everything works fine. I already created a module with additional rights using audit2allow, and now all errors in the audit log are gone. When I try to rsync to the machine, unfortunately, the connection is still not allowed. Setting SELinux to permissive, everything works as expected.

I'm not running rsync as a daemon, which generally seems to cause more problems according to problem reports in the net. rsync is simply in default Debian 7 configuration.

The remote rsync fails with this message:

user1@othermachine:~$ rsync -vv servermachine:/home/user1/some/file .
opening connection using: ssh servermachine rsync --server --sender -vve.Lsf . /home/user1/some/file 
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9]

This is what the rights for rsync look like:

root@host:~# ls -Z /usr/bin/rsync
system_u:object_r:rsync_exec_t:SystemLow /usr/bin/rsync

When I run remote rsync with the server in permissive mode, I see the process as follows:

root@host:~# ps aux|grep rsync
user1   22948  1.0  0.0  26680  5156 ?        Ds   11:08   0:00 rsync --server --sender -vlogDtpre.iLsf . /home/user1/some/file
root     22954  0.0  0.0  11292   924 pts/0    S+   11:09   0:00 grep rsync

root@host:~# ps -eZ | grep rsync
unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 22948 ? 00:00:00 rsync

scp, for example, works without problems with the same file. The additional rights that I already gave to rsync look like the following. I'm not sure if they're too generous or something, but they at least fixed the issues appearing in audit.log.

allow rsync_t user_home_t:file { read write getattr open };
allow rsync_t sshd_t:fifo_file { write read };
allow setfiles_t device_t:filesystem getattr;
allow setfiles_t devpts_t:filesystem getattr;
allow setfiles_t tmpfs_t:filesystem getattr;
allow setfiles_t sysfs_t:filesystem getattr;

So, what troubles me most is that I don't see any AVC entries, but it's still not working. Is there any way to increase verbosity? How is it possible that some rights are not granted, but there is no AVC entry? Secondly, I'm a bit surprised that I couldn't find any reference to the problem on the net, only issues with selinux/rsync running as a daemon. But I also wouldn't know what's so special about my configuration. So any further ideas about diagnostics on that would be welcome!

Best Answer

I ran into a similar problem with SELinux and MySQL. Running 'semodule -B -D' reset things to where I could see the remaining audit issues.
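The reason the question's audit log stays empty while access is still refused is that the reference policy carries dontaudit rules: denials they cover are enforced but never logged, so audit2allow has nothing to work from. The script below is an added example, not code from the question or the answer. It wraps the answer's `semodule -DB` step and the usual follow-up commands (ausearch, audit2allow, semodule -i) from the standard SELinux userland in two shell functions that are only meant to be run on the SELinux host, and it includes a small awk helper that turns one AVC line into the allow rule audit2allow would produce, so the mapping between a denial and a rule can be checked on any machine. The AVC line is constructed for illustration (the poster's log showed no such entry), and the module name local_rsync is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the policycoreutils /
# audit tools (semodule, ausearch, audit2allow). Module name local_rsync is
# an arbitrary choice.

# Constructed AVC line of the kind that only becomes visible after dontaudit
# rules are disabled. Contexts mirror the ps -eZ output in the question.
SAMPLE_AVC='type=AVC msg=audit(1388000000.123:4567): avc:  denied  { read } for  pid=22948 comm="rsync" name="file" dev="sda1" ino=12345 scontext=unconfined_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Map one AVC denial line to the allow rule audit2allow would emit for it:
# source type from scontext, target type from tcontext, class from tclass,
# and the permission set between the braces. Pure awk, so it runs anywhere.
avc_to_allow() {
    printf '%s\n' "$1" | awk '{
        perms = ""; inperms = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperms = 1; continue }
            if ($i == "}") { inperms = 0; continue }
            if (inperms) { perms = perms (perms == "" ? "" : " ") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], s, ":"); src = s[3] }
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); tgt = t[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# Step 1 (the accepted answer): -D drops dontaudit rules, -B rebuilds and
# loads the policy. Reproduce the remote rsync afterwards, then list what
# the rsync process was denied. Run only on the SELinux host.
show_hidden_denials() {
    semodule -DB
    echo "now re-run the remote rsync, then press Enter" && read _dummy
    ausearch -m avc -ts recent -c rsync
}

# Step 2: build a local module from the recorded rsync denials, install it,
# and rebuild once more without -D so dontaudit rules are back in force and
# the audit log is not flooded by the noise they normally suppress.
build_local_module() {
    ausearch -m avc -ts recent -c rsync | audit2allow -M local_rsync
    semodule -i local_rsync.pp
    semodule -B
}

# Offline demonstration of the denial-to-rule mapping.
avc_to_allow "$SAMPLE_AVC"
```

audit2allow -M also writes local_rsync.te next to the .pp; read it before `semodule -i`, since the tool allows exactly what was denied and says nothing about whether that access is appropriate for a confined rsync_t domain.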

Original question is here.