1rsync_selinux(8) SELinux Policy rsync rsync_selinux(8)
2
3
4
6 rsync_selinux - Security Enhanced Linux Policy for the rsync processes
7
9 Security-Enhanced Linux secures the rsync processes via flexible manda‐
10 tory access control.
11
12 The rsync processes execute with the rsync_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep rsync_t
19
20
21
23 The rsync_t SELinux type can be entered via the rsync_exec_t file type.
24
25 The default entrypoint paths for the rsync_t domain are the following:
26
27 /usr/bin/rsync
28
30 SELinux defines process types (domains) for each process running on the
31 system
32
33 You can see the context of a process using the -Z option to ps
34
35 Policy governs the access confined processes have to files. SELinux
36 rsync policy is very flexible allowing users to setup their rsync pro‐
37 cesses in as secure a method as possible.
38
39 The following process types are defined for rsync:
40
41 rsync_t
42
43 Note: semanage permissive -a rsync_t can be used to make the process
44 type rsync_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
48
50 SELinux policy is customizable based on least access required. rsync
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run rsync with the tightest access possible.
53
54
55
56 If you want to allow rsync to run as a client, you must turn on the
57 rsync_client boolean. Disabled by default.
58
59 setsebool -P rsync_client 1
60
61
62
63 If you want to allow rsync to export any files/directories read only,
64 you must turn on the rsync_export_all_ro boolean. Disabled by default.
65
66 setsebool -P rsync_export_all_ro 1
67
68
69
70 If you want to allow rsync server to manage all files/directories on
71 the system, you must turn on the rsync_full_access boolean. Disabled by
72 default.
73
74 setsebool -P rsync_full_access 1
75
76
77
78 If you want to allow users to resolve user passwd entries directly from
79 ldap rather then using a sssd server, you must turn on the authlo‐
80 gin_nsswitch_use_ldap boolean. Disabled by default.
81
82 setsebool -P authlogin_nsswitch_use_ldap 1
83
84
85
86 If you want to deny any process from ptracing or debugging any other
87 processes, you must turn on the deny_ptrace boolean. Enabled by
88 default.
89
90 setsebool -P deny_ptrace 1
91
92
93
94 If you want to allow any process to mmap any file on system with
95 attribute file_type, you must turn on the domain_can_mmap_files bool‐
96 ean. Enabled by default.
97
98 setsebool -P domain_can_mmap_files 1
99
100
101
102 If you want to allow all domains write to kmsg_device, while kernel is
103 executed with systemd.log_target=kmsg parameter, you must turn on the
104 domain_can_write_kmsg boolean. Disabled by default.
105
106 setsebool -P domain_can_write_kmsg 1
107
108
109
110 If you want to allow all domains to use other domains file descriptors,
111 you must turn on the domain_fd_use boolean. Enabled by default.
112
113 setsebool -P domain_fd_use 1
114
115
116
117 If you want to allow all domains to have the kernel load modules, you
118 must turn on the domain_kernel_load_modules boolean. Disabled by
119 default.
120
121 setsebool -P domain_kernel_load_modules 1
122
123
124
125 If you want to allow all domains to execute in fips_mode, you must turn
126 on the fips_mode boolean. Enabled by default.
127
128 setsebool -P fips_mode 1
129
130
131
132 If you want to enable reading of urandom for all domains, you must turn
133 on the global_ssp boolean. Disabled by default.
134
135 setsebool -P global_ssp 1
136
137
138
139 If you want to allow confined applications to run with kerberos, you
140 must turn on the kerberos_enabled boolean. Enabled by default.
141
142 setsebool -P kerberos_enabled 1
143
144
145
146 If you want to allow system to run with NIS, you must turn on the
147 nis_enabled boolean. Disabled by default.
148
149 setsebool -P nis_enabled 1
150
151
152
153 If you want to allow confined applications to use nscd shared memory,
154 you must turn on the nscd_use_shm boolean. Disabled by default.
155
156 setsebool -P nscd_use_shm 1
157
158
159
160 If you want to support ecryptfs home directories, you must turn on the
161 use_ecryptfs_home_dirs boolean. Disabled by default.
162
163 setsebool -P use_ecryptfs_home_dirs 1
164
165
166
167 If you want to support fusefs home directories, you must turn on the
168 use_fusefs_home_dirs boolean. Disabled by default.
169
170 setsebool -P use_fusefs_home_dirs 1
171
172
173
174 If you want to support NFS home directories, you must turn on the
175 use_nfs_home_dirs boolean. Disabled by default.
176
177 setsebool -P use_nfs_home_dirs 1
178
179
180
181 If you want to support SAMBA home directories, you must turn on the
182 use_samba_home_dirs boolean. Disabled by default.
183
184 setsebool -P use_samba_home_dirs 1
185
186
187
189 SELinux defines port types to represent TCP and UDP ports.
190
191 You can see the types associated with a port by using the following
192 command:
193
194 semanage port -l
195
196
197 Policy governs the access confined processes have to these ports.
198 SELinux rsync policy is very flexible allowing users to setup their
199 rsync processes in as secure a method as possible.
200
201 The following port types are defined for rsync:
202
203
204 rsync_port_t
205
206
207
208 Default Defined Ports:
209 tcp 873
210 udp 873
211
213 The SELinux process type rsync_t can manage files labeled with the fol‐
214 lowing file types. The paths listed are the default paths for these
215 file types. Note the processes UID still need to have DAC permissions.
216
217 cifs_t
218
219
220 non_auth_file_type
221
222
223
225 SELinux requires files to have an extended attribute to define the file
226 type.
227
228 You can see the context of a file using the -Z option to ls
229
230 Policy governs the access confined processes have to these files.
231 SELinux rsync policy is very flexible allowing users to setup their
232 rsync processes in as secure a method as possible.
233
234 STANDARD FILE CONTEXT
235
236 SELinux defines the file context types for the rsync, if you wanted to
237 store files with these types in a diffent paths, you need to execute
238 the semanage command to sepecify alternate labeling and then use
239 restorecon to put the labels on disk.
240
241 semanage fcontext -a -t rsync_var_run_t '/srv/myrsync_content(/.*)?'
242 restorecon -R -v /srv/myrsync_content
243
244 Note: SELinux often uses regular expressions to specify labels that
245 match multiple files.
246
247 The following file types are defined for rsync:
248
249
250
251 rsync_data_t
252
253 - Set files with the rsync_data_t type, if you want to treat the files
254 as rsync content.
255
256
257
258 rsync_etc_t
259
260 - Set files with the rsync_etc_t type, if you want to store rsync files
261 in the /etc directories.
262
263
264
265 rsync_exec_t
266
267 - Set files with the rsync_exec_t type, if you want to transition an
268 executable to the rsync_t domain.
269
270
271
272 rsync_log_t
273
274 - Set files with the rsync_log_t type, if you want to treat the data as
275 rsync log data, usually stored under the /var/log directory.
276
277
278
279 rsync_tmp_t
280
281 - Set files with the rsync_tmp_t type, if you want to store rsync tem‐
282 porary files in the /tmp directories.
283
284
285
286 rsync_var_run_t
287
288 - Set files with the rsync_var_run_t type, if you want to store the
289 rsync files under the /run or /var/run directory.
290
291
292 Paths:
293 /var/run/rsyncd.lock, /var/run/swift_server.lock
294
295
296 Note: File context can be temporarily modified with the chcon command.
297 If you want to permanently change the file context you need to use the
298 semanage fcontext command. This will modify the SELinux labeling data‐
299 base. You will need to use restorecon to apply the labels.
300
301
303 If you want to share files with multiple domains (Apache, FTP, rsync,
304 Samba), you can set a file context of public_content_t and public_con‐
305 tent_rw_t. These context allow any of the above domains to read the
306 content. If you want a particular domain to write to the public_con‐
307 tent_rw_t domain, you must set the appropriate boolean.
308
309 Allow rsync servers to read the /var/rsync directory by adding the pub‐
310 lic_content_t file type to the directory and by restoring the file
311 type.
312
313 semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
314 restorecon -F -R -v /var/rsync
315
316 Allow rsync servers to read and write /var/rsync/incoming by adding the
317 public_content_rw_t type to the directory and by restoring the file
318 type. You also need to turn on the rsync_anon_write boolean.
319
320 semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
321 restorecon -F -R -v /var/rsync/incoming
322 setsebool -P rsync_anon_write 1
323
324
325 If you want to allow rsync to modify public files used for public file
326 transfer services. Files/Directories must be labeled public_con‐
327 tent_rw_t., you must turn on the rsync_anon_write boolean.
328
329 setsebool -P rsync_anon_write 1
330
331
333 semanage fcontext can also be used to manipulate default file context
334 mappings.
335
336 semanage permissive can also be used to manipulate whether or not a
337 process type is permissive.
338
339 semanage module can also be used to enable/disable/install/remove pol‐
340 icy modules.
341
342 semanage port can also be used to manipulate the port definitions
343
344 semanage boolean can also be used to manipulate the booleans
345
346
347 system-config-selinux is a GUI tool available to customize SELinux pol‐
348 icy settings.
349
350
352 This manual page was auto-generated using sepolicy manpage .
353
354
356 selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
357 , setsebool(8)
358
359
360
361rsync 19-04-25 rsync_selinux(8)