rsync_selinux(8)            SELinux Policy rsync            rsync_selinux(8)

NAME
       rsync_selinux - Security Enhanced Linux Policy for the rsync processes

DESCRIPTION
       Security-Enhanced Linux secures the rsync processes via flexible
       mandatory access control.

       The rsync processes execute with the rsync_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

              ps -eZ | grep rsync_t

ENTRYPOINTS
       The rsync_t SELinux type can be entered via the rsync_exec_t file type.

       The default entrypoint paths for the rsync_t domain are the following:

              /usr/bin/rsync

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       rsync policy is very flexible, allowing users to set up their rsync
       processes in as secure a method as possible.

       The following process types are defined for rsync:

              rsync_t

       Note: semanage permissive -a rsync_t can be used to make the process
       type rsync_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS
       SELinux policy is customizable based on least access required. rsync
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run rsync with the tightest access possible.

       If you want to allow rsync to run as a client, you must turn on the
       rsync_client boolean. Disabled by default.

              setsebool -P rsync_client 1

       If you want to allow rsync to export any files/directories read only,
       you must turn on the rsync_export_all_ro boolean. Disabled by default.

              setsebool -P rsync_export_all_ro 1

       If you want to allow the rsync server to manage all files/directories
       on the system, you must turn on the rsync_full_access boolean. Disabled
       by default.

              setsebool -P rsync_full_access 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

              setsebool -P nscd_use_shm 1

PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux rsync policy is very flexible, allowing users to set up their
       rsync processes in as secure a method as possible.

       The following port types are defined for rsync:

              rsync_port_t

       Default Defined Ports:
              tcp 873
              udp 873

MANAGED FILES
       The SELinux process type rsync_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/corosync.pid
              /var/run/cpglockd.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       ecryptfs_t

              /home/[^/]+/.Private(/.*)?
              /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

              /var/run/user/[^/]*/gvfs

       modules_object_t

              /lib/modules(/.*)?
              /usr/lib/modules(/.*)?

       nfs_t

       non_auth_file_type

       public_content_rw_t

              /var/spool/abrt-upload(/.*)?

       root_t

              /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
              /
              /initrd

       rsync_data_t

       rsync_log_t

              /var/log/rsync.*

       rsync_tmp_t

       rsync_var_run_t

              /var/run/rsyncd.lock
              /var/run/swift_server.lock

       semanage_store_t

              /etc/selinux/([^/]*/)?policy(/.*)?
              /etc/selinux/(minimum|mls|targeted)/active(/.*)?
              /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?
              /var/lib/selinux(/.*)?
              /etc/share/selinux/mls(/.*)?
              /etc/share/selinux/targeted(/.*)?

       swift_data_t

              /srv/node(/.*)?
              /var/lib/swift(/.*)?
              /srv/loopback-device(/.*)?

       swift_lock_t

              /var/lock/swift.*

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux rsync policy is very flexible, allowing users to set up their
       rsync processes in as secure a method as possible.

   STANDARD FILE CONTEXT
       SELinux defines the file context types for rsync. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

              semanage fcontext -a -t rsync_var_run_t '/srv/myrsync_content(/.*)?'
              restorecon -R -v /srv/myrsync_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for rsync:

       rsync_data_t

       - Set files with the rsync_data_t type, if you want to treat the files
       as rsync content.

       rsync_etc_t

       - Set files with the rsync_etc_t type, if you want to store rsync files
       in the /etc directories.

       rsync_exec_t

       - Set files with the rsync_exec_t type, if you want to transition an
       executable to the rsync_t domain.

       rsync_log_t

       - Set files with the rsync_log_t type, if you want to treat the data as
       rsync log data, usually stored under the /var/log directory.

       rsync_tmp_t

       - Set files with the rsync_tmp_t type, if you want to store rsync
       temporary files in the /tmp directories.

       rsync_var_run_t

       - Set files with the rsync_var_run_t type, if you want to store the
       rsync files under the /run or /var/run directory.

       Paths:
              /var/run/rsyncd.lock, /var/run/swift_server.lock

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

SHARING FILES
       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files of
       the public_content_rw_t type, you must set the appropriate boolean.

       Allow rsync servers to read the /var/rsync directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

              semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
              restorecon -F -R -v /var/rsync

       Allow rsync servers to read and write /var/rsync/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the rsync_anon_write boolean.

              semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
              restorecon -F -R -v /var/rsync/incoming
              setsebool -P rsync_anon_write 1

       If you want to allow rsync to modify public files used for public file
       transfer services (files/directories must be labeled
       public_content_rw_t), you must turn on the rsync_anon_write boolean.

              setsebool -P rsync_anon_write 1

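       The following script is an added example, not part of this man page or
       of the sepolicy tool. It audits the two knobs the booleans and the
       sharing sections above put under operator control: it reads
       getsebool(8)-style lines and a directory context and reports which
       access-widening rsync booleans are on and what an rsync server may do
       with an export directory under the rules stated on this page. The
       sample getsebool lines and contexts are constructed.

```sh
#!/bin/sh
# Added example, not from the rsync_selinux man page or the sepolicy tool.
# Audits the rsync booleans and the label on an export directory offline,
# using the boolean names and file types documented on this page.
# Booleans that widen what rsync_t may reach, broadest first.
WIDENING_BOOLEANS="rsync_full_access rsync_export_all_ro rsync_anon_write rsync_client"

# audit_rsync_booleans: read "name --> on|off" lines (the format printed by
# `getsebool -a`) on stdin, print each widening boolean that is on, and
# return 1 if any is on, 0 otherwise.
audit_rsync_booleans() {
    found=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        for b in $WIDENING_BOOLEANS; do
            if [ "$name" = "$b" ] && [ "$state" = "on" ]; then
                printf '%s\n' "$name"
                found=1
            fi
        done
    done
    return "$found"
}

# export_access: given a file context such as system_u:object_r:public_content_t:s0
# and the on/off state of rsync_full_access, rsync_export_all_ro and rsync_anon_write,
# print what an rsync server may do with that directory: rw, ro, or none.
export_access() {
    ltype=$(printf '%s' "$1" | cut -d: -f3)
    full_access=$2; export_all_ro=$3; anon_write=$4
    if [ "$full_access" = "on" ]; then echo rw; return 0; fi
    case "$ltype" in
        rsync_data_t) echo rw ;;    # among the file types rsync_t can manage
        public_content_rw_t)
            if [ "$anon_write" = "on" ]; then echo rw; else echo ro; fi ;;
        public_content_t) echo ro ;;
        *) if [ "$export_all_ro" = "on" ]; then echo ro; else echo none; fi ;;
    esac
}

# Constructed sample: a host where the broadest boolean has been switched on.
SAMPLE='rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> on
httpd_enable_cgi --> on'

printf '%s\n' "$SAMPLE" | audit_rsync_booleans || echo "rsync policy widened above the default"
export_access system_u:object_r:public_content_rw_t:s0 off off off   # prints ro
```

       On a live host, feed `getsebool -a` and `ls -dZ` output into the two
       functions instead of the constructed sample.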
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

rsync                              19-12-02                    rsync_selinux(8)