rsync_selinux(8)             SELinux Policy rsync             rsync_selinux(8)


NAME

       rsync_selinux - Security Enhanced Linux Policy for the rsync processes

DESCRIPTION

       Security-Enhanced Linux secures the rsync processes via flexible
       mandatory access control.

       The rsync processes execute with the rsync_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep rsync_t

ENTRYPOINTS

       The rsync_t SELinux type can be entered via the rsync_exec_t file type.

       The default entrypoint paths for the rsync_t domain are the following:

       /usr/bin/rsync

PROCESS TYPES

       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       rsync policy is very flexible, allowing users to set up their rsync
       processes in as secure a method as possible.

       The following process types are defined for rsync:

       rsync_t

       Note: semanage permissive -a rsync_t can be used to make the process
       type rsync_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. rsync
       policy is extremely flexible and has several booleans that allow you
       to manipulate the policy and run rsync with the tightest access
       possible.

       If you want to allow rsync to run as a client, you must turn on the
       rsync_client boolean. Disabled by default.

       setsebool -P rsync_client 1

       If you want to allow rsync to export any files/directories read only,
       you must turn on the rsync_export_all_ro boolean. Disabled by default.

       setsebool -P rsync_export_all_ro 1

       If you want to allow the rsync server to manage all files/directories
       on the system, you must turn on the rsync_full_access boolean.
       Disabled by default.

       setsebool -P rsync_full_access 1

       If you want to allow rsync the sys_admin capability, which is required
       to restore files with extended attributes in the "trusted" namespace,
       you must turn on the rsync_sys_admin boolean. Disabled by default.

       setsebool -P rsync_sys_admin 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1
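
       The following is an added example, not part of the generated man page
       or of the rsync policy itself: a POSIX shell function that reads
       `getsebool -a` output and reports every boolean listed above whose
       value differs from the documented default (rsync_client,
       rsync_export_all_ro, rsync_full_access and rsync_sys_admin off,
       fips_mode on). The embedded getsebool output is constructed, and
       rsync_anon_write is left out because the page does not state its
       default.

```shell
#!/bin/sh
# Added example (not from the man page): report rsync-related SELinux
# booleans that have drifted from the defaults documented in
# rsync_selinux(8). Usage on a live system:  getsebool -a | rsync_boolean_drift

# Documented defaults as name:expected pairs. rsync_anon_write is omitted
# because the page does not state its default.
RSYNC_BOOLEAN_DEFAULTS="rsync_client:off rsync_export_all_ro:off"
RSYNC_BOOLEAN_DEFAULTS="$RSYNC_BOOLEAN_DEFAULTS rsync_full_access:off rsync_sys_admin:off fips_mode:on"

# Constructed sample of `getsebool -a` output (not captured from a real
# host): rsync_export_all_ro has been switched on, everything else is stock.
SAMPLE_GETSEBOOL='rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> on
rsync_full_access --> off
rsync_sys_admin --> off
fips_mode --> on'

# Reads "name --> on|off" lines on stdin. Prints "name current expected"
# for each documented boolean whose value differs from the default (or is
# absent, reported as "missing"). Returns 1 if any drift was found, else 0.
rsync_boolean_drift() {
    input=$(cat)
    found=0
    for pair in $RSYNC_BOOLEAN_DEFAULTS; do
        name=${pair%%:*}
        expected=${pair#*:}
        # Pull the current value of exactly this boolean out of the input.
        actual=$(printf '%s\n' "$input" |
            sed -n "s/^$name --> \([a-z]*\)\$/\1/p")
        [ -n "$actual" ] || actual=missing
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$actual" "$expected"
            found=1
        fi
    done
    return $found
}
```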

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux rsync policy is very flexible, allowing users to set up their
       rsync processes in as secure a method as possible.

       The following port types are defined for rsync:

       rsync_port_t

       Default Defined Ports:
                 tcp 873
                 udp 873

MANAGED FILES

       The SELinux process type rsync_t can manage files labeled with the
       following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have
       DAC permissions.

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[0-9]+/gvfs

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       nfs_t

       non_auth_file_type

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       rsync_log_t

            /var/log/rsync.*

       rsync_tmp_t

       rsync_var_run_t

            /var/run/rsyncd.lock
            /var/run/swift_server.lock

       swift_data_t

            /srv/node(/.*)?
            /var/lib/swift(/.*)?
            /srv/loopback-device(/.*)?

       swift_lock_t

            /var/lock/swift.*

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux rsync policy is very flexible, allowing users to set up their
       rsync processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for rsync. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t rsync_var_run_t '/srv/myrsync_content(/.*)?'
       restorecon -R -v /srv/myrsync_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for rsync:

       rsync_data_t

       - Set files with the rsync_data_t type, if you want to treat the
       files as rsync content.

       rsync_etc_t

       - Set files with the rsync_etc_t type, if you want to store rsync
       files in the /etc directories.

       rsync_exec_t

       - Set files with the rsync_exec_t type, if you want to transition an
       executable to the rsync_t domain.

       rsync_log_t

       - Set files with the rsync_log_t type, if you want to treat the data
       as rsync log data, usually stored under the /var/log directory.

       rsync_tmp_t

       - Set files with the rsync_tmp_t type, if you want to store rsync
       temporary files in the /tmp directories.

       rsync_var_run_t

       - Set files with the rsync_var_run_t type, if you want to store the
       rsync files under the /run or /var/run directory.

       Paths:
            /var/run/rsyncd.lock, /var/run/swift_server.lock

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use
       the semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to
       public_content_rw_t content, you must set the appropriate boolean.

       Allow rsync servers to read the /var/rsync directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"
       restorecon -F -R -v /var/rsync

       Allow rsync servers to read and write /var/rsync/incoming by adding
       the public_content_rw_t type to the directory and by restoring the
       file type. You also need to turn on the rsync_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?"
       restorecon -F -R -v /var/rsync/incoming
       setsebool -P rsync_anon_write 1

       If you want to allow rsync to modify public files used for public file
       transfer services (files and directories must be labeled
       public_content_rw_t), you must turn on the rsync_anon_write boolean.

       setsebool -P rsync_anon_write 1
320
321
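
       The following is an added example for the FILE CONTEXTS and SHARING
       FILES sections, not part of the generated man page or of the rsync
       policy itself. After relabeling /var/rsync with semanage fcontext and
       restorecon as shown above, this POSIX shell function reads the output
       of `find /var/rsync -printf '%Z %p\n'` (GNU find prints the SELinux
       context for %Z) and flags entries whose type is not the one those
       sections prescribe: public_content_rw_t under /var/rsync/incoming,
       public_content_t elsewhere under /var/rsync. The share layout follows
       the man page's example and the embedded listing is constructed.

```shell
#!/bin/sh
# Added example (not from the man page): verify that an rsync share carries
# the labels the SHARING FILES section prescribes. Feed it GNU find output:
#   find /var/rsync -printf '%Z %p\n' | rsync_label_drift

# Expected type for a path, following the man page's own example layout:
# /var/rsync/incoming (read/write drop box) -> public_content_rw_t,
# everything else under /var/rsync (read-only export) -> public_content_t.
# Paths outside the share yield an empty string and are skipped.
expected_rsync_label() {
    case "$1" in
        /var/rsync/incoming|/var/rsync/incoming/*) echo public_content_rw_t ;;
        /var/rsync|/var/rsync/*) echo public_content_t ;;
        *) echo "" ;;
    esac
}

# Reads "user:role:type:level path" lines on stdin and prints
# "path actual_type expected_type" for every mislabeled entry.
# Returns 1 if anything is mislabeled, 0 if the share is clean.
rsync_label_drift() {
    found=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        expected=$(expected_rsync_label "$path")
        [ -n "$expected" ] || continue
        # The SELinux type is the third colon-separated field of the context.
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$expected"
            found=1
        fi
    done
    return $found
}

# Constructed listing (not captured from a real host): one file copied in
# without restorecon kept var_t, and one upload landed as read-only content.
SAMPLE_FIND_Z='system_u:object_r:public_content_t:s0 /var/rsync
system_u:object_r:public_content_t:s0 /var/rsync/README
unconfined_u:object_r:var_t:s0 /var/rsync/site.tar
system_u:object_r:public_content_rw_t:s0 /var/rsync/incoming
system_u:object_r:public_content_t:s0 /var/rsync/incoming/upload.bin'
```

       A non-empty report after a relabel usually means restorecon was not
       run recursively or files were created after it, since chcon-only
       changes and copies that bypass the file context database do not
       pick up the semanage mapping.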

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), rsync(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



rsync                              23-02-03                   rsync_selinux(8)