11.4. Configuration Examples
11.4.1. Rsync as a daemon
When using Red Hat Enterprise Linux, rsync can be used as a daemon, so that multiple clients can communicate directly with it as a central server that houses centralized files and keeps them synchronized. The following example demonstrates running rsync as a daemon over a network socket in the correct domain, and how SELinux expects this daemon to run on a TCP port pre-defined in SELinux policy. The example then shows how to modify SELinux policy to allow the rsync daemon to run normally on a non-standard port.
This example is performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. See the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Procedure 11.1. Getting rsync to launch as rsync_t
- Run the getenforce command to confirm SELinux is running in enforcing mode:

      ~]$ getenforce
      Enforcing

  The getenforce command returns Enforcing when SELinux is running in enforcing mode.
- Run the which command to confirm that the rsync binary is in the system path:

      ~]$ which rsync
      /usr/bin/rsync
- When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available; rather, it is just enough to demonstrate the rsync daemon:

      log file = /var/log/rsync.log
      pid file = /var/run/rsyncd.pid
      lock file = /var/run/rsync.lock

      [files]
      path = /srv/files
      comment = file area
      read only = false
      timeout = 300
- Now that a simple configuration file exists for rsync to operate in daemon mode, this step demonstrates that simply running the rsync --daemon command is not sufficient for SELinux to offer its protection over rsync. See the following output:

      ~]# rsync --daemon
      ~]# ps x | grep rsync
      8231 ?        Ss     0:00 rsync --daemon
      8233 pts/3    S+     0:00 grep rsync
      ~]# ps -eZ | grep rsync
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync

  Note that in the output from the final ps command, the context shows the rsync daemon running in the unconfined_t domain. This indicates that rsync has not transitioned to the rsync_t domain, because it was launched by the rsync --daemon command. At this point, SELinux cannot enforce its rules and policy over this daemon. The following steps show how to fix this problem: rsync transitions to the rsync_t domain when it is launched from a properly-labeled init script, and only then can SELinux and its protection mechanisms have an effect over rsync. This rsync process should be killed before proceeding to the next step.
- A custom init script for rsync is needed for this step. Save the following to /etc/rc.d/init.d/rsyncd:

      #!/bin/bash
      # Source function library.
      . /etc/rc.d/init.d/functions

      [ -f /usr/bin/rsync ] || exit 0

      case "$1" in
          start)
              action "Starting rsyncd: " /usr/bin/rsync --daemon
              ;;
          stop)
              action "Stopping rsyncd: " killall rsync
              ;;
          *)
              echo "Usage: rsyncd {start|stop}"
              exit 1
      esac
      exit 0
  The following steps show how to label this script as initrc_exec_t:
  - Run the semanage command to add a context mapping for /etc/rc.d/init.d/rsyncd:

        ~]# semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"

  - This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

        ~]# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local
        /etc/rc.d/init.d/rsyncd    system_u:object_r:initrc_exec_t:s0

  - Now use the restorecon command to apply this context mapping to the running system:

        ~]# restorecon -R -v /etc/rc.d/init.d/rsyncd

  - Run the ls -lZ command to confirm the script has been labeled appropriately. Note that in the following output, the script has been labeled as initrc_exec_t:

        ~]$ ls -lZ /etc/rc.d/init.d/rsyncd
        -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd
- Turn on the rsync_server SELinux boolean:

      ~]# setsebool rsync_server on

  Note that this setting is not permanent and as such, it will revert to its original state after a reboot. To make the setting permanent, use the -P option with the setsebool command.
- Launch rsyncd via the new script. Now that rsync has started from an init script that has been appropriately labeled, the process has started as rsync_t:

      ~]# service rsyncd start
      Starting rsyncd:                                           [  OK  ]
      $ ps -eZ | grep rsync
      unconfined_u:system_r:rsync_t:s0 9794 ? 00:00:00 rsync

  SELinux can now enforce its protection mechanisms over the rsync daemon as it is now running in the rsync_t domain.
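The ps -eZ check that Procedure 11.1 repeats before and after the init-script fix, turned into a small POSIX sh script. This is an added example and not part of the Red Hat guide; it relies only on the ps -eZ line layout shown above (context, PID, TTY, TIME, CMD), and the PS_BEFORE and PS_AFTER samples are constructed from the outputs in the procedure. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat guide): confirm which SELinux domain
# a daemon runs in, using the "ps -eZ" line layout shown in Procedure 11.1:
#   <user:role:type:range> <PID> <TTY> <TIME> <CMD>

# Print the type (third colon-separated field) of an SELinux context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Find the process whose CMD column is $2 in ps -eZ output ($1) and compare
# its type with $3. Returns 0 if it runs as the wanted type, 1 if it runs as
# some other type (e.g. unconfined_t after "rsync --daemon"), 2 if no such
# process is listed.
check_daemon_type() {
    ps_out=$1; name=$2; want=$3
    line=$(printf '%s\n' "$ps_out" | awk -v n="$name" '$5 == n { print; exit }')
    [ -n "$line" ] || return 2
    have=$(context_type "${line%% *}")   # first field is the context
    [ "$have" = "$want" ] && return 0
    return 1
}

# Human-readable verdict for the same check.
describe_daemon_type() {
    check_daemon_type "$1" "$2" "$3" && { echo "$2 is confined as $3"; return 0; }
    case $? in
        1) echo "$2 is running but NOT as $3 (check how it was launched)" ;;
        *) echo "$2 is not running" ;;
    esac
}

# Constructed samples, modelled on the outputs shown in the procedure.
PS_BEFORE='LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ?        00:00:00 rsync
system_u:system_r:sshd_t:s0-s0:c0.c1023 1120 ?        00:00:00 sshd'

PS_AFTER='LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:rsync_t:s0 9794 ?        00:00:00 rsync'

# Stand-alone run: report both samples, then the live system if ps supports -Z.
describe_daemon_type "$PS_BEFORE" rsync rsync_t   # started with "rsync --daemon"
describe_daemon_type "$PS_AFTER"  rsync rsync_t   # started via the labeled init script
if live=$(ps -eZ 2>/dev/null); then
    describe_daemon_type "$live" rsync rsync_t
fi
```

The CMD column is matched exactly, so the grep process that shows up in the procedure's own ps x output is never mistaken for the daemon; the three distinct return codes let a monitoring script tell "wrong domain" apart from "not running".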
This example demonstrated how to get rsyncd running in the rsync_t domain. The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.
Procedure 11.2. Running the rsync daemon on a non-default port
- Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (that is, before any file areas are defined). The new configuration file will look like:

      log file = /var/log/rsyncd.log
      pid file = /var/run/rsyncd.pid
      lock file = /var/run/rsync.lock
      port = 10000

      [files]
      path = /srv/files
      comment = file area
      read only = false
      timeout = 300

- After launching rsync from the init script with this new setting, a denial similar to the following is logged by SELinux:

      Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
- Run semanage to add TCP port 10000 to SELinux policy in rsync_port_t:

      ~]# semanage port -a -t rsync_port_t -p tcp 10000

- Now that TCP port 10000 has been added to SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port:

      ~]# service rsyncd start
      Starting rsyncd:                                           [  OK  ]

      ~]# netstat -lnp | grep 10000
      tcp        0      0 0.0.0.0:10000     0.0.0.0:*      LISTEN      9910/rsync

SELinux has had its policy modified and is now permitting rsyncd to operate on TCP port 10000.
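The three checks Procedure 11.2 turns on (the port line must sit in the global area of rsyncd.conf, the setroubleshoot denial names the domain and port, and the port must be labeled rsync_port_t before rsyncd can bind it), scripted in POSIX sh. This is an added example, not part of the Red Hat guide. The config text, the denial line and the semanage port -l style listings are constructed samples modelled on the procedure's output; the fallback to 873 when no port line is present is rsync's standard daemon port, and the semanage port -m form is the variant used when a port already carries a different label, so that -a would be refused. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat guide): scripted versions of the
# checks behind Procedure 11.2. All inputs are constructed samples modelled
# on the outputs shown in the procedure.

# Print the global "port" value from rsyncd.conf text ($1). A port line that
# appears after the first [module] header is reported as "misplaced:<port>",
# because the procedure requires it in the global area. With no port line,
# rsync's standard daemon port 873 is assumed.
rsyncd_global_port() {
    port=$(printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { in_module = 1 }
        $1 ~ /^[ \t]*port[ \t]*$/ {
            gsub(/[ \t]/, "", $2)
            if (in_module) { print "misplaced:" $2 } else { print $2 }
            exit
        }')
    printf '%s\n' "${port:-873}"
}

# Extract "<domain> <port>" from a setroubleshoot bind denial line ($1).
denial_domain_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*preventing .*(\([a-z_]*\)) from binding to port \([0-9]*\).*/\1 \2/p'
}

# Print the SELinux port type covering TCP port $2 in "semanage port -l"
# style output ($1); prints nothing if the port is not labeled. Handles the
# comma-separated lists and N-M ranges that listing uses.
port_type_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = hi = p + 0 }
                if (want + 0 >= lo && want + 0 <= hi) { print $1; exit }
            }
        }'
}

# Given rsyncd.conf text ($1) and a port listing ($2), print the semanage
# command still needed for rsyncd to bind its configured port, or nothing
# if the port is already rsync_port_t. "-m" replaces an existing label
# where "-a" would be refused.
needed_port_command() {
    port=$(rsyncd_global_port "$1")
    case $port in
        misplaced:*) echo "move 'port = ${port#misplaced:}' into the global area of rsyncd.conf"; return 0 ;;
    esac
    have=$(port_type_for "$2" "$port")
    case $have in
        rsync_port_t) return 0 ;;
        "")           echo "semanage port -a -t rsync_port_t -p tcp $port" ;;
        *)            echo "semanage port -m -t rsync_port_t -p tcp $port" ;;
    esac
}

# Constructed samples (not captured from a real system).
CONF_OK='log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 10000

[files]
path = /srv/files
comment = file area
read only = false
timeout = 300'

# Same settings with the port line wrongly placed inside the [files] module.
CONF_BAD='log file = /var/log/rsyncd.log

[files]
path = /srv/files
port = 10000'

DENIAL='Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l <alert-id>'

PORTS_BEFORE='SELinux Port Type              Proto    Port Number

amqp_port_t                    tcp      5671-5672, 15672
rsync_port_t                   tcp      873
rsync_port_t                   udp      873
ssh_port_t                     tcp      22'
PORTS_AFTER="rsync_port_t                   tcp      10000, 873
$PORTS_BEFORE"

# Stand-alone run over the constructed samples.
echo "configured port: $(rsyncd_global_port "$CONF_OK")"
echo "denial:          $(denial_domain_port "$DENIAL")"
needed_port_command "$CONF_OK" "$PORTS_BEFORE"   # the semanage step is still needed
needed_port_command "$CONF_OK" "$PORTS_AFTER"    # prints nothing: already labeled
```

On a live system the listing comes from semanage port -l and the config from /etc/rsyncd.conf; the functions are kept free of those calls so the logic can be tested offline.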