Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

22.4. Configuration Examples

22.4.1. Rsync as a daemon
Link kopieren

When using Red Hat Enterprise Linux, rsync can be used as a daemon so that multiple clients can directly communicate with it as a central server, in order to house centralized files and keep them synchronized. The following example will demonstrate running rsync as a daemon over a network socket in the correct domain, and how SELinux expects this daemon to be running on a pre-defined (in SELinux policy) TCP port. This example will then show how to modify SELinux policy to allow the rsync daemon to run normally on a non-standard port.
This example will be performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. See the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used and that SELinux is running in enforcing mode.

Procedure 22.1. Getting rsync to launch as rsync_t

  1. Run the getenforce command to confirm SELinux is running in enforcing mode: 
    ~]$ getenforce
Enforcing
    Copy to Clipboard Toggle word wrap
    The command returns Enforcing when SELinux is running in enforcing mode.
  2. Run the which command to confirm that the rsync binary is in the system path: 
    ~]$ which rsync
/usr/bin/rsync
    Copy to Clipboard Toggle word wrap
  3. When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available, rather it is just enough to demonstrate the rsync daemon: 
    log file = /var/log/rsync.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
	path = /srv/rsync
        comment = file area
        read only = false
        timeout = 300
    Copy to Clipboard Toggle word wrap
  4. Now that a simple configuration file exists for rsync to operate in daemon mode, you can start it by running the following command: 
    ~]# systemctl start rsyncd.service
    Copy to Clipboard Toggle word wrap
    Ensure that rsyncd was successfully started (the output is supposed to look similar to the one below, only the time stamp will differ): 
    ~]# systemctl status rsyncd.service
rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled)
   Active: active (running) since Thu 2014-02-27 09:46:24 CET; 2s ago
 Main PID: 3220 (rsync)
   CGroup: /system.slice/rsyncd.service
           └─3220 /usr/bin/rsync --daemon --no-detach
    Copy to Clipboard Toggle word wrap
    SELinux can now enforce its protection mechanisms over the rsync daemon as it is now running in the rsync_t domain: 
    ~]$ ps -eZ | grep rsync
system_u:system_r:rsync_t:s0     3220 ?        00:00:00 rsync
    Copy to Clipboard Toggle word wrap
This example demonstrated how to get rsyncd running in the rsync_t domain. Rsync can also be run as a socket-activated service. In that case, the rsyncd is not executed until a client tries to connect to the service. To enable rsyncd to run as a socket-activated service, follow the steps above. To start rsyncd as a socket-activated service, enter the following command as root: 
~]# systemctl start rsyncd.socket
Copy to Clipboard Toggle word wrap
The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.

Procedure 22.2. Running the rsync daemon on a non-default port

  1. Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (that is, before any file areas are defined). The new configuration file will look like: 
    log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 10000
[files]
        path = /srv/rsync
        comment = file area
        read only = false
	timeout = 300
    Copy to Clipboard Toggle word wrap
  2. After launching the rsync daemon with this new setting, a denial message similar to the following is logged by SELinux: 
    Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
    Copy to Clipboard Toggle word wrap
  3. Use the semanage utility to add TCP port 10000 to the SELinux policy in rsync_port_t: 
    ~]# semanage port -a -t rsync_port_t -p tcp 10000
    Copy to Clipboard Toggle word wrap
  4. Now that TCP port 10000 has been added to the SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port: 
    ~]# systemctl start rsyncd.service
    Copy to Clipboard Toggle word wrap 
    ~]# netstat -lnp | grep 10000
tcp        0      0 0.0.0.0:10000   0.0.0.0:*      LISTEN      9910/rsync
    Copy to Clipboard Toggle word wrap
SELinux has had its policy modified and is now permitting rsyncd to operate on TCP port 10000.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat