
11.4. Configuration Examples


11.4.1. Rsync as a daemon

When using Red Hat Enterprise Linux, rsync can be used as a daemon, so that multiple clients can directly communicate with it as a central server in order to house centralized files and keep them synchronized. The following example demonstrates running rsync as a daemon over a network socket in the correct domain, and how SELinux expects this daemon to be running on a pre-defined (in SELinux policy) TCP port. This example then shows how to modify SELinux policy to allow the rsync daemon to run normally on a non-standard port.
This example is performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. See the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.

Procedure 11.1. Getting rsync to launch as rsync_t

  1. Run the getenforce command to confirm SELinux is running in enforcing mode:
    ~]$ getenforce
    Enforcing
    The getenforce command returns Enforcing when SELinux is running in enforcing mode.
  2. Run the which command to confirm that the rsync binary is in the system path:
    ~]$ which rsync
    /usr/bin/rsync
  3. When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available, rather it is just enough to demonstrate the rsync daemon:
    log file = /var/log/rsync.log
    pid file = /var/run/rsyncd.pid
    lock file = /var/run/rsync.lock
    [files]
            path = /srv/files
            comment = file area
            read only = false
            timeout = 300
  4. Now that a simple configuration file exists for rsync to operate in daemon mode, this step demonstrates that simply running the rsync --daemon command is not sufficient for SELinux to offer its protection over rsync. See the following output:
    ~]# rsync --daemon
    
    ~]# ps x | grep rsync
     8231 ?        Ss     0:00 rsync --daemon
     8233 pts/3    S+     0:00 grep rsync
    
    ~]# ps -eZ | grep rsync
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync
    Note that in the output from the final ps command, the context shows the rsync daemon running in the unconfined_t domain. This indicates that rsync has not transitioned to the rsync_t domain, because it was launched directly with the rsync --daemon command. At this point, SELinux cannot enforce its rules and policy over this daemon. The following steps show how to fix this problem.
    In the following steps, rsync transitions to the rsync_t domain because it is launched from a properly-labeled init script. Only then can SELinux and its protection mechanisms take effect over rsync. Kill this rsync process before proceeding to the next step.
  5. A custom init script for rsync is needed for this step. Save the following to /etc/rc.d/init.d/rsyncd.
    #!/bin/bash
    
    # Source function library.
    . /etc/rc.d/init.d/functions
    
    # Nothing to do if the rsync binary is not installed.
    [ -f /usr/bin/rsync ] || exit 0
    
    case "$1" in
        start)
            # Because this script is labeled initrc_exec_t, rsync transitions to rsync_t here.
            action "Starting rsyncd: " /usr/bin/rsync --daemon
            ;;
        stop)
            # Note: killall stops every rsync process on the system, including any client transfers in progress.
            action "Stopping rsyncd: " killall rsync
            ;;
        *)
            echo "Usage: rsyncd {start|stop}"
            exit 1
            ;;
    esac
    exit 0
    The following steps show how to label this script as initrc_exec_t:
  6. Run the semanage command to add a context mapping for /etc/rc.d/init.d/rsyncd:
    ~]# semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"
  7. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:
    ~]# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local
    
    /etc/rc.d/init.d/rsyncd    system_u:object_r:initrc_exec_t:s0
  8. Now use the restorecon command to apply this context mapping to the running system:
    ~]# restorecon -R -v /etc/rc.d/init.d/rsyncd
  9. Run the ls -lZ command to confirm the script has been labeled appropriately. Note that in the following output, the script has been labeled as initrc_exec_t:
    ~]$ ls -lZ /etc/rc.d/init.d/rsyncd
    -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd
  10. Turn on the rsync_server SELinux boolean:
    ~]# setsebool rsync_server on
    Note that this setting is not permanent and as such, it will revert to its original state after a reboot. To make the setting permanent, use the -P option with the setsebool command.
  11. Launch rsyncd via the new script. Because rsync is now started from an appropriately labeled init script, the process runs as rsync_t:
    ~]# service rsyncd start
    Starting rsyncd:                                           [  OK  ]
    
    ~]$ ps -eZ | grep rsync
    unconfined_u:system_r:rsync_t:s0 9794 ?        00:00:00 rsync
    SELinux can now enforce its protection mechanisms over the rsync daemon as it is now running in the rsync_t domain.
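The difference between step 4 and step 11 is visible only in the type field of the process context. The following POSIX shell helper, added here as an example and not part of the Red Hat guide, extracts that field from ps -eZ style output and reports whether every rsync process is confined in rsync_t. The two sample lines are constructed from the outputs shown above; on a live system the same function can be fed the real listing with rsync_confined "$(ps -eZ)".

```shell
#!/bin/sh
# Added check (not from the Red Hat guide): verify from `ps -eZ` style output
# that every rsync process runs in the rsync_t domain rather than unconfined_t.
# The context is the first column of `ps -eZ`; its type is the third
# colon-separated field (user:role:type:level).

# selinux_type CONTEXT -> prints the type field of a full SELinux context
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# rsync_domain PS_LINE -> prints the domain (type) of one `ps -eZ` line
rsync_domain() {
    selinux_type "$(printf '%s\n' "$1" | awk '{print $1}')"
}

# rsync_confined PS_OUTPUT -> 0 if all rsync processes are in rsync_t,
# 1 if any rsync process runs in another domain, 2 if no rsync process is listed
rsync_confined() {
    found=0
    bad=0
    while IFS= read -r line; do
        # `ps -eZ` prints the command name last; only consider rsync itself
        [ "$(printf '%s\n' "$line" | awk '{print $NF}')" = "rsync" ] || continue
        found=1
        [ "$(rsync_domain "$line")" = "rsync_t" ] || bad=1
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample lines, taken from the outputs shown in Procedure 11.1
SAMPLE_UNCONFINED='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync'
SAMPLE_CONFINED='unconfined_u:system_r:rsync_t:s0 9794 ?        00:00:00 rsync'

for sample in "$SAMPLE_UNCONFINED" "$SAMPLE_CONFINED"; do
    if rsync_confined "$sample"; then
        echo "confined:     $(rsync_domain "$sample")"
    else
        echo "NOT confined: $(rsync_domain "$sample")"
    fi
done
```

The check deliberately fails closed: an empty listing returns 2 rather than 0, so a monitoring job that runs it cannot mistake "rsync is not running" for "rsync is confined".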
This example demonstrated how to get rsyncd running in the rsync_t domain. The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.

Procedure 11.2. Running the rsync daemon on a non-default port

  1. Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (that is, before any file areas are defined). The new configuration file will look like:
    log file = /var/log/rsync.log
    pid file = /var/run/rsyncd.pid
    lock file = /var/run/rsync.lock
    port = 10000
    [files]
            path = /srv/files
            comment = file area
            read only = false
            timeout = 300
  2. After launching rsync from the init script with this new setting, a denial similar to the following is logged by SELinux:
    Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
  3. Run semanage to add TCP port 10000 to SELinux policy in rsync_port_t:
    ~]# semanage port -a -t rsync_port_t -p tcp 10000
  4. Now that TCP port 10000 has been added to SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port:
    ~]# service rsyncd start
    Starting rsyncd:                                           [  OK  ]
    
    ~]# netstat -lnp | grep 10000
    tcp        0      0 0.0.0.0:10000   0.0.0.0:*      LISTEN      9910/rsync
SELinux has had its policy modified and is now permitting rsyncd to operate on TCP port 10000.
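Whether the semanage port -a command in step 3 is the right fix depends on what the policy already says about the port: semanage port -l prints each port type with a comma-separated list of ports and ranges, and semanage port -a is refused when another type already defines exactly that port (semanage port -m is then needed instead). The following POSIX shell helper, added here as an example and not part of the Red Hat guide, parses a semanage port -l listing, extracts the domain and port from the setroubleshoot message in step 2, and prints the semanage command that applies. The listings and the other_port_t type are constructed for the example; the real listing can be passed with "$(semanage port -l)".

```shell
#!/bin/sh
# Added helper (not from the Red Hat guide): decide how a TCP/UDP port should be
# labeled, based on `semanage port -l` output. That listing has the form
#   rsync_port_t   tcp   873, 8730
#   unreserved_port_t   tcp   1024-32767, 61001-65535
# i.e. type, protocol, then comma-separated ports and port ranges.

# port_labeled TYPE PROTO PORT LISTING -> 0 if PORT is covered by TYPE for PROTO
# (either listed exactly or inside one of its ranges), 1 otherwise
port_labeled() {
    ptype=$1; proto=$2; port=$3; listing=$4
    printf '%s\n' "$listing" | awk -v t="$ptype" -v pr="$proto" -v p="$port" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i
                sub(/,$/, "", v)
                if (v ~ /^[0-9]+-[0-9]+$/) {
                    split(v, r, "-")
                    if (p+0 >= r[1]+0 && p+0 <= r[2]+0) found = 1
                } else if (v+0 == p+0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# port_owners PROTO PORT LISTING -> prints every type that lists PORT exactly
# (ranges are ignored: they do not block `semanage port -a`, exact entries do)
port_owners() {
    printf '%s\n' "$3" | awk -v pr="$1" -v p="$2" '
        $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i
                sub(/,$/, "", v)
                if (v !~ /-/ && v+0 == p+0) print $1
            }
        }'
}

# denied_bind MESSAGE -> prints "DOMAIN PORT" from a setroubleshoot line such as
# "SELinux is preventing the rsync (rsync_t) from binding to port 10000."
denied_bind() {
    printf '%s\n' "$1" |
        sed -n 's/.*preventing [^(]*(\([a-z_]*\)) from binding to port \([0-9]*\).*/\1 \2/p'
}

# fix_command TYPE PROTO PORT LISTING -> prints the semanage command to run,
# or "already labeled TYPE" when nothing needs to change
fix_command() {
    if port_labeled "$1" "$2" "$3" "$4"; then
        echo "already labeled $1"
        return 0
    fi
    owner=$(port_owners "$2" "$3" "$4" | head -n 1)
    if [ -n "$owner" ]; then
        # an exact definition exists for another type: -a would fail, use -m
        echo "semanage port -m -t $1 -p $2 $3   # currently $owner"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# Constructed listing resembling `semanage port -l` before step 3 of Procedure 11.2
LISTING_BEFORE='SELinux Port Type              Proto    Port Number
rsync_port_t                   tcp      873, 8730
rsync_port_t                   udp      873, 8730
unreserved_port_t              tcp      1024-32767, 61001-65535'

# The setroubleshoot line from step 2 of Procedure 11.2
ALERT='Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8'

set -- $(denied_bind "$ALERT")
echo "denied domain: $1, port: $2"
echo "fix: $(fix_command rsync_port_t tcp "$2" "$LISTING_BEFORE")"
```

Running the block prints the exact command used in step 3. The range check matters for reading the listing correctly: port 10000 already falls inside the unreserved_port_t range, which is why the daemon could bind it once rsync_port_t was extended, and why no -m was needed.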
© 2025 Red Hat