Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

11.4. Configuration Examples

11.4.1. Rsync as a daemon

When using Red Hat Enterprise Linux, rsync can be used as a daemon, so that multiple clients can directly communicate with it as a central server in order to house centralized files and keep them synchronized. The following example demonstrates running rsync as a daemon over a network socket in the correct domain, and how SELinux expects this daemon to be running on a pre-defined (in SELinux policy) TCP port. This example then shows how to modify SELinux policy to allow the rsync daemon to run normally on a non-standard port.
This example is performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. See the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.

Procedure 11.1. Getting rsync to launch as rsync_t

  1. Run the getenforce command to confirm SELinux is running in enforcing mode:
    ~]$ getenforce
    Enforcing
    The getenforce command returns Enforcing when SELinux is running in enforcing mode.
  2. Run the which command to confirm that the rsync binary is in the system path:
    ~]$ which rsync
    /usr/bin/rsync
  3. When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available, rather it is just enough to demonstrate the rsync daemon:
    log file = /var/log/rsync.log
    pid file = /var/run/rsyncd.pid
    lock file = /var/run/rsync.lock
    [files]
            path = /srv/files
            comment = file area
            read only = false
    	timeout = 300
  4. Now that a simple configuration file exists for rsync to operate in daemon mode, this step demonstrates that simply running the rsync --daemon command is not sufficient for SELinux to offer its protection over rsync. See the following output:
    ~]# rsync --daemon
    
    ~]# ps x | grep rsync
     8231 ?        Ss     0:00 rsync --daemon
     8233 pts/3    S+     0:00 grep rsync
    
    ~]# ps -eZ | grep rsync
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync
    Note that in the output from the final ps command, the context shows the rsync daemon running in the unconfined_t domain. This indicates that rsync has not transitioned to the rsync_t domain as it was launched by the rsync --daemon command. At this point, SELinux cannot enforce its rules and policy over this daemon. See the following steps to see how to fix this problem.
    In the following steps, rsync transitions to the rsync_t domain because it launched it from a properly-labeled init script. Only then can SELinux and its protection mechanisms have an effect over rsync. This rsync process should be killed before proceeding to the next step.
  5. A custom init script for rsync is needed for this step. Save the following to /etc/rc.d/init.d/rsyncd.
    #!/bin/bash
    
    # Source function library.
    . /etc/rc.d/init.d/functions
    
    [ -f /usr/bin/rsync ] || exit 0
    
    case "$1" in
    start)
    action "Starting rsyncd: " /usr/bin/rsync --daemon
    ;;
    stop)
    action "Stopping rsyncd: " killall rsync
    ;;
    *)
    echo "Usage: rsyncd {start|stop}"
    exit 1
    esac
    exit 0
    The following steps show how to label this script as initrc_exec_t:
  6. Run the semanage command to add a context mapping for /etc/rc.d/init.d/rsyncd:
    ~]# semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"
  7. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:
    ~]# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local
    
    /etc/rc.d/init.d/rsyncd    system_u:object_r:initrc_exec_t:s0
  8. Now use the restorecon command to apply this context mapping to the running system:
    ~]# restorecon -R -v /etc/rc.d/init.d/rsyncd
  9. Run the ls -lZ command to confirm the script has been labeled appropriately. Note that in the following output, the script has been labeled as initrc_exec_t:
    ~]$ ls -lZ /etc/rc.d/init.d/rsyncd
    -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd
  10. Turn on the rsync_server SELinux boolean:
    ~]# setsebool rsync_server on
    Note that this setting is not permanent and as such, it will revert to its original state after a reboot. To make the setting permanent, use the -P option with the setsebool command.
  11. Launch rsyncd via the new script. Now that rsync has started from an init script that had been appropriately labeled, the process has started as rsync_t:
    ~]# service rsyncd start
    Starting rsyncd:                                           [  OK  ]
    
    $ ps -eZ | grep rsync
    unconfined_u:system_r:rsync_t:s0 9794 ?        00:00:00 rsync
    SELinux can now enforce its protection mechanisms over the rsync daemon as it is now runing in the rsync_t domain.
This example demonstrated how to get rsyncd running in the rsync_t domain. The next example shows how to get this daemon successfully running on a non-default port. TCP port 10000 is used in the next example.

Procedure 11.2. Running the rsync daemon on a non-default port

  1. Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (that is, before any file areas are defined). The new configuration file will look like:
    log file = /var/log/rsyncd.log
    pid file = /var/run/rsyncd.pid
    lock file = /var/run/rsync.lock
    port = 10000
    [files]
            path = /srv/files
            comment = file area
            read only = false
    	timeout = 300
  2. After launching rsync from the init script with this new setting, a denial similar to the following is logged by SELinux:
    Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages, run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8
  3. Run semanage to add TCP port 10000 to SELinux policy in rsync_port_t:
    ~]# semanage port -a -t rsync_port_t -p tcp 10000
  4. Now that TCP port 10000 has been added to SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port:
    ~]# service rsyncd start
    Starting rsyncd:                                           [  OK  ]
    
    ~]# netstat -lnp | grep 10000
    tcp        0      0 0.0.0.0:10000   0.0.0.0:*      LISTEN      9910/rsync
SELinux has had its policy modified and is now permitting rsyncd to operate on TCP port 10000.