-
Run getenforce
to confirm SELinux is running in enforcing mode:
$ getenforce
Enforcing
The getenforce
command returns Enforcing
when SELinux is running in enforcing mode.
-
Run the which
command to confirm that the rsync binary is in the system path:
$ which rsync
/usr/bin/rsync
-
When running rsync
as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf
. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available, rather it is just enough to demonstrate the rsync
daemon:
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
[files]
path = /srv/files
comment = file area
read only = false
timeout = 300
-
Now that a simple configuration file exists for rsync to operate in daemon mode, this step demonstrates that simply running rsync --daemon
is not sufficient for SELinux to offer its protection over rsync. Refer to the following output:
# rsync --daemon
# ps x | grep rsync
8231 ? Ss 0:00 rsync --daemon
8233 pts/3 S+ 0:00 grep rsync
# ps -eZ | grep rsync
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync
Note that in the output from the final ps
command, the context shows the rsync
daemon running in the unconfined_t
domain. This indicates that rsync has not transitioned to the rsync_t
domain as it was launched by the rsync --daemon
command. At this point SELinux can not enforce its rules and policy over this daemon. Refer to the following steps to see how to fix this problem. In the following steps, rsync
will transition to the rsync_t
domain by launching it from a properly-labeled init script. Only then can SELinux and its protection mechanisms have an effect over rsync
. This rsync
process should be killed before proceeding to the next step.
-
A custom init script for rsync is needed for this step. Save the following to /etc/rc.d/init.d/rsyncd
.
#!/bin/bash
# Source function library.
. /etc/rc.d/init.d/functions
[ -f /usr/bin/rsync ] || exit 0
case "$1" in
start)
action "Starting rsyncd: " /usr/bin/rsync --daemon
;;
stop)
action "Stopping rsyncd: " killall rsync
;;
*)
echo "Usage: rsyncd {start|stop}"
exit 1
esac
exit 0
The following steps show how to label this script as initrc_exec_t
:
-
Run the semanage
command to add a context mapping for /etc/rc.d/init.d/rsyncd
:
semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"
-
This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local
file:
# grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local
/etc/rc.d/init.d/rsyncd system_u:object_r:initrc_exec_t:s0
-
Now use the restorecon
command to apply this context mapping to the running system:
restorecon -R -v /etc/rc.d/init.d/rsyncd
-
Run the ls -lZ
command to confirm the script has been labeled appropriately. Note that in the following output the script has been labeled as initrc_exec_t
:
ls -lZ /etc/rc.d/init.d/rsyncd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd
-
Launch rsyncd
via the new script. Now that rsync has started from an init script that has been appropriately labeled, the process will start as rsync_t
:
# service rsyncd start
Starting rsyncd: [ OK ]
ps -eZ | grep rsync
unconfined_u:system_r:rsync_t:s0 9794 ? 00:00:00 rsync
SELinux can now enforce its protection mechanisms over the rsync
daemon as it is now runing in the rsync_t
domain.