SELinux/rsync

From FedoraProject

< SELinux
Revision as of 14:13, 24 May 2008 by ImportUser (Talk)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
rsync_selinux(8)      rsync Selinux Policy documentation      rsync_selinux(8)

NAME
rsync_selinux - Security Enhanced Linux Policy for the rsync daemon

DESCRIPTION
Security-Enhanced Linux secures the rsync server via flexible mandatory
access control.

FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.   Policy  governs the access daemons have to these files.  If you
want to share files using the rsync daemon, you must  label  the  files
and  directories  public_content_t.  So if you created a special direc-
tory /var/rsync, you would need to label the directory with  the  chcon
tool.

chcon -t public_content_t /var/rsync

If  you  want  to make this permanant, i.e. survive a relabel, you must
add an entry to the file_contexts.local file.

/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
/var/rsync(/.*)? system_u:object_r:public_content_t

SHARING FILES
If  you  want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and  public_con-
tent_rw_t.   These  context  allow any of the above domains to read the
content.  If you want a particular domain to write to  the  public_con-
tent_rw_t    domain,    you   must   set   the   appropriate   boolean.
allow_DOMAIN_anon_write.  So for rsync you would execute:

setsebool -P allow_rsync_anon_write=1

BOOLEANS
You can disable SELinux protection for the rsync daemon by executing:

setsebool -P rsync_disable_trans 1
service xinetd restart

system-config-securitylevel  is  a  GUI  tool  available  to  customize
SELinux policy settings.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
selinux(8), rsync(1), chcon(1), setsebool(8)

dwalsh@redhat.com                 17 Jan 2005                 rsync_selinux(8)