Hi,

in stable with selinux-policy-default enabled, you can't copy things from an SELinux-enabled host using rsync like this: rsync -av [selinux-protected-wheezy]:/etc . This is because rsync does not have the permissions to interact with pipes inherited from sshd, which it needs when using ssh as a transport.

grift from #selinux (he's doing SELinux work in Fedora, I believe) suggested forcing unconfined_t to not transition to rsync when running rsync, which would certainly fix this (that is how it is done in Fedora), but I guessed the proper fix would be to fix the actual issue, which also fixes it for confined domains. I pushed a patch to the wheezy branch in git, and it is also attached.

I think we should get this fix into stable (and probably more I'll discover during the next days), and it might be easiest to get them into unstable (considering stable and unstable still have the same version), let them migrate to testing and request a stable update then. I'd do the requesting part. But please comment if you think my patch is sensible; if you think it is, I'll try to push it upstream as well, so that this is fixed for the future.

Cheers,
Mika
Index: refpolicy/policy/modules/services/rsync.te
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.te 2013-08-13 22:34:55.000000000 +0200
+++ refpolicy/policy/modules/services/rsync.te 2013-08-13 22:44:26.148268514 +0200
@@ -118,6 +118,12 @@
')
optional_policy(`
+ ssh_sigchld(rsync_t)
+ ssh_rw_pipes(rsync_t)
+ ssh_use_fd(rsync_t)
+')
+
+optional_policy(`
inetd_service_domain(rsync_t, rsync_exec_t)
')
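Review bot: the `ssh_use_fd(rsync_t)` call in this hunk depends on the `ssh_use_fd` interface that is only introduced by the ssh.if hunk of this same patch, so the two hunks must be applied together or the rsync module will not build against an unpatched ssh.if; please say so in the commit message and keep them in one commit. It would also help reviewers if the message listed the actual denials observed (the description mentions pipes, which `ssh_rw_pipes` covers; `ssh_use_fd` and `ssh_sigchld` address the inherited descriptors and the exit signal to the parent sshd, which the text does not state explicitly).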
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.if 2013-08-13 22:51:51.432858222 +0200
+++ refpolicy/policy/modules/services/ssh.if 2013-08-13 22:50:12.406910798 +0200
@@ -501,6 +501,23 @@
allow $1 sshd_t:fifo_file { write read getattr ioctl };
')
+########################################
+## <summary>
+## Use an fd inherited from the sshd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_use_fd',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:fd use;
+')
########################################
## <summary>
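Review bot: the summary "Use an fd inherited from the sshd." reads awkwardly; suggest "Inherit and use file descriptors from sshd." to match the phrasing used by similar interfaces. Since any caller that uses the preceding interface (the one ending in `allow $1 sshd_t:fifo_file { write read getattr ioctl };`, i.e. ssh_rw_pipes, judging by the context) to read an inherited pipe will also need `fd use` on sshd_t to hold that descriptor, consider having ssh_rw_pipes call ssh_use_fd, or include the allow there, instead of requiring every caller to add both.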