|
Chris PeBenito |
bf080a |
.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync SELinux Policy documentation"
.SH "NAME"
rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
.SH "DESCRIPTION"
Security-Enhanced Linux secures the rsync server via flexible mandatory access
control.
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Policy governs the access daemons have to these files.
If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you
would need to label the directory with the chcon tool.
.TP
chcon -t public_content_t /var/rsync
.TP
If you want to make this permanent, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
.TP
/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
.br
/var/rsync(/.*)? system_u:object_r:public_content_t
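.PP
The following is an added example, not part of the original manual page or of the SELinux tools: a shell function that reports which type a file_contexts.local-style file would assign to a path, so the /var/rsync(/.*)? entry can be checked before a relabel. The function name fc_type, the sample file and its httpd_sys_content_t line are constructed for illustration; matching is simplified to grep -E with the last matching line winning.

```shell
#!/bin/sh
# Added example: not part of the rsync policy or of the SELinux userland.
# fc_type PATH FILE
#   Print the SELinux type that a file_contexts.local-style FILE assigns
#   to PATH, or "<none>" when no entry matches.
# Simplifications (assumptions): each regex is matched with grep -E and
# anchored at both ends, the last matching line wins, and an optional
# file-type field between regex and context (such as -d) is skipped.
fc_type() {
    path=$1 file=$2 result="<none>"
    while read -r regex f2 f3 || [ -n "$regex" ]; do
        case $regex in ''|'#'*) continue ;; esac   # blank line or comment
        context=${f3:-$f2}                          # context is the last field
        if printf '%s\n' "$path" | grep -Eq "^(${regex})\$"; then
            type=${context#*:*:}                    # drop "user:role:"
            result=${type%%:*}                      # drop a trailing ":level"
        fi
    done < "$file"
    printf '%s\n' "$result"
}

# Constructed sample: the entry from this page plus one unrelated entry.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# local file context customizations
/srv/www(/.*)?      system_u:object_r:httpd_sys_content_t
/var/rsync(/.*)?    system_u:object_r:public_content_t
EOF

# /var/rsyncd.conf must not be covered: the entry matches the directory
# and everything below it, not every path that starts with "/var/rsync".
for p in /var/rsync /var/rsync/pub/a.iso /var/rsyncd.conf /srv/www/index.html
do
    printf '%-24s %s\n' "$p" "$(fc_type "$p" "$sample")"
done
```

On a live system, compare the result with the label actually on disk, for example with ls -Zd /var/rsync.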
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t or public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to content labeled public_content_rw_t, you must set the appropriate boolean, allow_DOMAIN_anon_write. So for rsync you would execute:

setsebool -P allow_rsync_anon_write=1
.SH BOOLEANS
.TP
You can disable SELinux protection for the rsync daemon by executing:
.TP
setsebool -P rsync_disable_trans 1
.br
service xinetd restart
.TP
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
selinux(8), rsync(1), chcon(1), setsebool(8)