[DSE-Dev] Fixing rsync in stable

Mika Pflüger debian at mikapflueger.de
Tue Aug 13 21:49:21 UTC 2013


Hi,

in stable with selinux-policy-default enabled, you can't copy things
from a selinux-enabled host using rsync like this:
rsync -av [selinux-protected-wheezy]:/etc .
This is because rsync does not have the permissions to interact with
pipes inherited from sshd, which it needs when using ssh as a transport.

grift from #selinux (he's doing selinux-work in fedora, I believe)
suggested forcing unconfined_t to not transition to rsync when running
rsync, which would certainly fix this (that is how it is done in
fedora), but I guessed the proper fix would be to fix the actual issue,
which also fixes it for confined domains. I pushed a patch to the
wheezy branch in git, and it is also attached. I think we should get
this fix into stable (and probably more I'll discover during the next
days), and it might be easiest to get them into unstable (considering
stable and unstable still have the same version), let them migrate to
testing and request a stable update then. I'd do the requesting part.

But please comment if you think my patch is sensible; if you think it
is, I'll try to push it upstream as well, so that this is fixed for the
future.

Cheers,

Mika

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0340-fix-rsync.patch
Type: text/x-patch
Size: 1210 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20130813/bf4093b1/attachment.bin>
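A denial of the kind this message describes would normally appear in the audit log as AVC records of class fifo_file, where the target context is the domain that created the pipe. The following is an added example, not part of the original post or the attached patch, that picks such records out of a log; the type names rsync_t and sshd_t and all sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample audit records (not from the original post). The type names
# rsync_t and sshd_t are assumptions; the post itself names only unconfined_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1376430500.101:410): avc:  denied  { read write } for  pid=2211 comm="rsync" path="pipe:[18342]" dev=pipefs ino=18342 scontext=unconfined_u:unconfined_r:rsync_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fifo_file
type=AVC msg=audit(1376430500.102:411): avc:  denied  { getattr } for  pid=2211 comm="rsync" path="pipe:[18343]" dev=pipefs ino=18343 scontext=unconfined_u:unconfined_r:rsync_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fifo_file
type=AVC msg=audit(1376430500.200:412): avc:  denied  { search } for  pid=2211 comm="rsync" name="data" dev=sda1 ino=5521 scontext=unconfined_u:unconfined_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1376430501.000:413): avc:  denied  { write } for  pid=900 comm="cron" path="pipe:[777]" dev=pipefs ino=777 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fifo_file
"""

# Captures the permission set and the three fields that identify the rule needed.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def inherited_pipe_denials(log_text, source_type="rsync_t", pipe_owner="sshd_t"):
    """Collect denied fifo_file permissions where source_type touched a pipe
    labelled with pipe_owner's domain, i.e. a pipe inherited from that domain."""
    found = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "fifo_file":
            continue  # not an AVC denial, or not a pipe
        src = selinux_type(m.group("scon"))
        tgt = selinux_type(m.group("tcon"))
        if src == source_type and tgt == pipe_owner:
            key = (src, tgt, "fifo_file")
            found.setdefault(key, set()).update(m.group("perms").split())
    return found


def summarize(log_text):
    """One line per (source, target, class) with the union of denied permissions."""
    return [
        f"{s} -> {t}:{c} denied {{ {' '.join(sorted(p))} }}"
        for (s, t, c), p in sorted(inherited_pipe_denials(log_text).items())
    ]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_AUDIT_LOG)))
```

The summarized permission set is what a reviewer would compare against the rules a policy patch adds, to check that the patch grants no more than the denials call for.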