
selinux and rsync in chroot
I am fairly new to selinux and while I have a seemingly working install,
when it's in enforcing mode I get errors trying to sync other gentoo
boxes' portage tree, like:

Jun 23 01:35:21 yorke rsyncd[18130]: chroot /usr/portage failed:
Permission denied

It's the only error I can see anywhere about it, and I can't seem to
locate any log of the selinux denial, neither while in enforcing nor in
permissive. However in permissive mode, the sync works as expected.

I can see some grsec denials (not related to rsyncd) in
/var/log/grsec.log (running syslog-ng, btw) but nothing selinux related
in /var/log/kern.log or /var/log/messages and from what I have read thus
far I am certain that I should be getting something. kern.log and
messages both contain "security:" entries when I load a new selinux
policy. Is there just some verbosity flag I missed so I can start
logging these denials?

I thought perhaps I needed to reload the rsync selinux policy and was
surprised there wasn't one to be found, not installed or in portage,
unless it's wrapped up in the base policy. Am I missing something? I see
policies for distcc and bind amongst many others, but nothing for rsync?

How can I go about resolving this, and I mean that more like, I'd
greatly appreciate learning how, not just waltzing through some blind
steps. Sorry if I threw too much out there at once, but that much for
any advice.

Regards,

--
Jason K Larson
--
gentoo-security@gentoo.org mailing list
Re: selinux and rsync in chroot
On Thursday 23 June 2005 10:13, Jason K Larson wrote:
> I am fairly new to selinux and while I have a seemingly working
> install, when it's in enforcing mode I get errors trying to sync other
> gentoo boxes' portage tree, like:
>
> Jun 23 01:35:21 yorke rsyncd[18130]: chroot /usr/portage failed:
> Permission denied
>
> It's the only error I can see anywhere about it, and I can't seem to
> locate any log of the selinux denial, neither while in enforcing nor in
> permissive. However in permissive mode, the sync works as expected.
>
> I can see some grsec denials (not related to rsyncd) in
> /var/log/grsec.log (running syslog-ng, btw) but nothing selinux related
> in /var/log/kern.log or /var/log/messages and from what I have read
> thus far I am certain that I should be getting something. kern.log and
> messages both contain "security:" entries when I load a new selinux
> policy. Is there just some verbosity flag I missed so I can start
> logging these denials?

Yes, you need to enable a specific kernel option to log selinux messages.
Then you should be able to receive them.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: selinux and rsync in chroot
> I thought perhaps I needed to reload the rsync selinux policy and was
> surprised there wasn't one to be found, not installed or in portage,
> unless it's wrapped up in the base policy. Am I missing something? I see
> policies for distcc and bind amongst many others, but nothing for rsync?
I can't tell you which ebuild it came from (portage won't tell you), but
I have a policy for rsync. Which versions do you have?

Antoine

Re: selinux and rsync in chroot
On Thu, 23 Jun 2005 02:13:35 -0600
Jason K Larson <gentoo-security@candlefire.org> wrote:

> I am fairly new to selinux and while I have a seemingly working
> install, when it's in enforcing mode I get errors trying to sync other
> gentoo boxes' portage tree, like:
>
> Jun 23 01:35:21 yorke rsyncd[18130]: chroot /usr/portage failed:
> Permission denied

Try something like:

r_dir_file(rsyncd_t, portage_ebuild_t)

>
> It's the only error I can see anywhere about it, and I can't seem to
> locate any log of the selinux denial, neither while in enforcing nor
> in permissive. However in permissive mode, the sync works as
> expected.
>
> I can see some grsec denials (not related to rsyncd) in
> /var/log/grsec.log (running syslog-ng, btw) but nothing selinux
> related in /var/log/kern.log or /var/log/messages and from what I
> have read thus far I am certain that I should be getting something.
> kern.log and messages both contain "security:" entries when I load a
> new selinux policy. Is there just some verbosity flag I missed so I
> can start logging these denials?

Kernel config -> General Setup -> Auditing support.

>
> I thought perhaps I needed to reload the rsync selinux policy and was
> surprised there wasn't one to be found, not installed or in portage,
> unless it's wrapped up in the base policy. Am I missing something? I
> see policies for distcc and bind amongst many others, but nothing for
> rsync?

It's in selinux-base-policy.

>
> How can I go about resolving this, and I mean that more like, I'd
> greatly appreciate learning how, not just waltzing through some blind
> steps. Sorry if I threw too much out there at once, but that much
> for any advice.

BTW, this should probably be on the gentoo-hardened list rather than
this one -- support for hardened gentoo projects generally belongs
there.
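As an added example that is not part of the thread, the following POSIX shell script shows the two diagnostic steps the replies describe: first confirm that AVC denials are reaching the log at all (the first post saw none, which is what the missing kernel audit support explains), then, once they do appear, summarise the denials for one source domain such as rsyncd_t so you can read off the target type and permission that a rule like the r_dir_file() macro suggested above would have to grant. The log lines, pids and inode numbers are constructed for this example, and the function names and the temporary-file handling are my own, not anything from the thread or from Gentoo's policy.

```shell
#!/bin/sh
# Added example: locate and summarise SELinux AVC denials for one domain.

# Constructed sample log (kernel AVC format as syslog would record it).
# The two rsyncd_t lines are what an admin would expect to see behind
# "chroot /usr/portage failed: Permission denied"; the distccd_t line is
# unrelated noise so the filter has something to skip.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 23 01:35:21 yorke kernel: audit(1119504921.123:45): avc:  denied  { search } for  pid=18130 comm="rsync" name="portage" dev=hda3 ino=12345 scontext=system_u:system_r:rsyncd_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jun 23 01:35:21 yorke kernel: audit(1119504921.124:46): avc:  denied  { getattr } for  pid=18130 comm="rsync" path="/usr/portage" dev=hda3 ino=12345 scontext=system_u:system_r:rsyncd_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jun 23 01:35:21 yorke kernel: audit(1119504921.200:47): avc:  denied  { read } for  pid=2201 comm="distccd" name="foo.c" dev=hda3 ino=777 scontext=system_u:system_r:distccd_t tcontext=system_u:object_r:user_home_t tclass=file
Jun 23 01:35:22 yorke rsyncd[18130]: chroot /usr/portage failed: Permission denied
EOF

# avc_logging_present LOGFILE
# Returns 0 if at least one AVC denial is in LOGFILE. Returns 1 otherwise and
# points at the cause the thread identified: SELinux messages are only
# delivered when the kernel has auditing support enabled.
avc_logging_present() {
    if grep -q 'avc: *denied' "$1"; then
        return 0
    fi
    echo "no AVC denials found in $1" >&2
    echo "if access fails only in enforcing mode, check the kernel config:" >&2
    echo "  General Setup -> Auditing support" >&2
    return 1
}

# avc_summary LOGFILE DOMAIN
# Prints one "target_type class permissions" line per distinct denial whose
# source domain (last component of scontext) is DOMAIN, e.g. rsyncd_t.
# Each line is what a policy rule for that domain would have to allow.
avc_summary() {
    log=$1; domain=$2
    grep 'avc: *denied' "$log" |
    awk -v dom="$domain" '
    {
        perm = ""; sdom = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # permissions appear as "{ perm1 perm2 ... }"
            if ($i == "{") {
                j = i + 1
                while (j <= NF && $j != "}") {
                    perm = perm (perm ? " " : "") $j
                    j++
                }
            }
            if ($i ~ /^scontext=/) { n = split($i, a, ":"); sdom = a[n] }
            if ($i ~ /^tcontext=/) { n = split($i, b, ":"); ttype = b[n] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (sdom == dom) print ttype, cls, perm
    }' | sort -u
}

# Stand-alone run: report on the constructed log for the rsync daemon domain.
if avc_logging_present "$SAMPLE_LOG"; then
    echo "denials for rsyncd_t (target_type class permissions):"
    avc_summary "$SAMPLE_LOG" rsyncd_t
fi
```

Run it against a real /var/log/messages or kern.log instead of the constructed file; a domain that shows up with nothing but read-style permissions on a single target type is the case the r_dir_file() macro in the reply above was written for, while anything beyond that deserves a look at the policy rather than a blanket allow.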