TL/DR: SELinux stopping Rsync from writing to local Repository Mirror from Public Repositories - Please Help
First off: Sorry if this is posted to the wrong thread.
I've been researching this issue for a few weeks now and I've gotten to the stage where I've overloaded my brain with information and now can't see the forest for the trees. I'm hoping some nice individual will take pity on me and help me out / point me in the right direction - and thanks in advance for being a nice person. :-)
We've got a local repository mirror server for a number of EL9 repos (Rocky Linux, Ghetto Forge, Remi, EPEL, etc) that we've set up to sync periodically. Everything is working properly except that SELinux is causing the rsync script(s) we are using (running as root via a systemd.timer) to return write permission issues. We know it's SELinux because when we (temporarily) disable SELinux everything works 100% AOK.
FTR: We're dumping the copied repos/files into the root/base directory: /repositories/el9/*.
The local mirror server is using NginX for its web-engine, and we can (web-)browse to all of the copied repos/files without issue, including downloading individual files from the local mirror by clicking on the file in the browser. So obviously we've got the http SELinux settings correct. :-)
The LAN dnf part of the system is working fine - ie our servers are running dnf both manually and automatically and pulling the software from our local mirror without issue.
So (I'm pretty sure) we need to set the correct SELinux values on the files/folders to allow rsync to (over-)write them — but I can't work out what the relevant SELinux command should be.
Could somebody please help?
Also FTR: Permanently disabling SELinux is not an option - the boss would have my head if I were to even suggest this. :-)
Thanks in advance
Dulux-Oz
TL;DR:
cat << EOF > cust_rsync.te
module cust_rsync 1.0;
require {
type rsync_t;
type httpd_sys_content_t;
class file { create open rename setattr unlink write };
}
#============= httpd_t ==============
allow rsync_t httpd_sys_content_t:file { create open rename setattr unlink write };
EOF
checkmodule -M -m -o cust_rsync.mod cust_rsync.te
semodule_package -o cust_rsync.pp -m cust_rsync.mod
semodule -i cust_rsync.pp
The answer:
Rsync is running with the type rsync_t and is trying to create, open, rename, setattr, unlink or write files with the type httpd_sys_content_t.
It is blocked by selinux, so it does try to get the capability dac_override to be able to ignore permissions, this is also blocked by selinux.
Running audit2allow -a indicates there is a boolean that might help you, rsync_full_access.
If you want to enable it, you juste have to do: setsebool -P rsync_full_access 1, although it would grant rsync full access.
In general, if the results of audit2allow -a are not mixed with other things, you can just allow what got blocked with :
audit2allow -a -M cust_rsync
semodule -i cust_rsync.pp
But in your case, it would allow the capability dac_override, so it's too much.
You can then do the longer process to do what you need. First you generate the type enforcement file from audit2allow -a: audit2allow -a -m cust_rsync > cust_rsync.te
You should have:
module cust_rsync 1.0;
require {
type rsync_t;
type httpd_sys_content_t;
type self;
class file { create open rename setattr unlink write };
class capability dac_override;
}
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t httpd_sys_content_t:file { create open rename setattr unlink write };
allow rsync_t self:capability dac_override;
You can remove the dac_override part and clean the dependencies:
module cust_rsync 1.0;
require {
type rsync_t;
type httpd_sys_content_t;
class file { create open rename setattr unlink write };
}
#============= rsync_t ==============
allow rsync_t httpd_sys_content_t:file { create open rename setattr unlink write };
And then compile and install the rules:
checkmodule -M -m -o cust_rsync.mod cust_rsync.te
semodule_package -o cust_rsync.pp -m cust_rsync.mod
semodule -i cust_rsync.pp
It is possible that once you do this, after running rsync again, new denials show.
If so, you just have to rerun with the new permission (for example, you would add append after write permission int the class line and in the allow line, then compile and install again.