Overview
When rsync is started by another SELinux-confined process, it fails with the following error.
rsync: Failed to exec ssh: Permission denied (13)
The following error may appear in some cases.
rsync: readlink_stat("/some_file" (in some_path)) failed: Permission denied (13)
Solution
To resolve the above issue, turn on the following SELinux Booleans.
- rsync_client to allow rsync client to run ssh
- rsync_export_all_ro to allow rsync to access (read-only) all
# setsebool -P rsync_export_all_ro 1
# setsebool -P rsync_client 1
If another SELinux restricted process (such as an initrc script or another application) starts rsync, the resulting process will also be confined to the rsync_t context.
This context does not allow the ssh command to be run by default, and it can only read files in a few specified security contexts, such as rsync_data_t and public_content_t.
Check the audit logs for rsync errors.
# ausearch -m avc -i -c rsync
Use audit2allow to identify which boolean needs to be activated.
# ausearch -m avc -i -c rsync | audit2allow
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;
#!!!! This avc can be allowed using one of the these booleans:
# rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;
Check the current value of the following rsync booleans.
# getsebool -a | grep rsync_
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off
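As an added example (not part of the original article), the shell function below pulls the boolean names out of audit2allow's hint comments, covering both the single-boolean form and the "one of the these booleans" form shown above. The function names are made up for this example, and the sample input is the audit2allow output from this page.

```shell
#!/bin/sh
# Added example: list the booleans that audit2allow suggests for a set of denials.
# suggested_booleans and sample_audit2allow are hypothetical helper names.

# Reads audit2allow output on stdin, prints one suggested boolean per line.
suggested_booleans() {
    awk -v q="'" '
        # Single-boolean hint: the name is quoted on the hint line itself.
        /^#!!!! This avc can be allowed using the boolean/ {
            if (split($0, parts, q) >= 3) print parts[2]
            want = 0; next
        }
        # Multi-boolean hint: the names are on the following comment line.
        /^#!!!! This avc can be allowed using one of the/ { want = 1; next }
        want && /^#/ {
            line = $0
            sub(/^#[ \t]*/, "", line)      # drop the comment marker
            sub(/[ \t]+$/, "", line)       # drop trailing whitespace
            n = split(line, names, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
            want = 0; next
        }
        { want = 0 }                       # any other line ends a pending hint
    ' | sort -u
}

# Constructed sample: the audit2allow output shown in this article.
sample_audit2allow() {
    cat <<'EOF'
#============= rsync_t ==============
#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;
#!!!! This avc can be allowed using one of the these booleans:
# rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;
EOF
}

sample_audit2allow | suggested_booleans
```

On a live system, feed it the real denials with ausearch -m avc -i -c rsync | audit2allow | suggested_booleans. audit2allow lists every boolean that would permit a denial; of the two offered for the second denial, this article enables rsync_export_all_ro, the read-only one.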



