rsync: Failed to exec ssh: Permission denied (13)

When another SELinux-confined process starts rsync, rsync fails with the following error.

rsync: Failed to exec ssh: Permission denied (13)

The following error may appear in some cases.

rsync: readlink_stat("/some_file" (in some_path)) failed: Permission denied (13)

To resolve the above issue, turn on the following SELinux Booleans.

  • rsync_client to allow rsync client to run ssh
  • rsync_export_all_ro to allow rsync to access (read-only) all

# setsebool -P rsync_export_all_ro 1
# setsebool -P rsync_client 1

If another SELinux-confined process (such as an initrc script or another application) starts rsync, the resulting process will also be confined to the rsync_t context.
This context does not allow the ssh command to be run by default, and it can only read files in a few specified security contexts, such as rsync_data_t and public_content_t.

Check the audit logs for rsync errors.

# ausearch -m avc -i -c rsync

Use audit2allow to identify which boolean needs to be activated.

# ausearch -m avc -i -c rsync | audit2allow

#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;

#!!!! This avc can be allowed using one of the these booleans:
#     rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;

Check the current value of the following rsync booleans.

# getsebool -a | grep rsync_

rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off
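
The audit2allow and getsebool checks above can be combined into one step. The script below is an added example, not part of the original article: it lists the booleans that audit2allow hints at and that are still off. The function names are hypothetical, and the sample input is the output shown on this page.

```shell
# Added example, not from the original page. The sample_* functions hold the
# audit2allow and getsebool output shown on this page, so it runs offline.
sample_audit2allow() { cat <<'EOF'
#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;

#!!!! This avc can be allowed using one of the these booleans:
#     rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;
EOF
}
sample_getsebool() { cat <<'EOF'
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off
EOF
}

# stdin: audit2allow output. Prints "<boolean>TAB<allow rule>" for every
# boolean that a "#!!!!" hint offers for the rule following it.
hinted_booleans() {
    awk '
        /^#!!!! .*using the boolean/ { if (split($0, q, "\047") >= 3) pending = q[2]; next }
        /^#!!!! .*one of .*booleans/ { multi = 1; next }
        multi && /^#/ {                       # continuation line "#   a, b"
            line = $0; sub(/^#[ \t]*/, "", line); gsub(/,/, " ", line)
            pending = pending " " line; next
        }
        /^allow / {
            n = split(pending, b, " ")
            for (i = 1; i <= n; i++) print b[i] "\t" $0
            pending = ""; multi = 0
        }'
}

# stdin: audit2allow output; $1: `getsebool -a` output.
# Prints the hinted booleans that are currently off, one per line.
hinted_and_off() {
    hinted_booleans | cut -f1 | sort -u | while read -r b; do
        if printf '%s\n' "$1" | grep -qxF -- "$b --> off"; then echo "$b"; fi
    done
}

sample_audit2allow | hinted_and_off "$(sample_getsebool)"
```

On a live host, pipe `ausearch -m avc -i -c rsync | audit2allow` into `hinted_and_off "$(getsebool -a)"` instead of the samples. Where a hint offers several booleans, one is enough; this page enables rsync_export_all_ro.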
