Hi,

On Sun, Mar 25, 2007 at 05:17:39PM +0100, Justin Heesemann wrote:
> since the default role for root is staff_t, who's not allowed (almost)
> anything..
> i wonder how to manage to backup stuff to another server.

the backed-up server should run that rsync process in a special domain that allows almost any file being read from the filesystem.

for that you can have a rsync binary in a non-standard location, with a new label (say backup_exec_t). staff_t will be allowed to execute and trans to say backup_t.


type backup_t, domain, privlog, auth_chkpwd, auth;
type backup_exec_t, file_type, sysadmfile;
role staff_r types backup_t;

domain_auto_trans(staff_t, backup_exec_t, backup_t);

allow backup_t { file_type -shadow_t -portage_fetch_tmp_t -sysfs_t }:file { getattr read };
allow backup_t { file_type }:lnk_file { getattr read };
allow backup_t { file_type }:fifo_file getattr;
allow backup_t { file_type }:sock_file getattr;
allow backup_t { file_type -mnt_t -proc_t -sysfs_t }:dir { getattr read search };

[..]


you only have to make sure that no wrongdoers can execute that special rsync binary of yours or you have a serious security problem.

the destination labels are not important, since the stock rsync does not also take extended filesystem attributes into account.

>
> localhost home # rsync --dry-run jh root@backup-server:/home/jh
> Password:
> bash: /root/.bashrc: Permission denied
> skipping directory jh
> rsync: ERROR: cannot stat destination "/home/jh": Permission denied (13)
> rsync error: errors selecting input/output files, dirs (code 3) at
> main.c(507) [receiver=2.6.9]
> rsync: connection unexpectedly closed (8 bytes received so far) [sender]
> rsync error: error in rsync protocol data stream (code 12) at io.c(453)
> [sender=2.6.9]
>
>
> i'm open for any ideas..
> both "localhost" and "backup-server" are protected by selinux.
>
>
> --
> Best Regards,
> Justin
> --
> gentoo-hardened@g.o mailing list
>

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
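An added example (not from Peter's mail or from any Gentoo policy source): a small Python evaluator for the five allow rules quoted above, using a constructed file_type attribute membership, that shows which (type, class, permission) combinations the backup_t domain ends up with and that the `-type` exclusions only narrow the rule they appear in.

```python
import re

# The five allow rules exactly as they appear in the mail above.
POLICY = """
allow backup_t { file_type -shadow_t -portage_fetch_tmp_t -sysfs_t }:file { getattr read };
allow backup_t { file_type }:lnk_file { getattr read };
allow backup_t { file_type }:fifo_file getattr;
allow backup_t { file_type }:sock_file getattr;
allow backup_t { file_type -mnt_t -proc_t -sysfs_t }:dir { getattr read search };
"""

# Constructed attribute membership (an assumption, not from any real policy):
# a handful of types that carry the file_type attribute.
ATTRIBUTES = {"file_type": {"etc_t", "shadow_t", "home_t", "mnt_t", "proc_t",
                            "sysfs_t", "portage_fetch_tmp_t", "bin_t"}}

# allow <src> <target-set>:<class> <perm-set>;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\{[^}]*\}|\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def expand_set(text, attributes=ATTRIBUTES):
    """Turn `{ attr -type ... }` (or a bare name) into concrete types:
    attributes expand to their members, then '-' entries are subtracted."""
    included, excluded = set(), set()
    for tok in text.strip("{} ").split():
        if tok.startswith("-"):
            excluded.add(tok[1:])
        else:
            included |= attributes.get(tok, {tok})
    return included - excluded

def parse_rules(policy):
    """Return a list of (source, target types, class, permissions)."""
    return [(src, expand_set(tgt), cls, set(perms.strip("{} ").split()))
            for src, tgt, cls, perms in RULE_RE.findall(policy)]

RULES = parse_rules(POLICY)

def allowed(src, tgt, cls, perm, rules=RULES):
    """True if at least one rule grants `perm` on (`tgt`, `cls`) to `src`.
    Exclusions are per rule: a type dropped from the :file rule still
    matches the unrestricted :lnk_file rule."""
    return any(src == s and tgt in t and cls == c and perm in p
               for s, t, c, p in rules)

if __name__ == "__main__":
    for t in ("etc_t", "shadow_t", "proc_t"):
        print(t, "file/read", allowed("backup_t", t, "file", "read"),
              "dir/search", allowed("backup_t", t, "dir", "search"))
```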