[Bug 8201] New: rsync 3.0.8 destroys SELinux security context of symbolic links
samba-bugs at samba.org
Wed Jun 1 09:53:48 MDT 2011
https://bugzilla.samba.org/show_bug.cgi?id=8201
Summary: rsync 3.0.8 destroys SELinux security context of symbolic links
Product: rsync
Version: 3.0.8
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: core
AssignedTo: wayned at samba.org
ReportedBy: martin.wilck at ts.fujitsu.com
QAContact: rsync-qa at samba.org
Description of problem:
P2V conversion of a F14 installation: used rsync -aHAXx to duplicate file
systems from physical to virtual host.
Version-Release number of selected component (if applicable):
rsync-3.0.8-1.fc14.x86_64
How reproducible:
always
Steps to Reproduce:
Physical-2-Virtual conversion of a F14 installation: used rsync -aHAXx to
duplicate file systems from physical to virtual host.
Actual results:
on source:
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 /lib64/libc.so.6 -> libc-2.13.so
on target:
lrwxrwxrwx. root root unconfined_u:object_r:file_t:s0 /lib64/libc.so.6 -> libc-2.13.so
These changed security contexts for symlinks cause the boot of the newly
created VM to fail unless boot parameter selinux=0 is used.
Expected results:
Newly created VM boots nicely
Additional info:
Reproducer:
mkdir SRC
touch SRC/file
ln -s file SRC/link
chcon -h system_u:object_r:lib_t:s0 SRC/*
ls -Z SRC
-rw-r--r--. root root system_u:object_r:lib_t:s0 file
lrwxrwxrwx. root root system_u:object_r:lib_t:s0 link -> file
mkdir TGT
rsync -aHAXx SRC/ TGT
ls -Z TGT
-rw-r--r--. root root system_u:object_r:lib_t:s0 file
lrwxrwxrwx. root root unconfined_u:object_r:user_tmp_t:s0 link -> file
This seems to have been a deliberate change in rsync:
commit 9d6fe1a6f0233c7567dfb114835751aff85a578b
Author: Wayne Davison <wayned at samba.org>
Date: Mon Jan 3 11:07:47 2011 -0800
Avoid reading ACL/xattr info on filetypes not being copied.
Make Linux avoid xattr access on symlinks.
Make OS X avoid xattr access on device/special files.
Fixes bug 5458.
https://bugzilla.samba.org/show_bug.cgi?id=5458
https://bugzilla.samba.org/show_bug.cgi?id=7109
The reason given for this change was a reference to the attr(5) man page:
"For this reason, extended user attributes are only allowed for regular files
and directories, ...".
However, that section applies to *user* attributes only.
The changes made to rsync affect all attribute name spaces, including security
attributes, and apply even if rsync is run by the super user. This is quite
obviously wrong.
https://bugzilla.redhat.com/show_bug.cgi?id=709779
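
A post-copy check for the label loss described in this report, as an added example that is not part of the original report or of rsync: it walks the source tree and compares the security.selinux attribute of every entry against the copy without following symlinks. The function names are hypothetical, and demo() uses constructed trees with stubbed labels taken from the report's ls -Z output so that it runs on hosts without SELinux.

```python
import os
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr under which SELinux stores the context

def read_label(path):
    """Return the SELinux context of path itself (lgetxattr semantics), or None."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None  # no label, or a filesystem without xattr support
    return raw.rstrip(b"\0").decode()

def label_mismatches(src, dst, get_label=read_label):
    """List (relative path, src label, dst label) for entries whose labels differ.

    os.walk does not descend into symlinked directories and the label getter
    does not follow links, so a symlink's own context is what gets compared.
    """
    mismatches = []
    for root, dirs, files in os.walk(src):
        for name in dirs + files:
            s_path = os.path.join(root, name)
            rel = os.path.relpath(s_path, src)
            d_path = os.path.join(dst, rel)
            if not os.path.lexists(d_path):
                mismatches.append((rel, get_label(s_path), "<missing>"))
                continue
            s_lab, d_lab = get_label(s_path), get_label(d_path)
            if s_lab != d_lab:
                mismatches.append((rel, s_lab, d_lab))
    return sorted(mismatches)

def demo():
    """Constructed SRC/TGT trees; labels are stubbed from the report's ls -Z output."""
    top = tempfile.mkdtemp()
    src, tgt = os.path.join(top, "SRC"), os.path.join(top, "TGT")
    for d in (src, tgt):
        os.mkdir(d)
        open(os.path.join(d, "file"), "w").close()
        os.symlink("file", os.path.join(d, "link"))
    lib = "system_u:object_r:lib_t:s0"
    fake = {os.path.join(src, "file"): lib, os.path.join(src, "link"): lib,
            os.path.join(tgt, "file"): lib,
            os.path.join(tgt, "link"): "unconfined_u:object_r:user_tmp_t:s0"}
    return label_mismatches(src, tgt, get_label=fake.get)

if __name__ == "__main__":
    for rel, s_lab, d_lab in demo():
        print(f"{rel}: {s_lab} -> {d_lab}")
```

On a real SELinux host, call label_mismatches(src, dst) with the default getter after the copy; an empty list means every entry, symlinks included, kept its context.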