SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you must tell SELinux how you are running services. The following Booleans allow you to tell SELinux how you are running rsync:
allow_rsync_anon_write
Having this Boolean enabled allows rsync in the rsync_t domain to manage files, links and directories that have a type of public_content_rw_t. Often these are public files used for public file transfer services. Files and directories must be labeled public_content_rw_t.
rsync_client
Having this Boolean enabled allows rsync to initiate connections to ports defined as rsync_port_t, as well as allowing rsync to manage files, links and directories that have a type of rsync_data_t. Note that the rsync daemon must be in the rsync_t domain in order for SELinux to enact its control over rsync. The configuration example in this chapter demonstrates rsync running in the rsync_t domain.
rsync_export_all_ro
Having this Boolean enabled allows rsync in the rsync_t domain to export NFS and CIFS file systems with read-only access to clients.
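
The following is an added example, not part of the original guide: a shell function that reads Boolean states in the "name --> on|off" format printed by getsebool -a and prints the setsebool -P commands needed so that only the rsync Booleans a deployment requires stay enabled. The function name rsync_bool_plan and the sample states are constructed for illustration; the function only prints commands and changes nothing on the system.

```shell
#!/bin/sh
# Constructed sample, in the format printed by `getsebool -a`.
SAMPLE='allow_rsync_anon_write --> on
httpd_can_sendmail --> off
rsync_client --> off
rsync_export_all_ro --> on'

# rsync_bool_plan [NEEDED_BOOLEAN ...]   (hypothetical helper name)
# Reads getsebool output on stdin. For each of the three rsync Booleans
# described above, compares the current state with the wanted state
# (on if named as an argument, off otherwise) and prints the
# `setsebool -P` command for every mismatch. Nothing is executed.
rsync_bool_plan() {
    needed=" $* "
    while read -r name arrow state; do
        # Skip anything that is not a "name --> state" line.
        [ "$arrow" = "-->" ] || continue
        case "$name" in
            allow_rsync_anon_write|rsync_client|rsync_export_all_ro) ;;
            *) continue ;;   # not an rsync Boolean from this section
        esac
        case "$needed" in
            *" $name "*) want=on ;;
            *)           want=off ;;
        esac
        [ "$state" = "$want" ] || echo "setsebool -P $name $want"
    done
}

# Example: this host only runs rsync as a client, so the anonymous-write
# and export Booleans should be off.
printf '%s\n' "$SAMPLE" | rsync_bool_plan rsync_client

# On a live system the input would come from the real tool:
#   getsebool -a | rsync_bool_plan rsync_client
# If allow_rsync_anon_write is kept on, the target files and directories
# must also carry the public_content_rw_t label, as stated above.
```

Review the printed commands before running them; setsebool -P makes the change persistent across reboots.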