When another SELinux confined process starts rsync, it fails with the following error.
rsync: Failed to exec ssh: Permission denied (13)
The following error may appear in some cases.
rsync: readlink_stat("/some_file" (in some_path)) failed: Permission denied (13)
To resolve the above issue, turn on the following SELinux Booleans.
- rsync_client to allow rsync client to run ssh
- rsync_export_all_ro to allow rsync to access (read-only) all
# setsebool -P rsync_export_all_ro 1
# setsebool -P rsync_client 1
If another SELinux restricted process (such as an initrc script or another application) starts rsync, the resulting process will also be confined to the rsync_t context.
This context does not allow the ssh command to be run by default, and it can only read files in a few specified security contexts, such as rsync_data_t and public_content_t.
Check the audit logs for rsync errors.
# ausearch -m avc -i -c rsync
Use audit2allow to identify which boolean needs to be activated.
# ausearch -m avc -i -c rsync | audit2allow

#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;

#!!!! This avc can be allowed using one of the these booleans:
#     rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;
Check the current value of the following rsync booleans.
# getsebool -a | grep rsync_
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off
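
The diagnostic steps above can be combined so that each boolean audit2allow suggests is listed next to its current value and the denied rule it would allow. This is an added example, not part of the original article; the helper name suggested_booleans is hypothetical and the sample input is constructed from the output shown above. Where audit2allow offers a choice, this page enables rsync_export_all_ro, the read-only boolean, rather than rsync_full_access.

```shell
#!/bin/sh
# Added example, not from the original page. Samples below are constructed
# from the audit2allow and getsebool output shown on this page.
SAMPLE_A2A="#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_client'
allow rsync_t ssh_exec_t:file execute;

#!!!! This avc can be allowed using one of the these booleans:
#     rsync_export_all_ro, rsync_full_access
allow rsync_t unlabeled_t:dir search;"
SAMPLE_BOOLS="rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_full_access --> off
rsync_sys_admin --> off"

# suggested_booleans A2A_TEXT GETSEBOOL_TEXT   (hypothetical helper name)
# Prints one line per candidate: "<boolean> <current state> <denied rule>".
suggested_booleans() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        !sep && $0 == "---" { sep = 1; next }        # end of getsebool part
        !sep { state[$1] = $3; next }                # "name --> value"
        /^#!!!!.*the boolean / {                     # single quoted boolean
            split($0, q, "\047"); hints = q[2]; more = 0; next
        }
        /^#!!!!.*booleans:/ { hints = ""; more = 1; next }
        more && /^#/ {                               # continuation: "# a, b"
            line = $0; sub(/^#[ \t]*/, "", line); hints = hints " " line; next
        }
        /^allow / {                                  # rule the hints refer to
            n = split(hints, b, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (b[i] != "")
                    print b[i], ((b[i] in state) ? state[b[i]] : "unknown"), $0
            hints = ""; more = 0
        }'
}

# On a live host (commands from this page):
#   suggested_booleans "$(ausearch -m avc -i -c rsync | audit2allow)" "$(getsebool -a)"
suggested_booleans "$SAMPLE_A2A" "$SAMPLE_BOOLS"
```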