After a considerable amount of struggle, I have managed to beat SELinux/rsync/Fedora 11 into submission and my chapter in managing-confined-services about running rsync on a non-standard port is just about done.

Start with properly labeled files to share (public_content_rw_t). Create a custom init script from scratch to launch rsync as a daemon as there is none shipped in the F11 distro. The script itself needs to be properly labeled as initrc_exec_t so that the rsync daemon will launch as rsync_t. If the rsync daemon doesn’t transition to this, the related Booleans (or SELinux itself) can’t be expected to have much of an effect over rsync.

So, we have a daemon in the rsync_t domain. Modify rsyncd.conf so it has a non-default port directive, which looks something like port = 10000 (in the global section of the file). Now, after starting rsync from the new init script again, SELinux will not at all be impressed that rsync has started on a port that it doesn’t expect (ie. a port that is not defined in rsync_port_t). Give up now? Never! Run:

# semanage port -a -t rsync_port_t -p tcp 10000

Still with me?

That command will appease SELinux (fussy little thing, huh?) and rsync will happily start on 10000.

This has been a pretty long battle to distill all this information from disparate sources online, IRC support channels, mailing lists and of course good old-fashioned google-fu. The world of SELinux can be quite arcane and this book is unique in that it covers real-world examples of how to enable services an administrator might configure and how to work around the problems that are commonly encountered. Let’s just say I kept finding my own book in google when searching for solutions!

Once I had all the details gathered it was a pretty quick task to get it all in XML, ready for proof-reading and minor editing. It’s become apparent to me that depending on your subject, perhaps you won’t spend so much time actually writing. This rsync adventure required a working lab setup, fully tested and confirmed and repeated before I even opened a para tag. Have everything ready, research your subject, make sure you have at least a decent outline and some sort of progression of how it will look, and the actual flow of information tends to go pretty quickly from then on.


