found 5 alerts in /root/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh from execute access on the file /lib64/ld-linux-x86-64.so.2.

***** Plugin restorecon (92.2 confidence) suggests ************************

If you want to fix the label.
/lib64/ld-linux-x86-64.so.2 default label should be ld_so_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /lib64/ld-linux-x86-64.so.2

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow rsync to run as a client
Then you must tell SELinux about this by enabling the 'rsync_client' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_client 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that ssh should be allowed execute access on the ld-linux-x86-64.so.2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ssh' --raw | audit2allow -M my-ssh
# semodule -X 300 -i my-ssh.pp

Additional Information:
Source Context                system_u:system_r:rsync_t:s0
Target Context                system_u:object_r:ssh_exec_t:s0
Target Objects                /lib64/ld-linux-x86-64.so.2 [ file ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port
Host
Source RPM Packages           openssh-clients-8.0p1-5.el8.x86_64
Target RPM Packages           glibc-2.28-127.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     glustera.localdomain
Platform                      Linux glustera.localdomain 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-12-30 17:15:38 EET
Last Seen                     2020-12-30 17:15:44 EET
Local ID                      05a086c4-a790-4ac6-acc0-8c3cf89449b3

Raw Audit Messages
type=AVC msg=audit(1609341344.617:2515): avc: denied { execute } for pid=9926 comm="rsync" name="ssh" dev="dm-0" ino=58937640 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1609341344.617:2515): avc: denied { read open } for pid=9926 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=58937640 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1609341344.617:2515): avc: denied { execute_no_trans } for pid=9926 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=58937640 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1609341344.617:2515): avc: denied { map } for pid=9926 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=58937640 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1609341344.617:2515): arch=x86_64 syscall=execve success=yes exit=0 a0=7ffe31ce3ed0 a1=7ffe31ce40c0 a2=7ffe31ce71b0 a3=7ffe31ce8f00 items=1 ppid=9922 pid=9926 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ssh exe=/usr/bin/ssh subj=system_u:system_r:rsync_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
type=CWD msg=audit(1609341344.617:2515): cwd=/tmp/gsyncd-aux-mount-nzv5mi1c
type=PATH msg=audit(1609341344.617:2515): item=0 name=/lib64/ld-linux-x86-64.so.2 inode=29360488 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root

Hash: ssh,rsync_t,ssh_exec_t,file,execute

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh from search access on the directory /var/lib/glusterd/geo-replication/secret.pem.

***** Plugin rsync_data (37.5 confidence) suggests ************************

If secret.pem should be shared via the RSYNC daemon
Then you need to change the label on secret.pem
Do
# semanage fcontext -a -t rsync_data_t '/var/lib/glusterd/geo-replication/secret.pem'
# restorecon -v '/var/lib/glusterd/geo-replication/secret.pem'

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync to export any files/directories read only.
Then you must tell SELinux about this by enabling the 'rsync_export_all_ro' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_export_all_ro 1

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync server to manage all files/directories on the system.
Then you must tell SELinux about this by enabling the 'rsync_full_access' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_full_access 1

***** Plugin catchall (4.20 confidence) suggests **************************

If you believe that ssh should be allowed search access on the secret.pem directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ssh' --raw | audit2allow -M my-ssh
# semodule -X 300 -i my-ssh.pp

Additional Information:
Source Context                system_u:system_r:rsync_t:s0
Target Context                system_u:object_r:glusterd_var_lib_t:s0
Target Objects                /var/lib/glusterd/geo-replication/secret.pem [ dir ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port
Host
Source RPM Packages           openssh-clients-8.0p1-5.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     glustera.localdomain
Platform                      Linux glustera.localdomain 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-12-30 17:15:38 EET
Last Seen                     2020-12-30 17:15:39 EET
Local ID                      e06fcbc6-9fbe-4a52-8e5f-4a202c16279b

Raw Audit Messages
type=AVC msg=audit(1609341339.745:2514): avc: denied { search } for pid=9854 comm="ssh" name="glusterd" dev="dm-0" ino=8442715 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:glusterd_var_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1609341339.745:2514): arch=x86_64 syscall=stat success=yes exit=0 a0=5574f340f220 a1=7ffe72d0e4a0 a2=7ffe72d0e4a0 a3=1 items=1 ppid=9852 pid=9854 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ssh exe=/usr/bin/ssh subj=system_u:system_r:rsync_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
type=PATH msg=audit(1609341339.745:2514): item=0 name=/var/lib/glusterd/geo-replication/secret.pem inode=4707507 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:glusterd_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root

Hash: ssh,rsync_t,glusterd_var_lib_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh from search access on the directory .ssh.

***** Plugin rsync_data (37.5 confidence) suggests ************************

If .ssh should be shared via the RSYNC daemon
Then you need to change the label on .ssh
Do
# semanage fcontext -a -t rsync_data_t '.ssh'
# restorecon -v '.ssh'

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync to export any files/directories read only.
Then you must tell SELinux about this by enabling the 'rsync_export_all_ro' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_export_all_ro 1

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync server to manage all files/directories on the system.
Then you must tell SELinux about this by enabling the 'rsync_full_access' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_full_access 1

***** Plugin catchall (4.20 confidence) suggests **************************

If you believe that ssh should be allowed search access on the .ssh directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ssh' --raw | audit2allow -M my-ssh
# semodule -X 300 -i my-ssh.pp

Additional Information:
Source Context                system_u:system_r:rsync_t:s0
Target Context                system_u:object_r:ssh_home_t:s0
Target Objects                .ssh [ dir ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port
Host
Source RPM Packages           openssh-clients-8.0p1-5.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     glustera.localdomain
Platform                      Linux glustera.localdomain 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-12-30 17:15:38 EET
Last Seen                     2020-12-30 17:15:38 EET
Local ID                      f49988cd-3dea-41dd-aa33-9521d013870a

Raw Audit Messages
type=AVC msg=audit(1609341338.226:2513): avc: denied { search } for pid=9826 comm="ssh" name=".ssh" dev="dm-0" ino=37748868 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1609341338.226:2513): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=7fff5dced520 a2=0 a3=0 items=0 ppid=9825 pid=9826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ssh exe=/usr/bin/ssh subj=system_u:system_r:rsync_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: ssh,rsync_t,ssh_home_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh from search access on the directory /tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock.

***** Plugin rsync_data (37.5 confidence) suggests ************************

If 274d5d142b02f84644d658beaf86edae.sock should be shared via the RSYNC daemon
Then you need to change the label on 274d5d142b02f84644d658beaf86edae.sock
Do
# semanage fcontext -a -t rsync_data_t '/tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock'
# restorecon -v '/tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock'

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync to export any files/directories read only.
Then you must tell SELinux about this by enabling the 'rsync_export_all_ro' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_export_all_ro 1

***** Plugin catchall_boolean (30.1 confidence) suggests ******************

If you want to allow rsync server to manage all files/directories on the system.
Then you must tell SELinux about this by enabling the 'rsync_full_access' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_full_access 1

***** Plugin catchall (4.20 confidence) suggests **************************

If you believe that ssh should be allowed search access on the 274d5d142b02f84644d658beaf86edae.sock directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ssh' --raw | audit2allow -M my-ssh
# semodule -X 300 -i my-ssh.pp

Additional Information:
Source Context                system_u:system_r:rsync_t:s0
Target Context                system_u:object_r:glusterd_tmp_t:s0
Target Objects                /tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock [ dir ]
Source                        ssh
Source Path                   /usr/bin/ssh
Port
Host
Source RPM Packages           openssh-clients-8.0p1-5.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     glustera.localdomain
Platform                      Linux glustera.localdomain 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-12-30 17:15:38 EET
Last Seen                     2020-12-30 17:15:38 EET
Local ID                      b8c177e4-168d-4ce4-9a31-cb16d9de051a

Raw Audit Messages
type=AVC msg=audit(1609341338.117:2511): avc: denied { search } for pid=9821 comm="ssh" name="gsyncd-aux-ssh-tnwpw5tx" dev="dm-0" ino=50479414 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:glusterd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1609341338.117:2511): avc: denied { write } for pid=9821 comm="ssh" name="274d5d142b02f84644d658beaf86edae.sock" dev="dm-0" ino=50479417 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:glusterd_tmp_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1609341338.117:2511): arch=x86_64 syscall=connect success=yes exit=0 a0=5 a1=7ffcbe20d810 a2=6e a3=1 items=1 ppid=9820 pid=9821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ssh exe=/usr/bin/ssh subj=system_u:system_r:rsync_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
type=PATH msg=audit(1609341338.117:2511): item=0 name=/tmp/gsyncd-aux-ssh-tnwpw5tx/274d5d142b02f84644d658beaf86edae.sock inode=50479417 dev=fd:00 mode=0140600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:glusterd_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root

Hash: ssh,rsync_t,glusterd_tmp_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/rsync from search access on the directory .gfid/00000000-0000-0000-0000-000000000001.

***** Plugin rsync_data (29.0 confidence) suggests ************************

If 00000000-0000-0000-0000-000000000001 should be shared via the RSYNC daemon
Then you need to change the label on 00000000-0000-0000-0000-000000000001
Do
# semanage fcontext -a -t rsync_data_t '.gfid/00000000-0000-0000-0000-000000000001'
# restorecon -v '.gfid/00000000-0000-0000-0000-000000000001'

***** Plugin catchall_boolean (23.3 confidence) suggests ******************

If you want to support fusefs home directories
Then you must tell SELinux about this by enabling the 'use_fusefs_home_dirs' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P use_fusefs_home_dirs 1

***** Plugin catchall_boolean (23.3 confidence) suggests ******************

If you want to allow rsync to export any files/directories read only.
Then you must tell SELinux about this by enabling the 'rsync_export_all_ro' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_export_all_ro 1

***** Plugin catchall_boolean (23.3 confidence) suggests ******************

If you want to allow rsync server to manage all files/directories on the system.
Then you must tell SELinux about this by enabling the 'rsync_full_access' boolean.
You can read 'rsync_selinux' man page for more details.
Do
setsebool -P rsync_full_access 1

***** Plugin catchall (3.35 confidence) suggests **************************

If you believe that rsync should be allowed search access on the 00000000-0000-0000-0000-000000000001 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rsync' --raw | audit2allow -M my-rsync
# semodule -X 300 -i my-rsync.pp

Additional Information:
Source Context                system_u:system_r:rsync_t:s0
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                .gfid/00000000-0000-0000-0000-000000000001 [ dir ]
Source                        rsync
Source Path                   /usr/bin/rsync
Port
Host
Source RPM Packages           rsync-3.1.3-9.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     glustera.localdomain
Platform                      Linux glustera.localdomain 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-12-30 17:15:38 EET
Last Seen                     2020-12-30 17:15:38 EET
Local ID                      85434c67-e802-4d1a-8c2e-a2e8c7f7cc85

Raw Audit Messages
type=AVC msg=audit(1609341338.169:2512): avc: denied { search } for pid=9820 comm="rsync" name="/" dev="fuse" ino=1 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1609341338.169:2512): avc: denied { getattr } for pid=9820 comm="rsync" path="/tmp/gsyncd-aux-mount-1jdu4tiw/.gfid/00000000-0000-0000-0000-000000000001" dev="fuse" ino=11738325272634070624 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1609341338.169:2512): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffc484c6910 a1=7ffc484c6880 a2=7ffc484c6880 a3=7ffc484c6690 items=1 ppid=9546 pid=9820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rsync exe=/usr/bin/rsync subj=system_u:system_r:rsync_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
type=PATH msg=audit(1609341338.169:2512): item=0 name=.gfid/00000000-0000-0000-0000-000000000001 inode=11738325272634070624 dev=00:30 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:fusefs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID=root OGID=root

Hash: rsync,rsync_t,fusefs_t,dir,search