Here is a quick and useful tip on how to run an rsync daemon under CentOS 8 with SELinux in Enforcing mode.
There are three basic steps:
- rsync daemon installation and configuration.
- firewall configuration.
- SELinux configuration.
STEP 1) rsync daemon installation and configuration.
Under CentOS 8, the rsync daemon files are in a separate RPM package, rsync-daemon (more on the subject rsync daemon in CentOS 8):
```
[root@srv ~]# dnf install -y rsync-daemon
Last metadata expiration check: 2:45:48 ago on Thu Apr  7 07:40:42 2022.
Dependencies resolved.
==============================================================================================================
 Package                      Architecture           Version                     Repository            Size
==============================================================================================================
Installing:
 rsync-daemon                 noarch                 3.1.3-14.el8                baseos                43 k

Transaction Summary
==============================================================================================================
Install  1 Package

Total download size: 43 k
Installed size: 17 k
Downloading Packages:
rsync-daemon-3.1.3-14.el8.noarch.rpm                                           98 kB/s |  43 kB     00:00
--------------------------------------------------------------------------------------------------------------
Total                                                                          81 kB/s |  43 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                      1/1
  Installing       : rsync-daemon-3.1.3-14.el8.noarch                                                     1/1
  Running scriptlet: rsync-daemon-3.1.3-14.el8.noarch                                                     1/1
  Verifying        : rsync-daemon-3.1.3-14.el8.noarch                                                     1/1

Installed:
  rsync-daemon-3.1.3-14.el8.noarch

Complete!
```
The configuration is in /etc/rsyncd.conf and it is simple enough; just append the following lines to the end of the configuration file:
```
hosts allow = 192.168.0.2
hosts deny = *

[storage]
read only = yes
path = /mnt/storage
comment = storage
uid=0
gid=0
```
Of course, check whether hosts allow and hosts deny are already present in the current configuration; if they are, just add the IP of the client to the existing list, separated with a comma.
The shared directory is /mnt/storage, but it could even be “/”, i.e. the root of the filesystem tree.
Start the rsync daemon and check if it is running properly:
```
[root@srv ~]# systemctl start rsyncd
[root@srv ~]# systemctl status rsyncd
● rsyncd.service - fast remote file copy program daemon
   Loaded: loaded (/usr/lib/systemd/system/rsyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-04-07 08:19:50 UTC; 4s ago
 Main PID: 950697 (rsync)
    Tasks: 1 (limit: 409567)
   Memory: 800.0K
   CGroup: /system.slice/rsyncd.service
           └─950697 /usr/bin/rsync --daemon --no-detach
```
STEP 2) Configure the CentOS 8 firewall.
CentOS 8 uses the firewalld daemon, which is controlled with the firewall-cmd command-line utility. The following line is enough to allow an IP to connect to the running rsync daemon on port 873 (the default rsync daemon port).
```
[root@srv ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.2" port protocol="tcp" port="873" accept'
success
```
The IP 192.168.0.2 is now allowed to connect to the rsync daemon.
If the rule needs to be persistent, add the additional option “--permanent” and issue a reload command:
```
[root@srv ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.2" port protocol="tcp" port="873" accept'
success
[root@srv ~]# firewall-cmd --reload
success
```
STEP 3) SELinux configuration.
When SELinux is enabled and in Enforcing mode, there are several rsync SELinux options to consider. To configure SELinux to allow the rsync daemon to access the file system, at least rsync_export_all_ro should be enabled:
```
[root@srv ~]# setsebool -P rsync_export_all_ro 1
```
“-P” means the option is persistent over reboots.
There are more options, such as making the exported files writable by the rsync daemon, and so on:
```
[root@srv ~]# getsebool -a|grep rsync
postgresql_can_rsync --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> on
rsync_full_access --> off
rsync_sys_admin --> off
```
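A consistency check for steps 1 and 3, as an added example that is not part of the original post: it parses the module definitions from rsyncd.conf text and compares them with the rsync booleans reported by getsebool. The function names and the embedded samples are assumptions, built from the values shown above.

```shell
# Added example, not from the original post. Both samples are constructed from
# the configuration and the getsebool output shown in the article.
SAMPLE_CONF='hosts allow = 192.168.0.2
hosts deny = *
[storage]
read only = yes
path = /mnt/storage
comment = storage
uid=0
gid=0'
SAMPLE_BOOLS='rsync_anon_write --> off
rsync_export_all_ro --> on
rsync_full_access --> off'

# Print "module|read_only|path" per [module]; rsync modules default to read only.
list_modules() {
  printf '%s\n' "$1" | awk '
    function flush() { if (mod != "") print mod "|" ro "|" path }
    BEGIN { def = "yes" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { flush(); mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*/, "", mod)
                  ro = def; path = ""; next }
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "path") path = val
      if (key != "read only") next
      v = (tolower(val) ~ /^(no|false|0)$/) ? "no" : "yes"
      if (mod == "") def = v; else ro = v }
    END { flush() }'
}
# $1 = rsyncd.conf text, $2 = `getsebool -a` output. Returns 1 on FAIL or boolean WARN.
audit_rsync_selinux() {
  local mods writable b state rc=0
  mods=$(list_modules "$1")
  writable=$(printf '%s\n' "$mods" | awk -F'|' '$2 == "no" { n++ } END { print n + 0 }')
  for b in rsync_export_all_ro rsync_full_access rsync_anon_write; do
    state=$(printf '%s\n' "$2" | awk -v b="$b" '$1 == b { print $3 }')
    case "$b=$state writable=$writable" in
      "rsync_export_all_ro=on "*) ;;
      "rsync_export_all_ro="*) echo "FAIL: $b is not on"; rc=1 ;;
      *"=on writable=0") echo "WARN: $b is on but every module is read only"; rc=1 ;;
    esac
  done
  printf '%s\n' "$mods" | awk -F'|' '$2 == "no" { print "WARN: module " $1 " is writable; rsync_export_all_ro covers reads only" }'
  [ "$rc" -eq 0 ] && [ "$writable" -eq 0 ] && echo "OK: read-only modules, least-privilege booleans"
  return "$rc"
}
audit_rsync_selinux "$SAMPLE_CONF" "$SAMPLE_BOOLS"
```

On a live server, pass the contents of /etc/rsyncd.conf and the output of `getsebool -a` instead of the samples.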
STEP 4) rsync client command to sync content.
Here is an example client rsync command, which synchronizes a directory (192.168.0.1::storage/files/) from a remote server to a local directory (/mnt/storage/files/).
```
[root@srv ~]# rsync --verbose --progress --stats --recursive --times --perms --links --owner --group --hard-links --devices --specials 192.168.0.1::storage/files/ /mnt/storage/files/
```
The command enables multiple options to preserve the users, groups, permissions, times, and more.
Troubleshooting
```
[root@srv ~]# rsync --verbose --progress --stats --recursive --times --perms --links --owner --group --hard-links --devices --specials 192.168.0.1::storage/files/ /mnt/storage/files/
receiving incremental file list
rsync: change_dir "/mnt/storage/files" (in storage) failed: Permission denied (13)

Number of files: 0
Number of created files: 0
Number of deleted files: 0
Number of regular files transferred: 0
Total file size: 0 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 94
Total bytes sent: 8
Total bytes received: 94

sent 8 bytes  received 94 bytes  68.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1663) [Receiver=3.1.3]
rsync: read error: Connection reset by peer (104)
```
The error occurs because SELinux prevents the rsync daemon from accessing the /mnt/storage/files directory. After enabling rsync_export_all_ro, the error disappears and rsync starts synchronizing the directories.
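To confirm that a "Permission denied (13)" like the one above comes from SELinux rather than from file permissions, the audit log can be filtered for denials whose source domain is rsync_t. This is an added example, not part of the original post; the audit records are constructed (the labels, device and inode values are placeholders) and the function name is an assumption.

```shell
# Added example, not from the original post. SAMPLE_AUDIT is constructed:
# PID 950697 is the daemon PID shown in the article; the target labels,
# device names and inode numbers are placeholders.
SAMPLE_AUDIT='type=AVC msg=audit(1649319650.101:812): avc:  denied  { search } for  pid=950697 comm="rsync" name="files" dev="sdb1" ino=131 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1649319650.105:813): avc:  denied  { search } for  pid=950697 comm="rsync" name="files" dev="sdb1" ino=131 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1649319700.220:820): avc:  denied  { write } for  pid=950697 comm="rsync" name="upload" dev="sdb1" ino=140 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1649319710.300:821): avc:  denied  { read } for  pid=1200 comm="httpd" name="index.html" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0'

# Print "count target_type class perms verdict" for each distinct denial whose
# source domain is rsync_t. "read-only" means only read-type permissions were
# denied, which is what rsync_export_all_ro addresses; "beyond-read" means the
# daemon asked for more than that boolean grants.
rsync_denials() {
  printf '%s\n' "$1" | awk '
    $1 == "type=AVC" && /avc: +denied/ && /scontext=[^ ]*:rsync_t:/ {
      perms = $0; sub(/^[^{]*\{ */, "", perms); sub(/ *\}.*$/, "", perms)
      ttype = ""; class = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { class = substr($i, 8) }
      }
      verdict = "read-only"
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (p[j] !~ /^(read|open|getattr|search|ioctl|lock|map)$/) verdict = "beyond-read"
      gsub(/ /, ",", perms)
      count[ttype " " class " " perms " " verdict]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

rsync_denials "$SAMPLE_AUDIT"
```

On a live server the records can be taken from /var/log/audit/audit.log or from `ausearch -m AVC -c rsync --raw`; an empty result while the rsync error persists points at ordinary file permissions or the rsyncd.conf settings instead.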