Re: [rdiff-backup-users] [Fwd: Re: selinux and rdiff-backup]

[Andrew Ferguson]

On Jul 16, 2008, at 10:58 AM, Farkas Levente wrote:
> hi,
> after a discussion with daniel i forward his mail to here. the main  
> question the /usr/lib/python2.4/site-packages/rdiff_backup/ 
> _librsync.so file which requires textrel_shlib_t (why?) and cause  
> problem in case of selinux (bad default file content and memory  
> protection problems).
> so why we need this? other *.so files under /usr/lib/python2.?/site- 
> packages/ has only lib_t security context type. why rdiff-backup  
> need textrel_shlib_t?

This is not an rdiff-backup bug. I have been able to reproduce it on a  
test system.

The problem is due to librsync. I believe on your computer, but  
perhaps on Daniel's computer. Did you build librsync yourself? Or  
install it from RPM?

Here is the problem: by default, librsync only builds a *static*  
library (librsync.a), not a dynamic library (librsync.so.1.0.2). Thus,  
when you build rdiff-backup on such a system, the dynamic _librsync.so  
library is forced to rely upon the static librsync library, which it  
loads by doing the text relocation. SELinux disallows this relocation  
under the default policy, leading to the trouble that you observed.

The solution to this is simple: simply recompile librsync and add the  
"--enable-shared" option to ./configure. See the output of "./ 
configure --help" when building librsync for more info. After you  
recompile librsync, then rebuild rdiff-backup and the new _librsync.so  
library will not require any SELinux commands.

If you installed librsync from RPM, complain to whoever provided the  
RPM.


So, why is librsync's configure script so bone-headed? Probably  
because it hasn't had a release in nearly four years. :-/


Andrew