Sample Header Ad - 728x90

rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13)

7 votes
1 answer
5655 views
permissions fedora rsync selinux
I am currently migrating from Ubuntu 20.04 to Fedora 34. Following backup script has worked fine so far: 
rsync                        \
  -avixXEH                   \
  --stats                    \
  --delete                   \
  --numeric-ids              \
  --log-file="$LOG_FILE"     \
  --link-dest "$LATEST"      \
  --exclude '/some/exclude'  \
  admin@nas:/{a,b,c}         \ # source is remote nas (via ssh)
  "$TARGET"                  \ # $TARGET is ext. USB disk on fedora OS desktop
Unfortunately on Fedora, every copied path now results in a warning, polluting the log: > rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13) ## Research This seems to be an issue with rsync wanting to preserve/erase extended attributes (-X) and SELinux. Recent quote from Michal Ruprich, Red Hat: > This was 'fixed' in RHEL5 by suppressing the error message so that it does not disrupt running systems. [...] > > "rsync-2.6 does not remove extended attribute of target file in the case that this attribute has been erased in the source file. Lets call it bug. > > rsync-3.0 correctly tries to remove erased extended attributes. > > If the selinux is present on the target system, rsync can't erase security context of file and it outputs mentioned error. The behaviour of 2.6 and 3.0 is therefore identical except the informational error message." Using rsync 3.2.3 with a non-SELinux source, my interpretation is - please correct me otherwise: Copying files from a source without SELinux to a target using this security feature is interpreted as deleting the extended "security.selinux" file attribute. And rsync cannot remove it due to SELinux security restrictions on the target. Which raises the question: ## How to suppress these warnings? I still would like to copy extended attributes with -X and *not* temporarily disable complete SELinux as suggested here . Also, stumbled over an alternative that suggests setsebool -P rsync_full_access 1 - not sure, what that does exactly. It really would be nice to solve the problem at its root only for this particular case: Given USB disk mount point /run/media/user/, is there some way to grant necessary permissions in SELinux just for this path or similar? Thanks in advance
Asked by grisha (71 rep)
May 4, 2021, 07:09 PM
Last activity: Jul 16, 2025, 11:06 PM
Sidebar Ad - 300x250
Related Questions

Browse more questions from Unix & Linux Stack Exchange

More questions tagged "permissions"
More questions tagged "fedora"
More questions tagged "rsync"
Footer Ad - 728x90