Mojave rsync full disk access failure
Just upgraded to Mojave and now my cron-initiated backup scripts (running as root) which call rsync are failing on many files which I assume are protected by the new full disk access (FDA) restrictions:
rsync: opendir "/Users/uname/Library/Messages" failed: Operation not permitted (1)
...
When I run the same scripts manually from Terminal, to which I have granted FDA rights via System Preferences, all works fine, but I need cron control. Seems like my options are (i) manually exclude all offending files from the rsync dump via rsync's --exclude options (I can live with this for now although it doesn't give me a full backup), or (ii) grant FDA to rsync (or cron) directly.
Option #1 looks to be incredibly tedious as there are now many FDA-restricted files in ~uname/Library and I am sure the list will only get bigger with each macOS update, so I'd like to grant rsync FDA permission. How do I do this? It appears that SysPref will only allow FDA additions via its Finder-ish chooser dialog UI, to which the /usr/bin/rsync binary is invisible. Is there a command-line solution to granting FDA to arbitrary binaries which can't be selected via the SysPref UI? I suppose I could try to unhide both /usr and /usr/bin but that seems a bit overkill. Or maybe add a symlink to /usr/bin/rsync from Applications, but I could see that perhaps not working properly?
Also, how can you tell which files are restricted by FDA? I can see no special ACLs or access flags set on any of the restricted files, e.g., ~uname/Library/Messages. I also do not see these files listed in /System/Library/Sandbox/rootless.conf.
Finally, this is a multi-user system, so is it necessary for each user to grant FDA to rsync, however that might be accomplished? Or is it sufficient to do this from just one admin-class user? As noted above, cron (and thus rsync) is actually being run as root, as it needs access to files of all users, so is that a problem with respect to granting FDA?
And, double-finally, I assume that completely disabling SIP would fix this? I would really prefer not to go that route but if Apple continues to make things more and more difficult in this regard I will see that as an increasingly attractive option.
Thanks!
PS: Thanks in advance for all possible launchd vs. cron exhortations, but unless the use of launchd can fix this particular problem I am not interested in converting at the moment.
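The following is an added example, not part of the original post, showing how to mechanise option (i) above: it probes each directory under a user's ~/Library by attempting to list it, treats only the "Operation not permitted" (EPERM) failure that rsync reported as a TCC/FDA block (ordinary ENOENT/EACCES errors are deliberately not counted), and writes the blocked paths to an --exclude-from list for rsync. It assumes it is run as the same account that runs the backup (root via cron here) and that the directory layout is the usual ~/Library/<subdir>; the output path is a placeholder you choose.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumes it runs as the backup
# account on the macOS host; the output file path is a placeholder.

# Return 0 only when the text looks like an EPERM listing failure, the
# error rsync printed above for TCC-protected directories.
is_eperm_message() {
  case "$1" in
    *"Operation not permitted"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when the directory exists but cannot be listed because of EPERM.
# A missing directory or a plain permission-bit problem returns 1, so the
# exclude list never hides an ordinary misconfiguration.
is_tcc_blocked() {
  dir=$1
  [ -d "$dir" ] || return 1
  # Capture stderr only; a successful listing means the directory is readable.
  err=$(ls -A "$dir" 2>&1 >/dev/null) && return 1
  is_eperm_message "$err"
}

# Probe every top-level directory under <home>/Library and write the
# blocked ones, relative to <home>, into <outfile> (one pattern per line).
write_exclude_list() {
  home=$1
  out=$2
  : > "$out"
  for d in "$home"/Library/*/; do
    d=${d%/}
    if is_tcc_blocked "$d"; then
      printf '%s\n' "${d#"$home"/}" >> "$out"
    fi
  done
  wc -l < "$out" | tr -d ' '
}

# Usage (placeholder paths): regenerate the list, then back up with it.
#   write_exclude_list /Users/uname /var/backups/uname.exclude
#   rsync -a --exclude-from=/var/backups/uname.exclude /Users/uname/ /Volumes/Backup/uname/
```

Regenerating the list at the start of each cron run keeps it current as macOS adds protected locations; the script only records what the account cannot read and grants nothing, so the resulting backup still omits those directories exactly as option (i) does.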