On Fri, 2008-10-03 at 07:33 +0000, Mike wrote:
> I have for many years run backups from laptops on the local LAN to an
> external USB drive attached to the main desktop machine using rsync -aH.
> The main desktop is running F8 with SELinux disabled.
> In recent months I upgraded the laptop to F9 with SELinux enabled.
> I have just realised that the method I use gives files on the backup drive
> that have no selinux contexts... so in the event of having to rebuild a laptop
> and pulling files off the backup drive the selinux contexts would have to be
> recreated.
> I am fairly new to SELinux but I presume that merely adding -X to the rsync
> command would still not produce any contexts on the files that are generated
> on the backup drive since the machine that is processing the rsync at the
> receive end has SELinux disabled.

That is correct. The remote OS does not understand the SELinux
contexts, so you will get many errors when you try the -X option.

> At some point the desktop will be upgraded to F9 (and later F10) with
> SELinux enabled - and I am now not sure if attaching the original external
> USB drive unchanged would then still result in files without any security
> contexts on the external drive?

Be careful using two different operating systems with rsync--if the
local OS is trying to back up to the remote OS, and the remote OS doesn't
know about the contexts on the local OS, you will again have errors.

> If this is the case would I need to label the filesystem on the
> external drive?
> What is the best route to getting this backup system working to preserve
> security contexts for all files (including system areas such as /var /etc)?

Before it gets too complex, let me just say that you may be able to
simply use `restorecon -Rv /etc` to restore contexts to everything
in /etc/. This may be the simplest solution.
Barring that, the easiest way to get backups with good contexts is to use
getfattr to store the current contexts to a file. You will be able to
use the file to restore contexts.
If you wanted to back up the SELinux attributes for all files/dirs
in /etc/, for example, run:

    getfattr -Rdh -m security.selinux /etc > /etc/SELinux-attrs

If you wanted to restore from backup, do the data restore, then run the
following:

    cd /
    setfattr -h --restore=/etc/SELinux-attrs

Run `ls -Z /etc/` to verify proper context.
--
Forrest Taylor
Global Learning Services Project Manager III
Cell: 303-913-5169
AIM: forresttaylorred
Red Hat IRC: forrest
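
An added example, not part of the original message: the check after the restore can be scripted by taking a second getfattr dump and comparing it with the saved one, instead of reading `ls -Z` output by eye. The function name selinux_dump_diff and the sample dumps are constructed for illustration; the script assumes the "# file:" / security.selinux="..." layout that getfattr -d writes, and that a trailing \000 in a value is not significant.

```shell
#!/bin/sh
# selinux_dump_diff SAVED CURRENT   (two distinct getfattr dump files)
# Prints one line per path whose security.selinux value in SAVED is
# missing from CURRENT or differs from it.
selinux_dump_diff() {
    awk '
        /^# file: / { path = substr($0, 9); next }   # record header
        /^security\.selinux=/ {
            val = substr($0, 18)          # text after "security.selinux="
            gsub(/^"|"$/, "", val)        # drop the surrounding quotes
            sub(/\\000$/, "", val)        # assumption: trailing NUL is noise
            if (FILENAME == ARGV[1]) saved[path] = val
            else current[path] = val
        }
        END {
            for (p in saved) {
                if (!(p in current))
                    print "MISSING " p " want=" saved[p]
                else if (current[p] != saved[p])
                    print "CHANGED " p " want=" saved[p] " got=" current[p]
            }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample dumps (not real system output): "saved" stands for
# /etc/SELinux-attrs, "current" for a dump taken after the restore.
demo() {
    d=$(mktemp -d)
    cat > "$d/saved" <<'EOF'
# file: etc/passwd
security.selinux="system_u:object_r:etc_t:s0\000"

# file: etc/shadow
security.selinux="system_u:object_r:shadow_t:s0\000"

# file: etc/resolv.conf
security.selinux="system_u:object_r:net_conf_t:s0\000"
EOF
    cat > "$d/current" <<'EOF'
# file: etc/passwd
security.selinux="system_u:object_r:etc_t:s0"

# file: etc/shadow
security.selinux="system_u:object_r:file_t:s0\000"
EOF
    selinux_dump_diff "$d/saved" "$d/current"
    rm -rf "$d"
}
demo
```

On a real system the second dump would come from rerunning the getfattr command above with a different output file; any line printed names a file to fix with setfattr or restorecon.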