2:33 a.m.
I have for many years run backups from laptops on the local LAN to an external
USB drive attached to the main desktop machine using rsync -aH.
The main desktop is running F8 with SELinux disabled.
In recent months I upgraded the laptop to F9 with SELinux enabled.
I have just realised that the method I use gives files on the backup drive
that have no selinux contexts... so in the event of having to rebuild a laptop
and pulling files off the backup drive the selinux contexts would have to be
recreated.
I am fairly new to SELinux but I presume that merely adding -X to the rsync
command would still not produce any contexts on the files that are generated
on the backup drive since the machine that is processing the rsync at the
receive end has SELinux disabled.
At some point the desktop will be upgraded to F9 (and later F10) with SELinux
enabled - and I am now not sure if attaching the original external USB drive
unchanged would then still result in files without any security contexts on
the external drive?
If this is the case would I need to label the filesystem on the external drive?
What is the best route to getting this backup system working to preserve
security contexts for all files (including system areas such as /var /etc ?
Thanks
10:28 a.m.
On Fri, 2008-10-03 at 07:33 +0000, Mike wrote:
I have for many years run backups from laptops on the local LAN to an
external
USB drive attached to the main desktop machine using rsync -aH.
The main desktop is running F8 with SELinux disabled.
In recent months I upgraded the laptop to F9 with SELinux enabled.
I have just realised that the method I use gives files on the backup drive
that have no selinux contexts... so in the event of having to rebuild a laptop
and pulling files off the backup drive the selinux contexts would have to be
recreated.
I am fairly new to SELinux but I presume that merely adding -X to the rsync
command would still not produce any contexts on the files that are generated
on the backup drive since the machine that is processing the rsync at the
receive end has SELinux disabled.
That is correct. The remote OS does not understand the SELinux
contexts, so you will get many errors when you try the -X option.
At some point the desktop will be upgraded to F9 (and later F10) with
SELinux
enabled - and I am now not sure if attaching the original external USB drive
unchanged would then still result in files without any security contexts on
the external drive?
Be careful using two different operating systems with rsync--if the
local OS is trying to backup to the remote OS, and the remote OS doesn't
know about the contexts on the local OS, you will again have errors.
If this is the case would I need to label the filesystem on the
external drive?
What is the best route to getting this backup system working to preserve
security contexts for all files (including system areas such as /var /etc ?
Before it gets too complex, let me just say that you may be able to
simply use `restorecon -Rv /etc` to restore contexts to everything
in /etc/. This may be the simplest solution.
Baring that, the easiest way to get backups with good contexts is to use
getfattr to store the current contexts to a file. You will be able to
use the file to restore contexts.
If you wanted to backup the SELinux attributes for all files/dirs
in /etc/, for example, run:
getfattr -Rdh -m security.selinux /etc > /etc/SELinux-attrs
If you wanted to restore from backup, do the data restore, then run the
following:
cd /
setfattr -h --restore=/etc/SELinux-attrs
Run `ls -Z /etc/` to verify proper context.
--
Forrest Taylor
Global Learning Services Project Manager III
Cell: 303-913-5169
AIM: forresttaylorred
Red Hat IRC: forrest
2:44 p.m.
Forrest Taylor <ftaylor <at> redhat.com> writes:
That is correct. The remote OS does not understand the SELinux
contexts, so you will get many errors when you try the -X option.
OK I have now run some tests to verify that the backup scheme I had
originally hoped would work does indeed work as planned.
I have a pre-existing USB drive formatted ext3 that I have been
regularly using on a main machine running SELinux disabled
as a central backup store for the main directories for several machines
on my LAN for some years.
This disk contains backups for about half a dozen computers in the
local network and I would rather not have to recreate all the files
but use the same drive for SELinux enabled machines as I transition to
the main machine being SELinux enabled.
In order to test viability using the same drive as a backup drive
under SELinux I plugged this disk into a laptop USB port directly.
The laptop is running F9 with SELinux enabled and fully up to date.
The drive plugs in and automagically opens a window in the desktop
under Gnome showing the directories in the drive (in this case just
one /media/usbdisc3/BACKUPS, and the machine subdirectories are within
the BACKUPS directory.
The disk is labelled as usbdisc3 so appears as /media/usbdisc3
I then made a new directory at the top level of this drive called test.
As a first test I copied the file /etc/resolv to this drive from this
machine using the simple command as root:
# rsync -aXHv /etc/resolv.conf /media/usbdisc3/test/
Then I umounted the USB drive and plugged it back in from cold.
The crucial test was to check the file permissions and contexts which
appeared as in the output below:
[mike@lapmike2 ~]$ ll -Z /media/usbdisc3/test/
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 resolv.conf
checking the original file gave:
[mike@lapmike2 ~]$ ll -Z /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf
We can see that the permissions, ownership and security contexts have
been preserved in the rsync transfer.
Then I booted up a second machine also running f9 with SElinux enabled
and on that machine did as root:
# rsync -aXHv -e ssh /etc/hosts lapmike2w:/media/usbdisc3/test/
Checking the original file details gave:
[mike@lapmike3 ~]$ ll -Z /etc/hosts
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/hosts
and on the machine on which the backup file now resides we can check
the newly created file:
[mike@lapmike2 ~]$ ll -Z /media/usbdisc3/test/
-rw-r--r-- root root system_u:object_r:etc_t:s0 hosts
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 resolv.conf
So we see that the all the file attributes have been copied across
correctly, and a restore of these files with their extended attributes
can be made using rsync -aXHv from the backup drive onto any machine
as desired.
So this works nicely and the original drive does not need to be
reformatted, nor the file system re-created. Running a backup
overwriting the original one with no security contexts works fine.
5678
days inactive
5681
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Forrest Taylor -
mike cloaked