dump/restore selinux query

Daniel J Walsh dwalsh at redhat.com
Wed Oct 3 11:40:54 UTC 2012



On 10/03/2012 05:19 AM, John Austin wrote:
> On Mon, 2012-10-01 at 09:14 -0400, Daniel J Walsh wrote:
>> On 10/01/2012 07:10 AM, John Austin wrote:
>>> Hi
>>> 
>>> I have recently used a bootable F17 memory stick (fully updated) to 
>>> dump/restore an un-mounted CentOS 6.3 system root (/) partition to a 
>>> "clone" backup partition on a separate disk.
>>> 
>>> I obtain SELinux error messages during the restore phase
>>> 
>>> Does anyone (Daniel?) know:
>>> 
>>> Will this be a problem if/when I need to use the backup?
>>> 
>>> Regards
>>> 
>>> John
>>> 
>> Most likely the target OS did not understand the labels that you are
>> trying to install.  So if you took labels off a F17 machine and tried to
>> put them on a RHEL6 box, the labels might not be defined.
> 
> 
> Hmmm - repeated the exercise booted from a fully updated C6.3 memory stick
> and the errors are not present during restore. (i.e. dumped/restored system
> and booted OS are both C6.3 with the same update level)
> 
> This implies that you must use a contemporaneous version of the operating
> system (including dump/restore) to that of the actual backed up root
> partition.
> 
> Obviously I do not fully understand/accept what is happening here! So a
> couple more basic questions
> 
> Does this mean I have to put aside the memory stick in its current state
> (no upgrade to C6.4 say) so that I can use it as the boot device during any
> subsequent restore of the backed up partitions?
> 
> OR
> 
> Will the relabelling of a restored root partition (that has selinux errors
> during the restore) (when booted from that restored partition) provide a
> "perfect" working system?
> 
> Thanks again
> 
> John
> 
I would always suggest relabeling after you restore a system.  Restore sets
everything back to the default layout as currently defined in policy.  While I
understand the goal of restoring the labels from a backed up partition, it is
not always the correct thing to do, since the policy on the system might have
changed since the backup.

For example, say you backed up your homedir and saved the labels.  A
selinux-policy update happens or an admin changes the labels of a particular
directory in the homedir.  Now you later restore the backup over the homedir.
Now the labels of the homedir do not match the system defaults.
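
Added example, not part of the original message: one way to act on the relabel advice above for a restored root partition that has not been booted yet. It relies on the /.autorelabel flag file that Fedora, RHEL and CentOS check at boot to run a full relabel against the installed policy; the function name schedule_relabel and the mount point are assumptions.

```sh
#!/bin/sh
# schedule_relabel MOUNTPOINT   (hypothetical helper, not from the thread)
# Flags a restored root filesystem, mounted at MOUNTPOINT, for a full
# SELinux relabel on its next boot. Prints the SELINUX= mode found in the
# restored root; returns non-zero without writing anything on error.
# Usage: schedule_relabel /mnt/restored-root
schedule_relabel() {
    root=$1
    conf="$root/etc/selinux/config"

    # Refuse to write into anything that does not look like a restored root.
    if [ -z "$root" ] || [ ! -d "$root" ] || [ ! -f "$conf" ]; then
        echo "error: '$root' has no etc/selinux/config" >&2
        return 1
    fi

    # Read the mode of the restored system. Comment lines and the
    # SELINUXTYPE= line do not match; the last SELINUX= line wins.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$mode" in
        enforcing|permissive)
            ;;
        disabled)
            echo "error: SELINUX=disabled in $conf; relabel not scheduled" >&2
            return 2
            ;;
        *)
            echo "error: cannot determine SELINUX= mode in $conf" >&2
            return 3
            ;;
    esac

    # The flag file lives in the restored root, so the relabel uses the
    # policy of the system being booted, not that of the rescue media.
    : > "$root/.autorelabel" || return 4
    echo "$mode"
}
```

The relabel resets every file to the default defined by the restored system's policy, so labels an admin changed by hand without recording them in policy are reset as well.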

