dump/restore and SElinux security context problem
Tony Nelson
tonynelson at georgeanelson.com
Mon Apr 24 02:18:19 UTC 2006
At 6:44 PM -0700 4/23/06, Kayvan A. Sylvan wrote:
>On Sun, Apr 23, 2006 at 02:39:43PM -0400, Tony Nelson wrote:
>> At 8:06 PM -0700 4/22/06, Kayvan A. Sylvan wrote:
>> >I used "dump" to create a snapshot of a filesystem, then, using
>> >the FC5 DVD to boot into rescue mode, used "restore" to recreate it.
>> >
>> >The problem: during the restore, for every file, I get messages like this:
>> >
>> > restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid
>> >argument
>>
>> When booting the rescue CD, use the kernel command line:
>>
>> linux rescue enforcing=0
>>
>> along with any other options you need (when I remember, I use "hda=noprobe
>> hdb=noprobe").
>
>This seemed to produce no different effect.
Works for me. What does sestatus say?
>The portion of the dmesg output (when booting the rescue CD) follows:
>
> security: 3 users, 6 roles, 1161 types, 135 bools, 1 sens, 256 cats
> security: 55 classes, 38679 rules
> SELinux: Completing initialization.
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev loop0, type squashfs), not configured for labeling
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
> SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses
>genfs_contexts
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1145840702.919:2): avc: denied { transition } for pid=651
>comm="loader" name="bash" dev=loop0 ino=1500
>scontext=system_u:system_r:kernel_t:s0
>tcontext=system_u:system_r:anaconda_t:s0 tclass=process
AIUI, you'll still get "avc: denied" messages in permissive mode.
> [...]
> SELinux: initialized (dev sda1, type ext2), uses xattr
> kjournald starting. Commit interval 5 seconds
> EXT3 FS on sda1, internal journal
> EXT3-fs: mounted filesystem with ordered data mode.
> SELinux: initialized (dev sda1, type ext3), uses xattr
>
>After the restore, the "ls -lZ" output, while still booted in the rescue
>mode, shows this (it's identical for all files):
>
>-rw-r--r-- root root system_u:object_r:file_t:s0
>vmlinuz-2.6.16-1.2069_FC4smp
Hmm, it should be different for different files. In /, I would expect that
there would be several different Types (3rd component) and that /root would
be User (1st component) root.
>Once booted back up in the FC4 system, the same file shows up as:
>
>-rw-r--r-- root root system_u:object_r:unlabeled_t
>vmlinuz-2.6.16-1.2069_FC4smp
Dunno. I hope someone with more SELinux experience reads this.
>By the way, is there a definitive list of boot parameters (like the
>enforcing=0 above) somewhere?
See kernel-parameters.txt in the kernel-doc package.
>I am wondering if I have to have the same SELinux policy loaded while
>in the rescue mode in order to avoid the "lsetxattr: invalid argument"
>error? How would I go about doing that?
I'm not sure, but I think that the lsetxattr errors relate to enabling the
4th (MLS) component of the Security Context in FC5's SELinux. Maybe
they'll work something out.
____________________________________________________________________
TonyN.:' <mailto:tonynelson at georgeanelson.com>
' <http://www.georgeanelson.com/>
More information about the fedora-list
mailing list