[FW: Re: dump/restore and SElinux security context problem]

Kayvan A. Sylvan kayvan at sylvan.com
Mon Apr 24 21:47:52 UTC 2006 

Anyone on the fedora-selinux-list have any clues for how to proceed with
this problem?

In a nutshell: I can not get dump to restore the xattr file attributes
when booted into the FC5 rescue DVD.

Thanks for any answers or ideas!

----- Forwarded message from "Kayvan A. Sylvan" <kayvan at sylvan.com> -----

Date: Sun, 23 Apr 2006 18:44:37 -0700
From: "Kayvan A. Sylvan" <kayvan at sylvan.com>
To: For users of Fedora Core releases <fedora-list at redhat.com>
Subject: Re: dump/restore and SElinux security context problem

On Sun, Apr 23, 2006 at 02:39:43PM -0400, Tony Nelson wrote:
> At 8:06 PM -0700 4/22/06, Kayvan A. Sylvan wrote:
> >I used "dump" to create a snapshot of a filesystem, then, using
> >the FC5 DVD to boot into rescue mode, used "restore" to recreate it.
> >
> >The problem: during the restore, for every file, I get messages like this:
> >
> >    restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid argument
> 
> When booting the rescue CD, use the kernel command line:
> 
>     linux rescue enforcing=0
> 
> along with any other options you need (when I remember, I use "hda=noprobe
> hdb=noprobe").

This seemed to produce no different effect.

The portion of the dmesg output (when booting the rescue CD) follows:

  security:  3 users, 6 roles, 1161 types, 135 bools, 1 sens, 256 cats
  security:  55 classes, 38679 rules
  SELinux:  Completing initialization.
  SELinux:  Setting up existing superblocks.
  SELinux: initialized (dev loop0, type squashfs), not configured for labeling
  SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
  SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
  SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
  SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
  SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
  SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
  SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
  SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
  SELinux: initialized (dev devpts, type devpts), uses transition SIDs
  SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
  SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
  SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
  SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
  SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
  SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
  SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
  SELinux: initialized (dev proc, type proc), uses genfs_contexts
  SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
  SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
  SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
  audit(1145840702.919:2): avc:  denied  { transition } for  pid=651 comm="loader" name="bash" dev=loop0 ino=1500 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:anaconda_t:s0 tclass=process
  [...]
  SELinux: initialized (dev sda1, type ext2), uses xattr
  kjournald starting.  Commit interval 5 seconds
  EXT3 FS on sda1, internal journal
  EXT3-fs: mounted filesystem with ordered data mode.
  SELinux: initialized (dev sda1, type ext3), uses xattr

After the restore, the "ls -lZ" output, while still booted in the rescue
mode, shows this (it's identical for all files):

-rw-r--r-- root root  system_u:object_r:file_t:s0  vmlinuz-2.6.16-1.2069_FC4smp

Once booted back up in the FC4 system, the same file shows up as:

-rw-r--r-- root root  system_u:object_r:unlabeled_t vmlinuz-2.6.16-1.2069_FC4smp

I am wondering if I have to have the same SELinux policy loaded while
in the rescue mode in order to avoid the "lsetxattr: invalid argument"
error? How would I go about doing that?

			---Kayvan
----- End forwarded message -----

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

More information about the fedora-selinux-list mailing list