rsync as backup for laptop to desktop external HD

Forrest Taylor ftaylor at redhat.com
Mon Oct 6 15:28:07 UTC 2008 

On Fri, 2008-10-03 at 07:33 +0000, Mike wrote:
> I have for many years run backups from laptops on the local LAN to an external
> USB drive attached to the main desktop machine using rsync -aH. 
> The main desktop is running F8 with SELinux disabled.
> 
> In recent months I upgraded the laptop to F9 with SELinux enabled.
> 
> I have just realised that the method I use gives files on the backup drive
> that have no selinux contexts... so in the event of having to rebuild a laptop
> and pulling files off the backup drive the selinux contexts would have to be
> recreated.
> 
> I am fairly new to SELinux but I presume that merely adding -X to the rsync
> command would still not produce any contexts on the files that are generated
> on the backup drive since the machine that is processing the rsync at the
> receive end has SELinux disabled.

That is correct.  The remote OS does not understand the SELinux
contexts, so you will get many errors when you try the -X option.

> At some point the desktop will be upgraded to F9 (and later F10) with SELinux
> enabled - and I am now not sure if attaching the original external USB drive
> unchanged would then still result in files without any security contexts on
> the external drive?

Be careful using two different operating systems with rsync--if the
local OS is trying to backup to the remote OS, and the remote OS doesn't
know about the contexts on the local OS, you will again have errors.

> If this is the case would I need to label the filesystem on the external drive?
> What is the best route to getting this backup system working to preserve
> security contexts for all files (including system areas such as /var /etc ?

Before it gets too complex, let me just say that you may be able to
simply use `restorecon -Rv /etc` to restore contexts to everything
in /etc/.  This may be the simplest solution.

Baring that, the easiest way to get backups with good contexts is to use
getfattr to store the current contexts to a file.  You will be able to
use the file to restore contexts.

If you wanted to backup the SELinux attributes for all files/dirs
in /etc/, for example, run: 

getfattr -Rdh -m security.selinux /etc > /etc/SELinux-attrs

If you wanted to restore from backup, do the data restore, then run the
following:

cd /
setfattr -h --restore=/etc/SELinux-attrs

Run `ls -Z /etc/` to verify proper context.

-- 
Forrest Taylor
Global Learning Services Project Manager III
Cell: 303-913-5169
AIM: forresttaylorred
Red Hat IRC: forrest

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20081006/d5c50b9b/attachment.sig>

More information about the fedora-selinux-list mailing list