rsync as backup from f11 to F10 - issues

Daniel J Walsh dwalsh at redhat.com
Thu Aug 13 17:46:19 UTC 2009


On 08/13/2009 05:26 AM, Mike Cloaked wrote:
> 
> 
> 
> Mail Lists-3 wrote:
>>
>>
>>    Can't speak for others but I do not backup selinux labels. I cannot
>> speak to other attributes or ACL's.
>>
>>   I think of selinux labels as belonging to the host server policy not
>> the backup machine - so the policy in my mind comes from the target
>> where the backups would be restored to.
>>
>>   So, if you backed up /home/cloaked/foo and restored it to
>> bing:/home/cloaked/foo then I would expect the labels to come from the
>> policy on bing - whether or not the backup was made from bing or
>> somewhere else.
>>
>>
>>
>>>> How would this differ if rdiff-backup was used instead?  Since
>>>> rdiff-backup is rsync based ....
>>
>>   Dunno - I kind of thought rdiff-backup had better extended attribute
>> handling than rsync itself and it's my preferred tool anyway.
>>
>>  gene/
>>
>>
> 
> Generally true - but one situation I found the backup done my way that I
> liked, to include labels, was when transitioning from F10 to F11 where I had
> specific labels on some files in /opt to avoid avc denials in F10.  
> 
> In order to move to F11 with ext4 what I did was to create a backup on the
> external drive and included the original labelling for F10, for the entire
> /opt structure.  Then when I installed F11, I allowed the installer to
> format both / and /opt with ext4.  Then once the install was completed I
> restored the /opt backup to the new /opt partition for F11 including the old
> F10 labels, and was able to progress using the files with their old contexts
> apart from an occasional need to change a context.
> 
> Presumably had I restored using rsync -aH only then the file contexts would
> have been made according to the F11 current policy and not been a generic
> "file_t".  Some instances would certainly not have worked such as a mail
> spool area on /opt that would not have been given their correct mail related
> contexts after the restore - although I don't know if the mail spool area,
> once bind mounted onto the root directory mail spool, would then get their
> correct contexts if I used a restorecon command on the mail spool at that
> time?
> 
> I don't know if the same also would then apply to user areas residing on the
> /opt/Local/home directory? Again initially the files would have incorrect
> contexts restoring using rsync -aH and again once bind mounted to /home
> would restorecon put the correct labels back?
> 
I am not a sysadm, but I think it is better to backup the files with saving the labeling, then running restorecon after you restore the labels.

If you want to change the labels somewhere on a system you should tell SELinux about this using the semanage fcontext -a command.

Then restorecon will fix the labels.

The problem with moving labels from one machine to another is that you may not have the same security labels available on both machines, as you have seen.  If you had both machines running the same policy, it would have worked.
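The sequence Dan describes (back up with the labels, restore, register the non-default locations with semanage fcontext, then restorecon), written out as an added example that is not part of the thread and not Fedora's own tooling. It assumes the thread's layout (/opt with a mail spool under /opt/Local/mail that gets the stock mail_spool_t type, and home directories under /opt/Local/home treated as equivalent to /home), a backup target of /mnt/external/opt, an rsync new enough to support -X (3.0 or later, as shipped in F10/F11), a policycoreutils whose semanage fcontext supports -e equivalence, and that it is run as root, since only root can write the security.selinux xattr. The DRY_RUN wrapper is my addition so the commands can be inspected before anything is touched.

```shell
#!/bin/sh
# Added example: migrate /opt across a reinstall while keeping SELinux labels
# usable. Not code from the mailing-list thread; paths and types are assumptions.
# Set DRY_RUN=1 to print the commands instead of running them (must be root otherwise).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# -a archive, -H hard links, -A POSIX ACLs, -X extended attributes.
# The SELinux label is the security.selinux xattr, so -X is what carries it;
# plain -aH (as in the thread) leaves restored files to the new policy's defaults.
rsync_label_flags() {
    echo "-aHAX"
}

# Phase 1, on the old system: mirror the tree, labels included, to the backup disk.
backup_phase() {
    src=$1   # e.g. /opt
    dst=$2   # e.g. /mnt/external/opt
    run rsync $(rsync_label_flags) --delete "$src/" "$dst/"
}

# Register a type for a directory tree so restorecon knows the intended label.
register_context() {
    type=$1  # e.g. mail_spool_t
    path=$2  # e.g. /opt/Local/mail
    run semanage fcontext -a -t "$type" "$path(/.*)?"
}

# Declare one path equivalent to another so its subtree is labeled like the
# reference path (home directories get the right user_home_* types this way).
register_equivalence() {
    ref=$1   # e.g. /home
    path=$2  # e.g. /opt/Local/home
    run semanage fcontext -a -e "$ref" "$path"
}

# Phase 2, after the reinstall: restore with labels, tell the new policy about
# the custom locations, then let restorecon reconcile everything with that policy.
# Files whose old type does not exist on the new machine are fixed up here too.
restore_phase() {
    backup=$1   # e.g. /mnt/external/opt
    dst=$2      # e.g. /opt
    run rsync $(rsync_label_flags) "$backup/" "$dst/"
    register_context mail_spool_t "$dst/Local/mail"
    register_equivalence /home "$dst/Local/home"
    run restorecon -R -v "$dst"
}

# Quick check of what a restored file ended up with.
show_label() {
    ls -Zd "$1"
}

# Usage (as root):
#   DRY_RUN=1 sh migrate-opt.sh backup    # inspect first
#   sh migrate-opt.sh backup               # before reinstalling
#   sh migrate-opt.sh restore              # after installing F11
case "${1:-}" in
    backup)  backup_phase /opt /mnt/external/opt ;;
    restore) restore_phase /mnt/external/opt /opt ;;
esac
```

Run the restore phase with DRY_RUN=1 first to see the four commands it will issue; the semanage entries persist in the local file-context customizations, so a later full relabel keeps the same result.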
