How to back up SELinux contexts?
Post How to back up SELinux contexts? 
Hello,

I'm backing up a Red Hat Enterprise Linux 4 with enabled SELinux support.
It seems that SELinux "security contexts" for files aren't backed up by
rdiff-backup.

I thought that SELinux's security contexts were implemented by extended
attributes (and that rdiff-backup would therefore be able to record them),
but - well, rdiff-backup doesn't seem to store them, even when doing
filesystem-to-filesystem backups on the same file system (no network
in-between).

The file system is ext3, and the "Filesystem features" row of tune2fs
output claims "ext_attr" (among other things). However, strangely, this
doesn't work:

cd /var/test
touch foo
setfattr -n bar -v baz foo

Error message: "setfattr: foo: Operation not supported".

And "getfattr foo" simply shows nothing for the file.

However, "ls -lZ foo" yields:
-rw-r--r-- root root root:object_r:var_lib_t foo
- so the file certainly has a security context.

strace'ing on "ls -lZ foo" shows calls to getxattr and lgetxattr (can't
find any man pages on these functions).

So something "fishy" is going on; probably a strange interaction between
SELinux and the "normal" way of obtaining file extended attributes. It
even seems that two different types of file extended attributes exist:
user extended attributes, and system extended attributes. Hmm.

I'm thinking: rdiff-backup could probably somehow be modified to obtain
SELinux security contexts. Gentoo seems to have a python-selinux package,
but I can't find it elsewhere. If I find out which C library has
getxattr()/lgetxattr(): Is it possible for rdiff-backup to issue C library
functions, without having a python-selinux layer installed?

--
Greetings from Troels Arvin

Post How to back up SELinux contexts? 
On Wed, 25 Jan 2006, Troels Arvin wrote:

> I'm backing up a Red Hat Enterprise Linux 4 with enabled SELinux support.
> It seems that SELinux "security contexts" for files aren't backed up by
> rdiff-backup.
>
> I thought that SELinux's security contexts were implemented by extended
> attributes (and that rdiff-backup would therefore be able to record them),
> but - well, rdiff-backup doesn't seem to store them, even when doing
> filesystem-to-filesystem backups on the same file system (no network
> in-between).

you probably need to install pyxattr package... i don't know the redhat
package name. install pylibacl while you're at it...

-dean

Post How to back up SELinux contexts? 
On Thu, 26 Jan 2006 16:48:42 -0800, dean gaudet wrote:

> you probably need to install pyxattr package... i don't know the redhat
> package name. install pylibacl while you're at it...

I already have the "python-xattr" and "python-libacl" packages installed
on both the production and backup servers.

--
Greetings from Troels Arvin

Post How to back up SELinux contexts? 
Troels Arvin <troels < at > arvin.dk>
wrote the following on Wed, 25 Jan 2006 16:56:39 +0100

> So something "fishy" is going on; probably a strange interaction between
> SELinux and the "normal" way of obtaining file extended attributes. It
> even seems that two different types of file extended attributes exist:
> user extended attributes, and system extended attributes. Hmm.

Yes, this is correct, sometimes (when I'm being more careful) I say that
rdiff-backup supports user extended attributes. ACLs are stored as
extended attributes also, but supporting them didn't come automatically
with EA support...

I was hoping that the ACL support would cover the selinux stuff. I'm
pretty ignorant of selinux so if the selinux stuff doesn't count as ACLs
I'm not sure how to add support.

> I'm thinking: rdiff-backup could probably somehow be modified to obtain
> SELinux security contexts. Gentoo seems to have a python-selinux package,
> but I can't find it elsewhere. If I find out which C library has
> getxattr()/lgetxattr(): Is it possible for rdiff-backup to issue C library
> functions, without having a python-selinux layer installed?

selinux may show up under getxattr, but I don't think it's possible to
write them with setfattr (as you saw). Having read-only selinux support
would be pretty pointless, so someone needs to find out how to create
those selinux things.

rdiff-backup contains some C code, so it can call C functions. I'm not
really a C guy though, so I prefer to rely on existing wrapper modules
where they exist.


--
Ben Escoto

Post How to back up SELinux contexts? 
On Sun, 29 Jan 2006 16:27:08 -0600, Ben Escoto wrote:
> rdiff-backup contains some C code, so it can call C functions. I'm not
> really a C guy though, so I prefer to rely on existing wrapper modules
> where they exist.

I think I'll look closer into how Gentoo's python-selinux package works,
and try to port it to a test Red Hat-like system.

--
Greetings from Troels Arvin
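
Added example, not code from this thread or from rdiff-backup: a sketch of recording and reapplying file contexts through the extended-attribute calls the thread discusses. The kernel exposes a file's context as the attribute security.selinux, and attribute names carry a namespace prefix, which is why a bare name such as "bar" is rejected. It assumes Python 3 on Linux (os.getxattr/os.setxattr) and enough privilege to write security.* attributes; all function names are hypothetical.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # xattr that holds a file's SELinux context
NAMESPACES = ("user", "trusted", "security", "system")  # Linux xattr namespaces

def xattr_namespace(name):
    """Return the namespace prefix of an xattr name, or None if it has none."""
    prefix, dot, rest = name.partition(".")
    return prefix if dot and rest and prefix in NAMESPACES else None

def read_context(path, getxattr=getattr(os, "getxattr", None)):
    """Return path's context as text (symlinks not followed), or None if unlabeled."""
    try:
        raw = getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None  # no label, or filesystem without xattr support
        raise
    return raw.rstrip(b"\0").decode("ascii")  # value normally ends in a NUL byte

def snapshot(root, getxattr=getattr(os, "getxattr", None)):
    """Map every labeled entry under root (relative path) to its context."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            context = read_context(full, getxattr)
            if context is not None:
                manifest[os.path.relpath(full, root)] = context
    return manifest

def restore(root, manifest, setxattr=getattr(os, "setxattr", None)):
    """Reapply recorded contexts under root; return the paths that failed."""
    failed = []
    for rel, context in sorted(manifest.items()):
        value = context.encode("ascii") + b"\0"
        try:
            setxattr(os.path.join(root, rel), SELINUX_XATTR, value,
                     follow_symlinks=False)
        except OSError:  # e.g. EPERM without privilege, or a policy denial
            failed.append(rel)
    return failed

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, context in sorted(snapshot(target).items()):
        print(context, rel)
```

The getxattr and setxattr parameters exist so the functions can be exercised on a machine without SELinux; in normal use the defaults call the kernel directly.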
