dump/restore (or "star") and SELinux problems

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 27 16:54:57 UTC 2006


On Wed, 2006-04-26 at 14:14 -0700, Kayvan A. Sylvan wrote:
> Hi folks,
> 
> I am trying again. I haven't gotten an answer that works yet and am hoping that
> people who know more about SELinux and Fedora can see this and suggest
> a solution (or at least a way to investigate).
> 
> My goal: To be able to resize a partition (or rearrange filesystems) without
> losing any data or meta-data.
> 
> parted is useless, since it won't handle the xattr filesystem data.
> 
> I used dump to create a filesystem backup, then used the FC5 Install DVD
> to go into rescue mode and restore the dump. That seemed to work okay for
> the file data. However, for each and every file, I get the message:
> 
>     restore: lsetxattr ./filename_being_restored failed: Invalid argument
> 
> Using "ls -Z", I see that all the files end up being unlabeled (or they
> are in the unlabeled_t context).
> 
> These files were all set up in Fedora FC4, using the targeted policy.

Ok, so the problem here is that dump is saving the raw attribute values
(which lack the MLS field since they came from FC4) and then calling
lsetxattr() with those raw attribute values, and the FC5 kernel is then
rejecting them since they lack the field.  Related to:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189845

If restore instead used lsetfilecon(3), the attribute would be extended
appropriately.  Short term workaround for you would be to run restorecon
on the filesystem after restoring it to fix up the labels.

> I have also tried using "star" with the following args:
> 
>   star -v -c -xdev -sparse -acl -link-dirs level=0 -wtardumps \
>         f=root.star -C / .
> 
> And then, when booted into the rescue mode, did the following to extract:
> 
>   star -xpU -restore f=root.star

Did you try following the instructions in the SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236

In particular, using -xattr and -H=exustar options.  -acl is specific to
POSIX ACLs I believe.

> This produced the same result. The files end up being unlabeled.
> 
> I am wondering if I have to have the same SELinux policy loaded while
> in the rescue mode in order to avoid the "lsetxattr: invalid argument"
> error? How would I go about doing that?

-- 
Stephen Smalley
National Security Agency
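
An added example, not part of the original message: a shell sketch that classifies saved SELinux labels by whether they carry the MLS field the reply says FC5 requires, and lists the paths that would need the restorecon workaround after a restore. The function names, the two-column "CONTEXT PATH" input format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# A context is user:role:type[:level]. Labels written under FC4 stop after
# the type, which is what the reply says FC5 rejects when set raw via lsetxattr().

# classify_context CONTEXT -> prints unlabeled | ok | no-mls | invalid
classify_context() {
    case $1 in
        *:unlabeled_t|*:unlabeled_t:*) echo unlabeled ;;  # restore already failed
        *:*:*:*) echo ok ;;        # at least four fields: level is present
        *:*:*)   echo no-mls ;;    # exactly three fields: FC4-style label
        *)       echo invalid ;;   # not a security context at all
    esac
}

# needs_relabel: reads "CONTEXT PATH" lines on stdin and prints every path
# whose label is not "ok", i.e. the files to fix up with restorecon.
needs_relabel() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        case $(classify_context "$ctx") in
            ok) ;;
            *)  printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample input (not taken from the thread).
sample_labels() {
    cat <<'EOF'
system_u:object_r:etc_t /etc/fstab
system_u:object_r:etc_t:s0 /etc/hosts
system_u:object_r:unlabeled_t /home/user/notes.txt
user_u:object_r:user_home_t /home/user/.bashrc
EOF
}

sample_labels | needs_relabel
```
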



