How to back up SELinux contexts?


How to back up SELinux contexts?

Troels Arvin-2
Hello,

I'm backing up a Red Hat Enterprise Linux 4 with enabled SELinux support.
It seems that SELinux "security contexts" for files aren't backed up by
rdiff-backup.

I thought that SELinux's security contexts were implemented by extended
attributes (and that rdiff-backup would therefore be able to record them),
but - well, rdiff-backup doesn't seem to store them, even when doing
filesystem-to-filesystem backups on the same file system (no network
in-between).

The file system is ext3, and the "Filesystem features" row of tune2fs
output claims "ext_attr" (among other things). However, strangely, this
doesn't work:

cd /var/test
touch foo
setfattr -n user.bar -v baz foo

Error message: "setfattr: foo: Operation not supported".

And "getfattr foo" simply shows nothing for the file.

However, "ls -lZ foo" yields:
-rw-r--r-- root root root:object_r:var_lib_t foo
- so the file certainly has a security context.

strace'ing on "ls -lZ foo" shows calls to getxattr and lgetxattr (can't
find any man pages on these functions).

So something "fishy" is going on; probably a strange interaction between
SELinux and the "normal" way of obtaining file extended attributes. It
even seems that two different types of file extended attributes exist:
user extended attributes, and system extended attributes. Hmm.

I'm thinking: rdiff-backup could probably somehow be modified to obtain
SELinux security contexts. Gentoo seems to have a python-selinux package,
but I can't find it elsewhere. If I find out which c library has
getxattr()/lgetxattr(): Is it possible for rdiff-backup to issue c library
functions, without having a python-selinux layer installed?

--
Greetings from Troels Arvin




_______________________________________________
rdiff-backup-users mailing list at [hidden email]
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki
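The two kinds of attribute the post stumbles over are xattr namespaces: a SELinux label lives under the name `security.selinux` (the `security` namespace), while `setfattr`/`getfattr` work in the `user` namespace by default, and `getfattr` lists only `user.*` names unless called as `getfattr -m - -d FILE`. "Operation not supported" for a `user.*` attribute on ext3 of that era most often means the filesystem was mounted without `user_xattr`, which does not affect `security.*`. The following added example (not rdiff-backup code and not from any poster in the thread) reads, records and restores the label through the stdlib wrappers for `getxattr(2)`, `listxattr(2)` and `setxattr(2)`; it assumes Linux and Python 3.3 or newer, and `record_tree`/`restore_context` are names chosen here for illustration.

```python
# Added example, not rdiff-backup code. Assumes Linux and Python >= 3.3,
# whose os module wraps getxattr(2), listxattr(2) and setxattr(2). The
# SELinux file context is the value of the xattr "security.selinux".
import errno
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

SELINUX_XATTR = "security.selinux"
# errno values meaning "no such attribute here", not a real failure:
# ENODATA (attribute absent) and ENOTSUP (filesystem has no xattrs at all).
_ABSENT = {errno.ENODATA, errno.ENOTSUP}


@dataclass(frozen=True)
class Context:
    """One SELinux context, e.g. root:object_r:var_lib_t (no MLS level on RHEL 4)."""
    user: str
    role: str
    type: str
    level: Optional[str] = None  # MLS/MCS range such as s0, absent on older policies

    def __str__(self) -> str:
        parts = [self.user, self.role, self.type]
        if self.level is not None:
            parts.append(self.level)
        return ":".join(parts)


def parse_context(raw: Union[bytes, str]) -> Context:
    """Parse the user:role:type[:level] string shown by ls -Z or stored in the xattr."""
    text = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    text = text.rstrip("\0")  # the kernel may store a trailing NUL in the value
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {text!r}")
    level = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], level)


def xattr_namespace(name: str) -> str:
    """'security.selinux' -> 'security', 'user.bar' -> 'user'."""
    return name.split(".", 1)[0]


def list_by_namespace(path: str) -> Dict[str, List[str]]:
    """Group a file's xattr names by namespace; {} if the filesystem has none.

    security.* names are returned even on a filesystem where setting user.*
    attributes fails, so this is the quickest way to see where a label lives.
    """
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in _ABSENT:
            return {}
        raise
    grouped: Dict[str, List[str]] = {}
    for name in names:
        grouped.setdefault(xattr_namespace(name), []).append(name)
    return grouped


def read_context(path: str) -> Optional[Context]:
    """Return the file's SELinux context, or None if it has none."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in _ABSENT:
            return None
        raise
    return parse_context(raw)


def record_tree(root: str) -> Dict[str, str]:
    """Map each directory and file under root to its context string.

    This is the metadata a backup tool must keep alongside the file data;
    symlinks are recorded with their own label, not their target's.
    """
    contexts: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            ctx = read_context(path)
            if ctx is not None:
                contexts[path] = str(ctx)
    return contexts


def restore_context(path: str, context: str) -> None:
    """Relabel one path on restore (same effect as chcon CONTEXT FILE).

    Under SELinux the calling domain needs relabelfrom/relabelto on the old
    and new types; an unconfined root shell has them, a confined daemon
    running as root may not.
    """
    parse_context(context)  # refuse malformed input before touching the file
    os.setxattr(path, SELINUX_XATTR, context.encode("utf-8"), follow_symlinks=False)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["."]:
        print(target, list_by_namespace(target), read_context(target))
```

Run it against `/var/test/foo` from the post and `list_by_namespace` reports the label under the `security` namespace while `user` stays empty; `record_tree` is the read side a backup needs, and `restore_context` is the write side that, as a later reply notes, depends on the restoring process being allowed to relabel.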

Re: How to back up SELinux contexts?

dean gaudet-4
On Wed, 25 Jan 2006, Troels Arvin wrote:

> I'm backing up a Red Hat Enterprise Linux 4 with enabled SELinux support.
> It seems that SELinux "security contexts" for files aren't backed up by
> rdiff-backup.
>
> I thought that SELinux's security contexts were implemented by extended
> attributes (and that rdiff-backup would therefore be able to record them),
> but - well, rdiff-backup doesn't seem to store them, even when doing
> filesystem-to-filesystem backups on the same file system (no network
> in-between).

you probably need to install pyxattr package... i don't know the redhat
package name.  install pylibacl while you're at it...

-dean




Re: How to back up SELinux contexts?

Troels Arvin-2
On Thu, 26 Jan 2006 16:48:42 -0800, dean gaudet wrote:

> you probably need to install pyxattr package... i don't know the redhat
> package name.  install pylibacl while you're at it...

I already have the "python-xattr" and "python-libacl" packages installed
on both the production and backup servers.

--
Greetings from Troels Arvin





Re: Re: How to back up SELinux contexts?

dean gaudet-4
On Fri, 27 Jan 2006, Troels Arvin wrote:

> On Thu, 26 Jan 2006 16:48:42 -0800, dean gaudet wrote:
>
> > you probably need to install pyxattr package... i don't know the redhat
> > package name.  install pylibacl while you're at it...
>
> I already have the "python-xattr" and "python-libacl" packages installed
> on both the production and backup servers.

dumb selinux question... does rdiff-backup have permissions to read all
the attributes?  i assume selinux has some way of controlling that...

-dean



Re: Re: How to back up SELinux contexts?

dean gaudet-4
On Fri, 27 Jan 2006, dean gaudet wrote:

> On Fri, 27 Jan 2006, Troels Arvin wrote:
>
> > On Thu, 26 Jan 2006 16:48:42 -0800, dean gaudet wrote:
> >
> > > you probably need to install pyxattr package... i don't know the redhat
> > > package name.  install pylibacl while you're at it...
> >
> > I already have the "python-xattr" and "python-libacl" packages installed
> > on both the production and backup servers.
>
> dumb selinux question... does rdiff-backup have permissions to read all
> the attributes?  i assume selinux has some way of controlling that...

also further dumb selinux question... i wonder if rdiff-backup's
filesystem capabilities detection code is getting errors because selinux
is preventing it from testing extended attributes... you might try running
with a -vN for some N>4 to get more verbose logging.

and for restores it would certainly need to be able to recreate all
selinux attributes -- a privilege level which is almost certainly not the
default for all binaries even when run as root...

-dean



Re: How to back up SELinux contexts?

Ben Escoto
In reply to this post by Troels Arvin-2
>>>>> Troels Arvin <[hidden email]>
>>>>> wrote the following on Wed, 25 Jan 2006 16:56:39 +0100
>
> So something "fishy" is going on; probably a strange interaction between
> SELinux and the "normal" way of obtaining file extended attributes. It
> even seems that two different types of file extended attributes exist:
> user extended attributes, and system extended attributes. Hmm.

Yes, this is correct, sometimes (when I'm being more careful) I say that
rdiff-backup supports user extended attributes.  ACLs are stored as
extended attributes also, but supporting them didn't come automatically
with EA support...

I was hoping that the ACL support would cover the selinux stuff.  I'm
pretty ignorant of selinux so if the selinux stuff doesn't count as ACLs
I'm not sure how to add support.

> I'm thinking: rdiff-backup could probably somehow be modified to obtain
> SELinux security contexts. Gentoo seems to have a python-selinux package,
> but I can't find it elsewhere. If I find out which c library has
> getxattr()/lgetxattr(): Is it possible for rdiff-backup to issue c library
> functions, without having a python-selinux layer installed?

selinux may show up under getxattr, but I don't think it's possible to
write them with setfattr (as you saw).  Having read-only selinux support
would be pretty pointless, so someone needs to find out how to create
those selinux things.

rdiff-backup contains some C code, so it can call C functions.  I'm not
really a C guy though, so I prefer to rely on existing wrapper modules
where they exist.


--
Ben Escoto


Re: Re: How to back up SELinux contexts?

Troels Arvin-2
In reply to this post by dean gaudet-4
On Fri, 27 Jan 2006 12:15:54 -0800, dean gaudet wrote:
>> dumb selinux question... does rdiff-backup have permissions to read all
>> the attributes?  i assume selinux has some way of controlling that...

root can read the contexts, e.g. with "ls -lZ" (note the Z); I don't know
exactly how it's done (behind the scenes).

> also further dumb selinux question... i wonder if rdiff-backup's
> filesystem capabilities detection code is getting errors because selinux
> is preventing it from testing extended attributes... you might try
> running with a -vN for some N>4 to get more verbose logging.

"rdiff-backup -v 4 /var/lib/rpm /root/test/rpm" yields:
=================================================================
ACLs not supported by filesystem at /var/lib/rpm
-----------------------------------------------------------------
Detected abilities for source (read only) file system:
  Access control lists                         Off
  Extended attributes                          On
  Mac OS X style resource forks                Off
  Mac OS X Finder information                  Off
-----------------------------------------------------------------
Extended attributes not supported by filesystem at test/rpm/rdiff-backup-data/rdiff-backup.tmp.0
ACLs not supported by filesystem at test/rpm/rdiff-backup-data/rdiff-backup.tmp.0
-----------------------------------------------------------------
Detected abilities for destination (read/write) file system:
  Characters needing quoting                   ''
  Ownership changing                           On
  Hard linking                                 On
  fsync() directories                          On
  Directory inc permissions                    On
  High-bit permissions                         On
  Access control lists                         Off
  Extended attributes                          Off
  Mac OS X style resource forks                Off
  Mac OS X Finder information                  Off
-----------------------------------------------------------------
Starting mirror /var/lib/rpm to test/rpm
=================================================================

In this test, I'm backing up on the same system (and even on the same file
system), as root. I'm not 100% sure of what the file system _really_
permits, but it's strange that the value of "Extended attributes" differs.
And I find it strange that ACLs aren't seen as supported, but I'll have to
look closer into it (it could be that I need to do something to turn them
on).

> and for restores it would certainly need to be able to recreate all
> selinux attributes -- a privilege level which is almost certainly not
> the default for all binaries even when run as root...

Well, I can easily use the "chcon" utility as root, so nothing should
prevent the same kind of operation when restoring. But at this point, I'm
mostly interested in finding out why rdiff-backup isn't recording the
security context values in the metadata database.

--
Greetings from Troels Arvin




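The `-v 4` report above is the check worth automating: whenever an ability is On for the source but Off for the destination, rdiff-backup can read that metadata but has nowhere to write it, and the mirror silently loses it. The added example below (not rdiff-backup code; the sample input is the report quoted in this post, embedded verbatim) parses both ability tables and lists such mismatches. It also makes the thread's underlying problem visible: the table has no SELinux row at all, so the detection code of this version never probes `security.*` attributes, whatever the filesystem supports.

```python
# Added example, not rdiff-backup code: parse the "Detected abilities" tables
# printed by rdiff-backup -v 4 and flag abilities that are On at the source
# but Off at the destination. SAMPLE_REPORT is the output quoted in the post.
import re
from typing import Dict, List

SAMPLE_REPORT = """\
ACLs not supported by filesystem at /var/lib/rpm
-----------------------------------------------------------------
Detected abilities for source (read only) file system:
  Access control lists                         Off
  Extended attributes                          On
  Mac OS X style resource forks                Off
  Mac OS X Finder information                  Off
-----------------------------------------------------------------
Extended attributes not supported by filesystem at test/rpm/rdiff-backup-data/rdiff-backup.tmp.0
ACLs not supported by filesystem at test/rpm/rdiff-backup-data/rdiff-backup.tmp.0
-----------------------------------------------------------------
Detected abilities for destination (read/write) file system:
  Characters needing quoting                   ''
  Ownership changing                           On
  Hard linking                                 On
  fsync() directories                          On
  Directory inc permissions                    On
  High-bit permissions                         On
  Access control lists                         Off
  Extended attributes                          Off
  Mac OS X style resource forks                Off
  Mac OS X Finder information                  Off
-----------------------------------------------------------------
Starting mirror /var/lib/rpm to test/rpm
"""

_HEADER = re.compile(r"^Detected abilities for (source|destination) .*:$")


def parse_abilities(report: str) -> Dict[str, Dict[str, str]]:
    """Return {"source": {ability: value}, "destination": {ability: value}}."""
    tables: Dict[str, Dict[str, str]] = {}
    current = None
    for line in report.splitlines():
        match = _HEADER.match(line)
        if match:
            current = tables.setdefault(match.group(1), {})
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # a separator or message line ends the table
            current = None
            continue
        # Rows are "  <ability name>   <value>": the value is the last column,
        # columns being separated by a run of two or more spaces.
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 2:
            current[cols[0]] = cols[1]
    return tables


def metadata_at_risk(tables: Dict[str, Dict[str, str]]) -> List[str]:
    """Abilities the source has but the destination lacks: read, never written."""
    src = tables.get("source", {})
    dst = tables.get("destination", {})
    return [name for name, value in src.items()
            if value == "On" and dst.get(name) == "Off"]


def probe_failures(report: str) -> List[str]:
    """The 'not supported by filesystem at <path>' lines that explain Off rows;
    the destination path is the temporary probe file rdiff-backup creates."""
    return [line for line in report.splitlines()
            if "not supported by filesystem at" in line]


if __name__ == "__main__":
    tables = parse_abilities(SAMPLE_REPORT)
    for name in metadata_at_risk(tables):
        print(f"WARNING: {name}: On at source, Off at destination")
    for line in probe_failures(SAMPLE_REPORT):
        print(line)
```

On the quoted report this flags "Extended attributes" and prints the three probe-failure lines, including the two against `rdiff-backup.tmp.0` in the destination's `rdiff-backup-data` directory, which is where to look (mount options, or SELinux denials in the audit log) when source and destination sit on the same filesystem yet disagree.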

Re: How to back up SELinux contexts?

Troels Arvin-2
In reply to this post by Ben Escoto
On Sun, 29 Jan 2006 16:27:08 -0600, Ben Escoto wrote:
> rdiff-backup contains some C code, so it can call C functions.  I'm not
> really a C guy though, so I prefer to rely on existing wrapper modules
> where they exist.

I think I'll look closer into how Gentoo's python-selinux package works,
and try to port it to a test Red Hat-like system.

--
Greetings from Troels Arvin



